Hi Ghassen Latrach,
Welcome to Microsoft Q&A Forum, thank you for posting your query here!
It looks like your account has been added to a Deny Assignment at the root level, which prevents you from performing any actions in your subscription.
This may have happened because you were running scripts using access tokens from your account, and Microsoft may have applied this policy to restrict your access.
For example, actions like Microsoft.Insights/Metrics/write were not allowed.
Warning: If a service principal repeatedly hits the GIG endpoint without proper permissions, it may get blacklisted.
Try the Following Solutions
- Solution 1: Remove the Deny Assignment
Go to the Azure Portal: https://portal.azure.com
Navigate to "Subscriptions" and select your subscription.
Go to "Access Control (IAM)" at the root scope ('/').
Find the "Deny Assignments" tab.
Look for your Object ID (e.g., 653ad2b4ae4b4bb3a7e62651f19ddba9) or Name.
Remove or Modify the Deny Assignment as needed.
If it is in read mode, try Solution 2.
- Solution 2: Create a New Azure AD User and Assign Owner Role
If Solution 1 doesn’t work, create a new admin account and use it to remove the deny assignment.
Step 1: Create a New User in Azure AD
Open Azure Portal → Go to Microsoft Entra ID (Azure AD) > Users.
Click "+ New user".
Enter User Details:
User Type: Member
Username: newuser@yourdomain.onmicrosoft.com
Name: <Full Name>
Password: Auto-generated
Click "Create".
Step 2: Assign "Owner" Role to the New User
Go to "Subscriptions" → Select your subscription.
Navigate to "Access Control (IAM)".
Click "+ Add" > "Add role assignment".
Choose "Owner" → Click Next.
Select the newly created user (newuser@yourdomain.onmicrosoft.com).
Click "Review + Assign".
Step 3: Remove Deny Assignment Using the New Account
Log in with the newly created account.
Try removing the Deny Assignment as described in Solution 1.
Alternatively, run the following PowerShell command:
Remove-AzRoleAssignment -ObjectId "your-object-id" -Scope "/" -RoleDefinitionName "Deny Assignment"
- Solution 3:
Log in to the Azure portal using the newly created account and attempt to create Azure resources.
Feel free to reach out if you have any further questions or need additional information—I’m happy to assist!
Please provide your valuable comments.
Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
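The lookup described in Solution 1 can also be done read-only from PowerShell. This is an added example, not part of the original answer: it assumes the Az.Resources module and a signed-in session, and `$SubscriptionId`, `$ObjectId` and the helper function names are placeholders chosen here.

```powershell
# Added example (read-only): which deny assignments reach a principal,
# and do they deny a given action? Nothing is modified.
# Assumes Az.Resources and a session signed in with Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # placeholder: your subscription ID
    [Parameter(Mandatory)] [guid]   $ObjectId,        # object ID shown on the Deny Assignments tab
    [string] $Action = 'Microsoft.Insights/Metrics/write'  # action quoted in the answer
)

$allPrincipals = [guid]::Empty   # all-zero ID: the assignment targets every principal
$scope = "/subscriptions/$SubscriptionId"

function Test-ActionMatch([string[]] $Patterns, [string] $Name) {
    # Deny assignment actions may contain wildcards such as '*' or '*/write'.
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

function Get-PrincipalIds($Principals) {
    # Normalise principal IDs to [guid] so dashed and undashed forms compare equal.
    $Principals | Where-Object { $_.ObjectId } | ForEach-Object { [guid] $_.ObjectId }
}

Get-AzDenyAssignment -Scope $scope | ForEach-Object {
    $targets  = @(Get-PrincipalIds $_.Principals)
    $excluded = @(Get-PrincipalIds $_.ExcludePrincipals)

    # Direct matches only: group membership is not expanded here.
    $applies = (($targets -contains $ObjectId) -or ($targets -contains $allPrincipals)) -and
               -not ($excluded -contains $ObjectId)

    # An action is denied when it matches Actions and is not carved out by NotActions.
    $denies = (Test-ActionMatch $_.Actions $Action) -and
              -not (Test-ActionMatch $_.NotActions $Action)

    [pscustomobject]@{
        Name               = $_.DenyAssignmentName
        Scope              = $_.Scope
        # System-protected deny assignments are created and managed by Azure,
        # so they cannot be edited or deleted directly.
        IsSystemProtected  = $_.IsSystemProtected
        AppliesToPrincipal = $applies
        DeniesAction       = $denies
        Id                 = $_.Id
    }
} | Where-Object AppliesToPrincipal | Format-List
```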