Getting does not have authorization to perform action or scope is invalid.

Kalyani Wani 80 Reputation points
2023-01-24T11:25:02.23+00:00

We're getting the following error 'The client 'f774a339-7628-49ff-9829-49c522b6d49c' with object id 'f774a339-7628-49ff-9829-49c522b6d49c' does not have the authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/3535caf0-dd76-4e49-8666-cdbb6f15aa55' or the scope is invalid. If access was recently granted, please refresh your credentials.' We've already given a Contributor role and added a few custom roles such as:

1. 'Microsoft.Authorization//write'
2. 'Microsoft.Authorization//read'
3. 'Microsoft.Resources/subscriptions/'
4. 'Microsoft.Resources/subscriptions/resourceGroups/'
5. 'Microsoft.Resources/subscriptions/resourcegroups/resources/'
6. 'Microsoft.Resources/subscriptions/resources/'
7. 'Microsoft.Resources/subscriptions/locations/*'

Still facing the same issue.


4 answers

  1. Akshay-MSFT 17,881 Reputation points Microsoft Employee
    2023-03-21T11:18:34.61+00:00

    @Kalyani Wani

    The error is not related to the user but to the application. Kindly look for the application/SPN name with client ID 'f774a339-7628-49ff-9829-49c522b6d49c'.

    Navigate to the subscription > Choose the subscription > Add Role assignment > Reader > assign to the application SPN:

    Thanks,

    Akshay Kaushik

    10 people found this answer helpful.

  2. TWA 20 Reputation points
    2024-02-14T10:56:04.32+00:00

    Make sure you are in the right subscription. After you log in with "Connect-AzAccount", go to "Select-AzSubscription -SubscriptionName 'X'".

    4 people found this answer helpful.
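
One way to run the checks from answers 1 and 2 in Az PowerShell, as an added example that is not part of any answer on this page. It assumes the Az.Accounts and Az.Resources modules, a session signed in with Connect-AzAccount, and an account that can read role assignments; the message text is copied from the question.

```powershell
# Added example: explain an AuthorizationFailed message using the values it contains.
$msg = "The client 'f774a339-7628-49ff-9829-49c522b6d49c' with object id " +
       "'f774a339-7628-49ff-9829-49c522b6d49c' does not have the authorization to perform " +
       "action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope " +
       "'/subscriptions/3535caf0-dd76-4e49-8666-cdbb6f15aa55' or the scope is invalid."

# Extract the principal, the denied action and the scope from the message.
if ($msg -notmatch "object id '([^']+)'.*perform action '([^']+)' over scope '([^']+)'") {
    throw "Message is not in the expected AuthorizationFailed shape."
}
$objectId, $action, $scope = $Matches[1], $Matches[2], $Matches[3]
$subId = ($scope -split '/')[2]   # '/subscriptions/<id>/...' -> <id>

# Answer 2: work in the subscription named in the scope, not whichever is the default.
if ((Get-AzContext).Subscription.Id -ne $subId) {
    Set-AzContext -Subscription $subId -ErrorAction Stop | Out-Null
}

# Answer 1: the principal in the message is an application (service principal), not a user.
$sp = Get-AzADServicePrincipal -ObjectId $objectId
if ($sp) { "Principal: {0} (application ID {1})" -f $sp.DisplayName, $sp.AppId }
else     { "Object ID $objectId is not a service principal in this tenant." }

# For each role assigned to that principal, test whether the role grants the action.
# Role actions use '*' wildcards and NotActions are subtracted from Actions.
$granting = foreach ($a in Get-AzRoleAssignment -ObjectId $objectId -Scope $scope) {
    $role     = Get-AzRoleDefinition -Name $a.RoleDefinitionName
    $allowed  = $role.Actions    | Where-Object { $action -like $_ }
    $excluded = $role.NotActions | Where-Object { $action -like $_ }
    if ($allowed -and -not $excluded) { $a }
}

if ($granting) {
    "Roles that already grant '$action' to this principal:"
    $granting | Select-Object RoleDefinitionName, Scope
} else {
    "No role assigned to this principal grants '$action' at $scope."
    # The fix from answer 1: built-in Reader at the subscription scope (uncomment to apply).
    # New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Reader' -Scope $scope
}

# Answer 3 mentions deny assignments; list any that apply at this scope.
Get-AzDenyAssignment -Scope $scope
```

If a granting role is listed and the error persists, the message's own hint applies: refresh the credentials the application is using.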

  3. Phạm Như Long 5 Reputation points
    2024-11-24T04:54:42.8566667+00:00

    I am experiencing the same issue as mentioned above. I am the owner of the project, but I don’t understand why I don’t have any permissions to remove in deny assignment, and I also don't have permission to add a new role either.

    1 person found this answer helpful.

  4. Rohan Krishna Ullas 5 Reputation points Microsoft Employee
    2024-03-11T11:00:33.9166667+00:00

    Following the steps here helped me: "https://learn.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication?tryIt=true&source=docs#code-try-1". I had to add a custom role from Azure Command shell to get access.

