DenyAssignmentAuthorizationFailed

iheb sliti 0 Reputation points
2025-01-25T09:40:09.5666667+00:00

Hello, I got this error when I tried to create an Azure resource (my role is Owner and I cannot contact the admin):

{
  "error": {
    "code": "DenyAssignmentAuthorizationFailed",
    "message": "The client '******@Exxx.u-xxxx.tn' with object id '0142-4031-acab-c061744a1e33' has permission to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' on scope '/subscriptions/98e2-ddf2ceafac45/resourceGroups/test'; however, the access is denied because of the deny assignment with name '[UnusualActivity] Full Deny assignment on dbd6664d-4eb9-46eb-99d8-5c43ba153c61 for user 00000000-0000-0000-0000-000000000000 at root added' and Id 'd49127ba81c54b0b925fedfbdcb01d07' at scope '/'."
  }
}
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Chaithra E 790 Reputation points Microsoft External Staff
    2025-02-13T11:28:32.8533333+00:00

    Hello @iheb sliti ,

    A Deny Assignment is blocking the creation of the Azure resource. Deny assignments prevent certain Azure actions, even if the user has a role assignment that grants them access to the resource.

    Deny assignments are managed by Azure to protect resources, and you cannot create them directly. However, you can set deny rules when creating a deployment stack, which will generate a deny assignment tied to the resources of that stack.

    For additional details on how to protect managed resources and to compare role assignments with deny assignments, including their properties, please refer to the following documents.

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell#protect-managed-resources

    https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal#compare-role-assignments-and-deny-assignments

    Identify the Deny Assignment: Check the resource group or specific resource to locate any deny assignments. This can be done through the Azure portal.

    Remove the Deny Assignment: In the Azure portal, navigate to the resource group, go to the "Access control (IAM)" section, and search for any deny assignments. If a deny assignment is found, you will need the appropriate permissions to remove it.

    Users with any of the following roles, or users assigned custom roles, have the ability to remove deny assignments:

    Role-Based Access Control (RBAC) Administrator

    User Access Administrator

    Global Administrator

    I hope this information is helpful. Please feel free to reach out if you have any further questions.
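Added example, not part of the question or the answer above: a small Python parser for the error body posted in the question. It extracts the denied action, the scope the request targeted, and the name, Id and scope of the deny assignment, so you can see which scope to inspect for it. It assumes the message keeps the wording shown in the question; the function and field names are illustrative.

```python
import json
import re

# The error body from the question, masked values kept exactly as posted.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "DenyAssignmentAuthorizationFailed",
    "message": "The client '******@Exxx.u-xxxx.tn' with object id "
    "'0142-4031-acab-c061744a1e33' has permission to perform action "
    "'Microsoft.Resources/subscriptions/resourceGroups/write' on scope "
    "'/subscriptions/98e2-ddf2ceafac45/resourceGroups/test'; however, the "
    "access is denied because of the deny assignment with name "
    "'[UnusualActivity] Full Deny assignment on "
    "dbd6664d-4eb9-46eb-99d8-5c43ba153c61 for user "
    "00000000-0000-0000-0000-000000000000 at root added' and Id "
    "'d49127ba81c54b0b925fedfbdcb01d07' at scope '/'."}})

# Assumption: the message always follows the wording seen in the question.
MESSAGE_RE = re.compile(
    r"client '(?P<client>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"has permission to perform action '(?P<action>[^']*)' "
    r"on scope '(?P<target_scope>[^']*)'; however, the access is denied "
    r"because of the deny assignment with name '(?P<deny_name>[^']*)' "
    r"and Id '(?P<deny_id>[^']*)' at scope '(?P<deny_scope>[^']*)'")


def scope_covers(parent, child):
    """True if ARM scope `parent` is `child` or one of its ancestors."""
    p, c = parent.rstrip("/").lower(), child.rstrip("/").lower()
    return c == p or c.startswith(p + "/")


def parse_deny_error(body):
    """Return the fields of a DenyAssignmentAuthorizationFailed error body."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "DenyAssignmentAuthorizationFailed":
        raise ValueError("not a deny-assignment failure: %r" % err.get("code"))
    m = MESSAGE_RE.search(err.get("message", ""))
    if m is None:
        raise ValueError("message does not match the expected wording")
    info = m.groupdict()
    info["at_root"] = info["deny_scope"] == "/"
    # Inherited: the deny sits on an ancestor of the scope the request targeted.
    info["inherited"] = (info["deny_scope"] != info["target_scope"]
                         and scope_covers(info["deny_scope"], info["target_scope"]))
    return info


if __name__ == "__main__":
    for key, value in parse_deny_error(SAMPLE_ERROR).items():
        print("%-13s %s" % (key + ":", value))
```

For the error in the question, the parsed deny scope is '/' while the request targeted the resource group 'test', so the deny assignment is attached at the root scope and reaches the resource group by inheritance.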

