Error while creating storage account by Resource group Owner

    Question

  • I am "Owner" of the Resource group and also have role "Storage Account Contributor" in this RG.

    When I try to create new storage account I receive the error:

    Registering the resource providers has failed.
    Additional details from the underlying API that might be helpful: 'AuthorizationFailed' -
    The client '...' with object id '...'
    does not have authorization to perform action 'Microsoft.Storage/register/action'
    over scope '/subscriptions/guid'. (Code: AuthorizationFailed)

    What is the reason for this error?

    Thursday, June 16, 2016 6:23 AM

All replies

  • Hi,

    Thank you for posting here!

    You may receive an error during deployment because the account or service principal attempting to deploy the resources does not have access to perform those actions. Azure Active Directory enables you or your administrator to control which identities can access what resources with a great degree of precision. For example, if your account is assigned to the Reader role, it will not be able to create new resources. In that case, you should see an error message indicating that authorization failed.

    For more information about role-based access control, see Azure Role-Based Access Control.

    In addition to role-based access control, your deployment actions may be limited by policies on the subscription. Through policies, the administrator can enforce conventions on all resources deployed in the subscription. For example, an administrator can require that a particular tag value be provided for a resource type. If you have not fulfilled the policy requirements, you will receive an error during deployment. For more information about policies, see Use Policy to manage resources and control access.

    Please refer to the link below to troubleshoot common errors when deploying resources to Azure with Azure Resource Manager:

    https://azure.microsoft.com/en-in/documentation/articles/resource-manager-common-deployment-errors/

    Regards,

    Vikranth S.

    Please remember to click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading the thread. And Vote as Helpful.

    Thursday, June 16, 2016 2:05 PM
    Moderator
  • Are you a robot?

    Did you read my question?

    I am the "Owner" of the Resource group! What "Reader Role" are you talking about?

    Please don't copy-paste this bla-bla-bla from MS-documentation.

    Friday, June 17, 2016 6:42 AM
  • (LOL). I tried this by assigning the role of Owner for a resource group to a user in my AD. Then I assigned them Storage Account Contributor. And it does let me create a new storage account in that resource group. So if that's what you're trying to do, you're right, it should work.

    I thought maybe it would let you manage the storage account but not add new ones. In case you're interested, you can check the allowed and disallowed actions on each role that can be assigned to a user here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles

    Can you make sure that you're putting the new storage account in the same resource group?

    When you go into the resource group and look at the Users, you're listed and you have roles Owner and Storage Account Contributor, right?

    Can you be sure you're logged in as the right user? (I know, I know, but I have to ask, we've all done dumb things.)

    Robin


    Sr. Content Developer at Microsoft

    Thursday, June 30, 2016 8:12 PM
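
Added example, not part of the thread and not Microsoft's code: the error in the question names an action over the subscription scope, while both roles are assigned at resource-group scope, and Azure RBAC assignments apply to their scope and its children only. The sketch parses the message and evaluates each assignment; the resource group name `my-rg` and the simplified action lists are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the error text from the question, ids left as placeholders.
ERROR = ("The client '...' with object id '...' does not have authorization "
         "to perform action 'Microsoft.Storage/register/action' "
         "over scope '/subscriptions/guid'. (Code: AuthorizationFailed)")

# Constructed assignments mirroring the question: both roles at resource-group scope.
# Action lists are simplified for illustration, not the full role definitions.
RG = "/subscriptions/guid/resourceGroups/my-rg"  # hypothetical resource group name
ASSIGNMENTS = [
    {"role": "Owner", "scope": RG, "actions": ["*"]},
    {"role": "Storage Account Contributor", "scope": RG,
     "actions": ["Microsoft.Storage/storageAccounts/*"]},
]

def parse_authorization_failed(message):
    """Return (action, scope) named in an AuthorizationFailed message."""
    m = re.search(r"perform action '([^']+)'\s+over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group(1), m.group(2)

def scope_covers(assigned, required):
    """An assignment covers its own scope and child scopes, never a parent."""
    a, r = assigned.rstrip("/").lower(), required.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def action_allowed(patterns, action):
    """Wildcard match of the requested action against a role's action patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def explain(message, assignments):
    """Per assignment: (role, scope covers request, action allowed, grants)."""
    action, scope = parse_authorization_failed(message)
    findings = []
    for a in assignments:
        in_scope = scope_covers(a["scope"], scope)
        has_action = action_allowed(a["actions"], action)
        findings.append((a["role"], in_scope, has_action, in_scope and has_action))
    return action, scope, findings

def is_authorized(message, assignments):
    return any(grants for *_, grants in explain(message, assignments)[2])

if __name__ == "__main__":
    for row in explain(ERROR, ASSIGNMENTS)[2]:
        print(row)
```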