Fixing Permission Denied Errors in Azure
Permission denied errors in Azure come in several distinct forms, each caused by a different underlying problem. Getting to the fix quickly requires reading the error message precisely — the HTTP status code, error code, and message body together point to which layer is blocking access. This guide walks through the most common causes of permission errors in Azure and how to diagnose and resolve each one.
Recognising the error
Azure permission errors typically appear as one of these messages:
The client '<identity>' with object id '<id>' does not have authorization
to perform action 'Microsoft.Storage/storageAccounts/write' over scope
'/subscriptions/<sub_id>/resourceGroups/myRG' or the scope is invalid.
If access was recently granted, please refresh your credentials.
(Code: AuthorizationFailed)Resource 'myStorage' was disallowed by policy. Policy identifiers:
'[{"policyAssignment":{"name":"Deny-Public-Storage","id":"/subscriptions/..."},
"policyDefinition":{"name":"deny-public-blob-access"}}]'
(Code: RequestDisallowedByPolicy)Caller is not authorized to access resource '/subscriptions/.../vaults/myVault/secrets/mySecret'.
(Code: Forbidden)Each error code leads to a different diagnostic path. AuthorizationFailed means an RBAC role is missing. RequestDisallowedByPolicy means an Azure Policy is blocking the action. Forbidden on a Key Vault means either the RBAC data plane role or the Key Vault Access Policy is missing.
Step 1: Check the current RBAC assignments
Start by listing every role assignment for the identity that is receiving the error. This shows what roles are currently assigned and at what scope.
# List all role assignments for a user (by UPN)
az role assignment list \
--assignee user@company.com \
--all \
--query "[].{Role:roleDefinitionName, Scope:scope}" \
--output table
# List all role assignments for a service principal (by client ID)
az role assignment list \
--assignee 00000000-0000-0000-0000-000000000001 \
--all \
--query "[].{Role:roleDefinitionName, Scope:scope}" \
--output table
# Check if a specific role is assigned at the required scope
az role assignment list \
--assignee user@company.com \
--scope /subscriptions/SUB_ID/resourceGroups/myRG \
--query "[].roleDefinitionName" \
--output tableCommon findings at this step: the role is assigned at the wrong scope (e.g., assigned on resource group A but the resource is in resource group B), or the role exists but was deleted and re-created under a different object ID.
Step 2: Grant the missing RBAC role
Identify the specific action that was denied from the error message. Look up which built-in role includes that action using the Azure RBAC documentation or the CLI.
# Find which built-in roles contain a specific action
az role definition list \
--query "[?contains(permissions[0].actions, 'Microsoft.Storage/storageAccounts/write')].{Name:roleName}" \
--output table
# Assign the Storage Account Contributor role to a user on a specific resource group
az role assignment create \
--assignee user@company.com \
--role "Storage Account Contributor" \
--scope /subscriptions/SUB_ID/resourceGroups/myRG
# Assign a role to a managed identity (useful for fixing service-to-service errors)
az role assignment create \
--assignee-object-id $(az webapp identity show --name myWebApp --resource-group myRG --query principalId -o tsv) \
--assignee-principal-type ServicePrincipal \
--role "Storage Blob Data Reader" \
--scope /subscriptions/SUB_ID/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/myStorageRBAC assignments take up to 10 minutes to propagate in Azure. If you have just granted a role and the error persists, wait 5–10 minutes and retry before investigating further. For the Azure CLI, you can also run az logout && az login to force a token refresh.
Step 3: Check for Azure Policy denials
If the error code is RequestDisallowedByPolicy, the operation is allowed by RBAC but blocked by a policy assignment. The error message includes the policy assignment name and ID.
# List all policy assignments at the current scope
az policy assignment list \
--scope /subscriptions/SUB_ID/resourceGroups/myRG \
--query "[].{Name:displayName, Effect:parameters.effect.value}" \
--output table
# Get details of a specific policy assignment
az policy assignment show \
--name Deny-Public-Storage \
--scope /subscriptions/SUB_ID
# Check the policy definition to understand what is being denied
az policy definition show \
--name deny-public-blob-access \
--query "{DisplayName:displayName, Description:description, Rule:policyRule}"Once you understand what the policy is blocking, you have two options: modify your operation to comply with the policy (the preferred approach — the policy exists for a reason), or request an exemption through your organisation’s Azure governance process. Never delete a policy assignment to work around it without going through the correct approval process.
Step 4: Key Vault specific permission issues
Key Vault permission errors are a frequent source of confusion because Key Vault has two distinct authorization models and many teams mix them up.
# Check which authorization model the Key Vault uses
az keyvault show \
--name myKeyVault \
--resource-group myRG \
--query "properties.enableRbacAuthorization"
# Returns: true = RBAC model, false = Access Policy model
# If RBAC model: assign the appropriate data plane role
az role assignment create \
--assignee user@company.com \
--role "Key Vault Secrets User" \
--scope /subscriptions/SUB_ID/resourceGroups/myRG/providers/Microsoft.KeyVault/vaults/myKeyVault
# If Access Policy model: add the identity to the access policy
az keyvault set-policy \
--name myKeyVault \
--resource-group myRG \
--upn user@company.com \
--secret-permissions get list \
--key-permissions get list \
--certificate-permissions get listStep 5: Resource provider registration
A specific category of permission-like error occurs when attempting to create a resource whose resource provider is not registered in the subscription:
The subscription is not registered to use namespace 'Microsoft.ContainerService'.
(Code: MissingSubscriptionRegistration)This is not a permission error but appears similar in the CLI output. Fix it by registering the provider:
# Register a resource provider
az provider register --namespace Microsoft.ContainerService --wait
# Verify registration status
az provider show --namespace Microsoft.ContainerService --query registrationStateUsing the Activity Log for diagnosis
The Azure Activity Log records every management plane operation, including failed authorization attempts, with the full identity of the caller and the exact action that was attempted. This is invaluable for diagnosing intermittent permission errors or errors in automated pipelines where the error message may not be fully visible.
# View recent failed authorization events in a resource group
az monitor activity-log list \
--resource-group myRG \
--status Failed \
--offset 1h \
--query "[?authorization.action != null].{Time:eventTimestamp, Caller:caller, Action:authorization.action, Status:status.value}" \
--output tableCommon mistakes
- Assigning Owner role to fix permission errors. Owner is a very broad role that grants full management plane access. It is almost never the correct solution to a specific permission problem. Identify the exact action that is failing and assign the minimum role that includes it.
- Not waiting for RBAC propagation. Azure RBAC changes propagate through the distributed authorization system within a few minutes. Retrying immediately after granting a role will continue to fail. Wait 5–10 minutes before concluding that the role assignment did not work.
- Confusing management plane and data plane permissions. RBAC Contributor role grants management plane access (create/delete/configure resources) but does not grant data plane access (read/write actual data). Reading a blob requires Storage Blob Data Reader role, not Storage Account Contributor. These are separate permission layers on most Azure services.
Summary
- Read the error code first: AuthorizationFailed means RBAC gap; RequestDisallowedByPolicy means Azure Policy is blocking; Forbidden on Key Vault means data plane role or access policy is missing.
- Use az role assignment list to verify current assignments and their scopes before granting anything new.
- Wait 5–10 minutes after granting RBAC roles before retrying — propagation is not instant.
- Key Vault has two models: RBAC (requires data plane role) and Access Policy (requires policy entry). Check which model is active before adding permissions.
- Use the Activity Log to diagnose intermittent or pipeline permission errors with full caller and action details.
Frequently asked questions
How do I tell whether a permission error is caused by RBAC or Azure Policy?
RBAC errors return HTTP 403 with an error code of AuthorizationFailed and a message referencing the missing action (e.g., "does not have authorization to perform action Microsoft.Compute/virtualMachines/write"). Azure Policy denials return HTTP 403 with error code RequestDisallowedByPolicy and the message includes the policy definition display name and assignment ID. Check the error code field in the response to distinguish them.
I have Owner role on the subscription but I still get permission denied on a Key Vault. Why?
Key Vault uses its own access control system in addition to Azure RBAC. If the Key Vault was created with the legacy Access Policy model, Owner role does not grant access to secrets, keys, or certificates — you must also be added to the Key Vault Access Policy. If the Key Vault uses the RBAC authorization model, you need a Key Vault data plane role (Key Vault Secrets User, Key Vault Secrets Officer, etc.) in addition to management plane roles.
Can I preview what actions a user or service principal can take before running the actual command?
Yes. Use the az role assignment list --assignee command to list current RBAC assignments, and az rest with the /checkAccess endpoint to verify specific permissions programmatically. In the Azure portal, the Access Control (IAM) blade has a "Check access" tab that shows every role assignment for a user or service principal and the effective permissions they grant.