Insufficient permissions to… while being an owner!

Lately, I banged my head on an access rights issue. I was automating Azure governance through Azure CLI, which included the management group and subscription hierarchy. My Azure DevOps service principal was Owner of the root management group, because it had to deal with automated role assignments etc.

The problem

When I tried to remove a subscription from a management group with

az account management-group subscription remove

I got this exception: Permission to write and delete on resources of type ‘Microsoft.Authorization/roleAssignments’ is required on the subscription or its ancestors.

But hey… I was running under the owner account!

The solution

After a “while”, I found a pointer in this interesting article.  It states:

If you attempt to remove the last Owner role assignment for a subscription, you might see the error “Cannot delete the last RBAC admin assignment.” Removing the last Owner role assignment for a subscription is not supported to avoid orphaning the subscription.

This sentence pushed me into the right direction:

  • There was currently no owner assigned on the subscription itself
  • However, there was an owner inherited by the parent management group
  • By trying to remove the subscription from its management group, we would end up with an orphaned subscription (no Owner left on it)

By adding an owner on the subscription itself, the issue was resolved.
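The check and fix described above, as an added example that is not part of the original post: a small POSIX shell script that counts Owner role assignments sitting directly on the subscription scope (ignoring assignments inherited from a management group), adds a direct Owner when there is none, and only then removes the subscription from the management group. The subscription ID, management group name and principal object ID are placeholders; the embedded JSON is a constructed sample shaped like the output of az role assignment list.

```shell
#!/bin/sh
# Added example, not code from the original post. All identifiers are placeholders.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder subscription id
MANAGEMENT_GROUP="mg-placeholder"                        # placeholder management group name
OWNER_OBJECT_ID="11111111-1111-1111-1111-111111111111"   # placeholder object id of the principal to make Owner

# Count Owner assignments whose scope is exactly the given scope.
# Reads JSON from `az role assignment list -o json` on stdin. Assumes az's
# pretty-printed layout, where each assignment object carries
#   "roleDefinitionName": "Owner"   and   "scope": "/subscriptions/<id>"
# Inherited assignments have a management group scope and are not counted;
# assignments on child scopes (resource groups) are excluded by the closing quote.
direct_owner_count() {
  scope="$1"
  awk -v scope="$scope" '
    BEGIN { RS = "}"; n = 0 }
    index($0, "\"roleDefinitionName\": \"Owner\"") && index($0, "\"scope\": \"" scope "\"") { n++ }
    END { print n }'
}

# Constructed sample: one Owner inherited from the management group, one Reader
# directly on the subscription. This is the situation the post describes.
CONSTRUCTED_SAMPLE='[
  {
    "roleDefinitionName": "Owner",
    "scope": "/providers/Microsoft.Management/managementGroups/mg-placeholder"
  },
  {
    "roleDefinitionName": "Reader",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  }
]'

# Runs the counter over the constructed sample (no Azure access needed).
demo_direct_owner_count() {
  printf '%s' "$CONSTRUCTED_SAMPLE" | direct_owner_count "/subscriptions/${SUBSCRIPTION_ID}"
}

# Real procedure: requires `az login` with enough rights on the hierarchy.
ensure_direct_owner_then_remove() {
  scope="/subscriptions/${SUBSCRIPTION_ID}"
  # --include-inherited returns management group assignments too; the filter
  # above keeps only the ones placed directly on the subscription.
  count=$(az role assignment list --scope "$scope" --role Owner --include-inherited -o json \
          | direct_owner_count "$scope")
  if [ "$count" -eq 0 ]; then
    echo "No direct Owner on ${scope}; adding one so the subscription is not orphaned"
    az role assignment create \
      --assignee-object-id "$OWNER_OBJECT_ID" \
      --assignee-principal-type ServicePrincipal \
      --role Owner \
      --scope "$scope"
  fi
  az account management-group subscription remove \
    --name "$MANAGEMENT_GROUP" \
    --subscription "$SUBSCRIPTION_ID"
}

# Only touch Azure when explicitly asked: `sh script.sh run`
case "${1-}" in
  run) ensure_direct_owner_then_remove ;;
esac
```

Run it with the argument run after az login; without arguments it only defines the functions, so the counting logic can be exercised offline against the constructed sample. Parsing az output with awk keeps the script dependency-free, but if jq is available a query on roleDefinitionName and scope is more robust than the text match used here.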

This issue took me a few hours and some grey hairs, so I hope I can save you some trouble by sharing this!

Cheers
Toon
