Share via

Not enough permissions to deploy Azure Resource Manager

Mansahaj Popli 0 Reputation points
2025-08-11T20:54:16.6166667+00:00

I am trying to integrate Azure APIM with Stripe following this link: https://github.com/microsoft/azure-api-management-monetization/blob/main/documentation/stripe-deploy.md
However, I am not able to deploy 'Deploy the Azure monetization resources' step as I run into an issue when I am trying to deploy to Azure. User's image

<code style="white-space: pre-wrap"><div>Deployment failed with multiple errors: 'Authorization failed for template resource '8f4e1cf9-9344-5889-ad33-1c15dd633351' of type 'Microsoft.Authorization/roleAssignments'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Authorization/roleAssignments/8f4e1cf9-9344-5889-ad33-1c15dd633351'.:Authorization failed for template resource 'apim-stripe-demo-plan' of type 'Microsoft.Web/serverfarms'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/serverfarms/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/serverfarms/apim-stripe-demo-plan'.:Authorization failed for template resource 'apim-stripe-demo-app' of type 'Microsoft.Web/sites'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/apim-stripe-demo-app'.:Authorization failed for template resource 'apim-stripe-demo-app/appsettings' of type 'Microsoft.Web/sites/config'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/config/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/apim-stripe-demo-app/config/appsettings'.'</div><br> (Code: InvalidTemplateDeployment)</code>
This is the error I am running into. Could you please tell me what the admin of this account should do to give me enough permissions.
This could be:

  1. A list of instructions they need to follow or
  2. A powershell script to grant mmyuser id the access I need
Azure Resource Mover
Azure Resource Mover
An Azure service used for moving multiple resources between Azure regions.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vinodh247 36,031 Reputation points MVP Volunteer Moderator
    2025-08-12T00:53:55.9+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    The deployment is failing because your account does not have the permissions to:

    Assign roles (Microsoft.Authorization/roleAssignments/write)

    Create or update App Service Plans (Microsoft.Web/serverfarms/write)

    Create or update App Services (Microsoft.Web/sites/write)

    Update App Service settings (Microsoft.Web/sites/config/write)

    In Azure, these actions require Contributor or Owner permissions at the subscription or resource group level (and in the case of role assignments, you also need User Access Administrator rights).

    Admin should:

    1. Grant you the required roles at the right scope
      • Scope: Either at the subscription level or at the specific resource group (apim-resource) where you are deploying.
      • Roles required:
      • Contributor - lets you create/update resources like App Service Plans, App Services, configs.
      • User Access Administrator - lets you assign roles during the deployment.
    2. Contributor - required to create/update Azure resources during the ARM template deployment.
    3. User Access Administrator - required because your template is also creating role assignments for service principals. Without this, deployment will fail even if you have Contributor.

    Option 1 -> Azure Portal

    1. Go to Azure Portal > Subscriptions > select the subscription you are using.
    2. In the left menu, click Access control (IAM).
    3. Click Add > Add role assignment.
    4. Search for and assign:
      • Contributor role to your user (******@aem.eco)
      • User Access Administrator role to your user
    5. Set Scope to:
      • Subscription level (best if you will do multiple deployments), or
      • Resource group level (apim-resource) if they want to limit your access.

    Option 2 -> Using Powershell

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.