The automation account has owner at the tenant root group as well as management group contributor. I am trying to create a script that moves subscriptions to a management group with the path tenant/root/students and am testing it by moving one specific subscription.
X is the automation account principal ID
Y is the id of the subscription I am trying to move
This is the error I am facing:
The client X with object id X does not have authorization to perform action 'Microsoft.Management/managementGroups/root/subscriptions/write' over scope '/providers/Microsoft.Management/managementGroups/tenant/root/students/subscriptions/Y
Asked Mar 25 at 15:28 by user30057956
The client X with object id X does not have authorization to perform action 'Microsoft.Management/managementGroups/root/subscriptions/write' over scope '/providers/Microsoft.Management/managementGroups/tenant/root/students/subscriptions/Y
In general, the above error says that the resource or subscription does not have write permissions on the management group scope provided.
To move subscriptions or a management group to target management groups, the management group being moved and the target management group have to have the management group write and authorization to write permissions, which is clearly detailed in the MSDoc.
Though you are a Global Administrator for the account directory, you need to check the below path and verify if the access management is enabled.
Path: Microsoft Entra ID >> Properties
Alternatively, you can elevate access to the global administrator account by providing the User Access Administrator role at root scope.
This allows you to view all resources and assign access in any subscription or management group in the tenant.
Also, verify if you have added "Management Group contributor" to the automation account resource if you are looking for that specific resource as shown below.