The Azure Subscription doesn’t have permissions to register the resource provider(s).

At times, when you are given access to a new Azure subscription and try to provision resources in Azure, you receive an error stating that the service principal is not registered, as outlined in the diagram below.

[Screenshot: ServicePrincipal]

It may seem that some resources require access at the subscription level before they can be created, and that ‘owner’ rights at the resource group level are not sufficient. That is not true. The error occurs because resource providers are registered only at the subscription level. For example, to provision an Analysis Server, the ‘Microsoft.AnalysisServices’ resource provider must already be registered in the subscription.

By default, any new Azure subscription is pre-registered with a list of commonly used resource providers. The resource provider for IoTHub, for instance, is not one of them.

When a user is granted owner rights only on a specific resource group, if that user tries to provision a resource that requires registering a resource provider for the first time, that operation will fail. That is what happened in our case above when trying to provision Analysis Server.

So the bottom line is, we *DO NOT* need to grant access permissions at the subscription level for users to be able to create resources like HDInsight, IoTHub, SQLDW, etc. within the resource groups they have owner rights on, as long as the resource providers for these resources are already registered.

To get a list of registered resource providers in the current subscription, run the following command:

Get-AzureRmResourceProvider -ListAvailable | Where-Object {$_.RegistrationState -eq "Registered"}

Resolution:

These issues occur in new Azure subscriptions because the service principals are not registered. There are three workarounds to fix the issue:

  1. Provide subscription-level Contributor access to the user provisioning the resources. (Not Recommended)
  2. Create a custom role in PowerShell and assign the user to that role to provision resources.
  3. Register service principals. (Recommended)
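For approach #2, one way to build such a role is sketched below. This is an added example, not a script from the original post. It assumes that the only subscription-level right the user is missing is the `*/register/action` operation; the role name, subscription ID and sign-in name are placeholders.

```powershell
# Added example (not from the original post). Placeholder values: replace before use.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$userSignInName = 'user@example.com'                       # placeholder user
$roleName       = 'Resource Provider Registrar'            # hypothetical role name
$scope          = "/subscriptions/$subscriptionId"

# Start from a built-in role object and strip it down, so the custom role
# carries nothing except the right to register resource providers.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.Name        = $roleName
$role.Description = 'Can register resource providers in the subscription; nothing else.'
$role.Actions.Clear()
$role.NotActions.Clear()
$role.Actions.Add('*/register/action')

# Limit where the role can be assigned to this one subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

# Create the role only if it does not exist yet, so the script can be re-run.
if (-not (Get-AzureRmRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzureRmRoleDefinition -Role $role | Out-Null
}

# Assign the role at subscription scope. The user keeps owner rights only on
# their own resource group and gains no read or write access elsewhere.
New-AzureRmRoleAssignment -SignInName $userSignInName `
                          -RoleDefinitionName $roleName `
                          -Scope $scope | Out-Null

# Review what the user now holds at subscription scope.
Get-AzureRmRoleAssignment -SignInName $userSignInName -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

Creating the role definition and the assignment requires an account that already has Owner or User Access Administrator rights on the subscription.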

For approach #3: since the screenshot above shows an error that the “Analysis Services” provider is not registered, the following command can be executed in PowerShell to register the provider and fix the issue:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.AnalysisServices

To register all available resource providers in the current subscription, run the following PowerShell command:

Get-AzureRmResourceProvider -ListAvailable | ForEach-Object {Register-AzureRmResourceProvider -ProviderNamespace $_.ProviderNamespace}

There are other commands listed in the following article to check the status of resource providers:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
