May 022022

The error “User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/X ” can be fixed using these steps:

  1. First determine who the user or principal trying to read Microsoft.Subscription/aliases is.
  2. Next as an Azure AD Global Administrator run Azure Resource Elevation process ( so you have “User Access Administrator” permissions at the “/” scope
  3. Finally, using Azure PowerShell or Azure CLI cmds, add the user or principal referenced in the error to the Reader role at the root “/” scope as shown below.
# Azure PowerShell Example:
New-AzRoleAssignment -ObjectId 1bc23456-2456-4a8a-8b9a-c327f407d41e -Scope / -RoleDefinitionName "Reader"

# Azure CLI Example:
az role assignment create --role Reader --assignee 1bc23456-2456-4a8a-8b9a-c327f407d41e --scope /

NOTE: In the above example “1bc23456-2456-4a8a-8b9a-c327f407d41e” is the Azure AD Object ID of the user or service principal who received the error. Find this value with Get-AzAdUser / Get-AzAdServiceprincipal or az ad user / az ad sp cmds.