User does not have access Microsoft.Subscription/aliases/read over scope

The error “User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/X” can be fixed using these steps:

  1. First, determine which user or principal is trying to read Microsoft.Subscription/aliases.
  2. Next, as an Azure AD Global Administrator, run the Azure resource elevation process (https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) so that you have “User Access Administrator” permissions at the “/” scope.
  3. Finally, using Azure PowerShell or Azure CLI commands, add the user or principal referenced in the error to the Reader role at the root “/” scope as shown below.
# Azure PowerShell Example:
New-AzRoleAssignment -ObjectId 1bc23456-2456-4a8a-8b9a-c327f407d41e -Scope / -RoleDefinitionName "Reader"
# Azure CLI Example:
az role assignment create --role Reader --assignee 1bc23456-2456-4a8a-8b9a-c327f407d41e --scope /

NOTE: In the above example, “1bc23456-2456-4a8a-8b9a-c327f407d41e” is the Azure AD Object ID of the user or service principal who received the error. Find this value with the Get-AzADUser / Get-AzADServicePrincipal cmdlets or the az ad user / az ad sp commands.
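
The three steps as one Azure PowerShell script. This is an added example, not code from the original post: it looks up the Object ID, assigns Reader at “/” only if the assignment is missing, and prints the result. The parameter names $Upn and $AdminUpn are assumptions. A Reader assignment at “/” is inherited by every management group and subscription in the tenant, so the script also shows how to drop the temporary “User Access Administrator” elevation from step 2 once the assignment is in place.

```powershell
# Added example. $Upn and $AdminUpn are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Upn,  # sign-in name of the user named in the error
    [string] $AdminUpn                     # Global Administrator elevated in step 2 (optional)
)
$ErrorActionPreference = 'Stop'

# Step 1: resolve the Azure AD Object ID of the principal.
# For a service principal, swap in: Get-AzADServicePrincipal -DisplayName <name>
$principal = Get-AzADUser -UserPrincipalName $Upn
if (-not $principal) { throw "No Azure AD user found for '$Upn'." }

# Step 3: assign Reader at "/" only if the principal does not already hold it there.
$reader = Get-AzRoleAssignment -ObjectId $principal.Id -Scope '/' -RoleDefinitionName 'Reader' |
    Where-Object Scope -eq '/'
if (-not $reader) {
    New-AzRoleAssignment -ObjectId $principal.Id -Scope '/' -RoleDefinitionName 'Reader' | Out-Null
}

# Verify: list every role this principal now holds directly at the root scope.
Get-AzRoleAssignment -ObjectId $principal.Id -Scope '/' |
    Where-Object Scope -eq '/' |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Clean-up: remove the "User Access Administrator" assignment that the
# elevation in step 2 created for the Global Administrator.
if ($AdminUpn) {
    Remove-AzRoleAssignment -SignInName $AdminUpn `
        -RoleDefinitionName 'User Access Administrator' -Scope '/'
}
```

Save it as a .ps1 file and run it from a session signed in with Connect-AzAccount as the elevated Global Administrator.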
