@Jose-Paolo Roldan The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (Microsoft.Resources/deployments/*) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission.
The Global Administrator for the Microsoft Entra ID doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps:
- Elevate account access so the Global Administrator can assign roles. For more information, see Elevate access to manage all Azure subscriptions and management groups. (Seems you have already done this).
- Kindly assign Owner or Contributor to the principal that needs to deploy the templates.
az role assignment create --assignee "[userId]" --scope "/" --role "Owner"
The principal now has the required permissions to deploy the template.
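
Added example, not part of the original answer: a shell wrapper around the assignment command that accepts only the two roles named above, creates the assignment at scope "/" only when it is missing, and reads it back to confirm it. The function names and the `--apply` switch are hypothetical; the principal object ID and role are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Function names and the
# --apply switch are hypothetical; the az subcommands and flags are real.

# Print "role<TAB>scope" for each assignment principal $1 holds exactly at "/".
root_assignments() {
  az role assignment list --assignee "$1" --scope "/" \
    --query "[?scope=='/'].[roleDefinitionName, scope]" --output tsv
}

# Succeed only if principal $1 holds role $2 at the tenant root scope.
has_root_role() {
  root_assignments "$1" | grep -Fqx "$(printf '%s\t/' "$2")"
}

# Grant role $2 to principal $1 at "/" unless already present, then verify.
# Prints: created | unchanged | unverified | refused: <role>
ensure_root_role() {
  case "$2" in
    Owner|Contributor) ;;              # the two roles the answer names
    *) echo "refused: $2"; return 2 ;;
  esac
  if has_root_role "$1" "$2"; then
    echo "unchanged"; return 0         # no duplicate assignment is created
  fi
  az role assignment create --assignee "$1" --scope "/" --role "$2" \
    >/dev/null || return 1
  if has_root_role "$1" "$2"; then
    echo "created"
  else
    echo "unverified"; return 1        # create returned but read-back failed
  fi
}

# Usage: ./ensure-root-role.sh --apply <principal-object-id> <Owner|Contributor>
if [ "${1:-}" = "--apply" ]; then
  ensure_root_role "$2" "$3"
fi
```

Passing Contributor is enough when the template only creates management groups; Owner is needed only when the template creates role assignments.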