Fix Users must have at least permission on these subscriptions

In this article, we discuss how to fix the error “users must have at least permission on these subscriptions”. This error appeared while onboarding M365, Azure and Entra ID to Veeam Data Cloud (VDC), as discussed in “A-Z on Veeam Data Cloud: Workload Enrollment and Onboarding”. Veeam Data Cloud is a fully managed SaaS platform for data resilience. It provides backup, recovery, and protection for cloud-native workloads without needing your own infrastructure.
VDC unifies management across multiple services via a single UI, leveraging Veeam’s core backup tech for security and scalability.
Why was the error “Microsoft.Authorization/roleAssignments/write permission needed” prompted?
As you can see, the error occurred because the current user account lacks the Microsoft.Authorization/roleAssignments/write permission.
This authority is needed to protect Azure resources by assigning roles at the selected subscription scope.
This is common in Azure setups for delegated management, as it is for VDC, where the managing tenant needs elevated permissions on the customer tenant’s subscription.

Furthermore, you can see that the client does not have the right authority.

To fix this, first toggle the security defaults (set Azure Management for Azure Resources to enabled).
Note: Security defaults are pre-configured protections (free in all Entra ID tiers) that enforce MFA for all users/admins, block legacy authentication, and protect Azure portal access.

Quick fix for “you must have at least permission on these subscriptions”
The permissions to assign were clearly spelt out in the error message above. Since this is my admin account, I will assign the “Owner” role or, in your case, the “User Access Administrator” role on the target subscription. Both roles include the required write permission.
To do this, navigate to the Azure Portal > Subscriptions > Access control (IAM) > Add role assignment as shown below.

Select “Owner” under roles as shown below

Ensure this role is assigned to the individual account.
To do this, we will have to select the users and click on save.

These are the members that will receive the Owner rights. Click Next.

Under Conditions, select “Allow Users to assign all roles (highly privileged)”. This is okay for my lab environment. You can go with the recommended approach and click on Next.

At the Review and Assign window, click on “Review and Assign”.

We have successfully assigned the Owner role to the account. If you wish to verify with PowerShell as well, you can run the cmdlet below.
Get-AzRoleAssignment -SignInName your@email.com
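The cmdlet above lists role names only. The following added example (not part of the original article) checks whether any of the account's assignments at the subscription scope actually grants Microsoft.Authorization/roleAssignments/write, and flags assignments that carry a condition. It assumes the Az.Resources module and an existing Connect-AzAccount session; the parameter values and the report column names are placeholders chosen for illustration.

```powershell
#Requires -Modules Az.Resources
# Added example: read-only check, changes nothing in the tenant.
# $SubscriptionId and $SignInName are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $SignInName
)

$needed = 'Microsoft.Authorization/roleAssignments/write'
$scope  = "/subscriptions/$SubscriptionId"

# Direct assignments for the user that apply at the subscription scope.
# Assignments inherited through group membership are not expanded here.
$assignments = Get-AzRoleAssignment -SignInName $SignInName -Scope $scope

$report = foreach ($a in $assignments) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId

    # Role actions use wildcards ("*", "Microsoft.Authorization/*"), so match
    # the needed permission against each pattern instead of comparing strings.
    $allowed  = @($def.Actions    | Where-Object { $_ -and ($needed -like $_) }).Count -gt 0
    # NotActions subtract from Actions (Contributor excludes
    # Microsoft.Authorization/*/Write, for instance).
    $excluded = @($def.NotActions | Where-Object { $_ -and ($needed -like $_) }).Count -gt 0

    [pscustomobject]@{
        Role                 = $a.RoleDefinitionName
        Scope                = $a.Scope
        GrantsRoleAssignment = ($allowed -and -not $excluded)
        # A condition restricts which roles this principal may hand out.
        HasCondition         = -not [string]::IsNullOrEmpty($a.Condition)
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.GrantsRoleAssignment })) {
    Write-Warning "$SignInName has no direct assignment at $scope that includes $needed."
}
```

A row with GrantsRoleAssignment set to True and HasCondition set to False is an unrestricted grant, which is what the “highly privileged” option in the portal produces.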
Now, you should be able to onboard the Azure Tenant into Veeam Data Cloud without issues.

I hope you found this article on how to fix “Users must have at least permission on these subscriptions” very useful. Please feel free to leave a comment below.