VSTS deployment fails with "Authorization failed for ... of type 'Microsoft.Storage/storageAccounts/providers/locks'"

I'm deploying an ARM template with VSTS which contains a lock (in my case, a lock on a Storage Account for a Function App):

    {
        "parameters": {
            "name": {
                "type": "string"
            },
            "storageName": {
                "type": "string"
            },
            "location": {
                "type": "string"
            }
        },
        "resources": [
            {
                "apiVersion": "2015-05-01-preview",
                "type": "Microsoft.Storage/storageAccounts",
                "name": "[parameters('storageName')]",
                "location": "[parameters('location')]",
                "properties": {
                    "accountType": "Standard_LRS"
                },
                "resources": [
                    {
                        "type": "Microsoft.Storage/storageAccounts/providers/locks",
                        "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
                        "apiVersion": "2015-01-01",
                        "dependsOn": [
                            "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
                        ],
                        "properties": {
                            "level": "CannotDelete",
                            "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
                        }
                    }
                ]
            }
        ]
    }

That just works fine when deploying from VS or from the command line with my credentials. However, when deploying from a VSTS release definition, the deployment fails with:

Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."

When I remove the Microsoft.Storage/storageAccounts/providers/locks section from the template, the VSTS deployment works. But then the storage account would bear no lock preventing a deletion.


  • Contributor role - which is assigned when VSTS creates the Service Principal in the AAD connected to the Resource Group's Subscription - is not sufficient for placing the lock. Assign Owner and the lock can be placed with the VSTS deployment process.
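The answer above comes down to how Azure RBAC evaluates the built-in roles: Contributor is granted `*` but carves out `Microsoft.Authorization/*/Write` in its NotActions, and lock creation is the action `Microsoft.Authorization/locks/write`, so it is denied; Owner has no such carve-out. The following is an added example, not code from the question, the answer or Microsoft: a small Python model of that evaluation (Actions grant, NotActions in the same role subtract, `*` matches across path segments, comparison is case-insensitive) that can be run before a release to check whether the service connection's roles cover the actions a template needs. The Owner and Contributor entries are trimmed copies of the public built-in definitions (Contributor's real NotActions list is longer); the "Lock Contributor (custom)" role is a hypothetical least-privilege alternative to handing the pipeline Owner, and `load_role_definitions` assumes the `permissions[].actions/notActions` shape that `az role definition list` emits.

```python
import json
import re

# Trimmed built-in definitions (public Azure docs); Contributor's full NotActions
# list is longer, these are the entries that decide the lock case.
BUILTIN_ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    # Hypothetical custom role (assumption, not an Azure built-in): lock management only.
    "Lock Contributor (custom)": {
        "Actions": ["Microsoft.Authorization/locks/*"],
        "NotActions": [],
    },
}

LOCK_WRITE = "Microsoft.Authorization/locks/write"
STORAGE_WRITE = "Microsoft.Storage/storageAccounts/write"


def _pattern_matches(pattern, action):
    """Azure action patterns: '*' matches any run of characters (including '/'),
    everything else is compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_permits(role, action):
    """A single role grants an action if some Actions entry matches it and
    no NotActions entry of that same role matches it."""
    granted = any(_pattern_matches(p, action) for p in role["Actions"])
    excluded = any(_pattern_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def principal_permits(assigned_role_names, action, roles=BUILTIN_ROLES):
    """A principal is allowed if any assigned role permits the action:
    NotActions only subtract inside their own role, never across roles."""
    return any(role_permits(roles[name], action) for name in assigned_role_names)


def missing_actions(assigned_role_names, required_actions, roles=BUILTIN_ROLES):
    """Pre-deployment check: which required actions does this principal lack?"""
    return [a for a in required_actions if not principal_permits(assigned_role_names, a, roles)]


def load_role_definitions(json_text):
    """Parse role definitions in the shape 'az role definition list' prints
    (assumed: roleName plus permissions[].actions/notActions) into our dict form."""
    result = {}
    for rd in json.loads(json_text):
        actions, not_actions = [], []
        for perm in rd.get("permissions", []):
            actions.extend(perm.get("actions", []))
            not_actions.extend(perm.get("notActions", []))
        result[rd["roleName"]] = {"Actions": actions, "NotActions": not_actions}
    return result


# Constructed sample in the az CLI output shape, used to exercise the loader.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/*/Delete"]}]},
])

# Actions the template in the question needs: the storage account and the lock.
TEMPLATE_ACTIONS = [STORAGE_WRITE, LOCK_WRITE]

if __name__ == "__main__":
    for assigned in (["Contributor"], ["Owner"], ["Contributor", "Lock Contributor (custom)"]):
        lacking = missing_actions(assigned, TEMPLATE_ACTIONS)
        print(f"{assigned}: {'OK' if not lacking else 'missing ' + ', '.join(lacking)}")
```

Running it shows Contributor alone missing only `Microsoft.Authorization/locks/write`, Owner passing, and Contributor plus the narrow custom role passing as well, which is the combination to consider if granting the pipeline's service principal full Owner on the subscription is more than it should hold.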