Tags: azure, azure-rbac, azure-alerts

Azure Alert Access Denied: "You are not authorized to perform access alert/read over scope SubB/RG/alerts"


I am experiencing a permissions issue with Azure alerts that I cannot resolve. Here are the details of my setup:

Subscription A: Contains a log-based alert.

Subscription B: Contains a Log Analytics Workspace (LAW) that the alert in Subscription A uses.

User Roles: I have Contributor access on both Subscription A and Subscription B. My colleague has Contributor and Reader access on Subscription A (where the alert is) and Log Analytics Contributor and Log Analytics Reader access to the LAW in Subscription B.

Issue: When my colleague receives an email notification for the alert and clicks the "View Alert Details" button, they encounter the following error message:

You are not authorized to perform access alert/read over scope SubB/RG/alerts or the scope is invalid.

Observations:

  • I can access the alert details without any issues, as I also have contributor access for both subscriptions.
  • My colleague has been assigned the Log Analytics Contributor and Log Analytics Reader role on the LAW resource in Subscription B, but they still receive the same error.
  • The alert itself is not in Subscription B; it resides in Subscription A, which adds to the confusion regarding the error message.

Questions:

  1. What does the error message specifically indicate regarding permissions?
  2. Why is the error referencing SubB/RG/alerts when the alert is in Subscription A?
  3. What specific permissions are required for my colleague to view the alert details?
  4. Are there any additional roles or configurations that need to be checked to resolve this issue?

Any insights or guidance on how to resolve this issue would be greatly appreciated! Thank you.


Solution

  • Azure Alert Access Denied: "You are not authorized to perform access alert/read over scope SubB/RG/alerts"

    The error you encountered is due to insufficient permissions on Subscription B to view cross-linked resources like alerts. Even though your colleague has roles at Subscription A, such as Log Analytics Contributor and Log Analytics Reader, these roles do not automatically grant full access to all associated Azure Monitor components (such as linked alerts).

    To fix the issue, you can assign the Monitoring Reader role at the subscription level in both Subscription A and Subscription B. This role is specifically designed for viewing Azure Monitor data, including cross-linked resources like alerts.


    Reference: Monitoring Reader
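
Added example, not part of the original question or answer: Azure RBAC assignments apply to the assigned scope and everything beneath it, so the script below checks which assignment scopes reach the scope named in the error and prints (dry run) the `az` commands for the subscription-level Monitoring Reader fix plus a command to verify it. The subscription IDs, resource group, workspace name and assignee are placeholders, and treating `SubB/RG/alerts` as the resource group in Subscription B is an assumption.

```shell
#!/bin/sh
# Added example. All IDs and names below are placeholders, not values from the post.
SUB_A="00000000-0000-0000-0000-00000000000a"   # subscription holding the alert rule
SUB_B="00000000-0000-0000-0000-00000000000b"   # subscription holding the workspace
ASSIGNEE="colleague@example.com"
LAW_SCOPE="/subscriptions/$SUB_B/resourceGroups/RG/providers/Microsoft.OperationalInsights/workspaces/law"
# Assumption: "SubB/RG/alerts" in the error refers to this resource-group scope.
ALERT_SCOPE="/subscriptions/$SUB_B/resourceGroups/RG"

sub_scope() { printf '/subscriptions/%s' "$1"; }

# Succeeds if an assignment at scope $1 applies to a request at scope $2.
# Comparison is case-insensitive and aligned on path segments.
scope_covers() (
  a=$(printf '%s' "${1%/}" | tr '[:upper:]' '[:lower:]')
  t=$(printf '%s' "${2%/}" | tr '[:upper:]' '[:lower:]')
  case "$t" in "$a"|"$a"/*) exit 0 ;; *) exit 1 ;; esac
)

# The fix from the answer: Monitoring Reader at subscription level in both subscriptions.
fix_commands() {
  for sub in "$SUB_A" "$SUB_B"; do
    printf 'az role assignment create --assignee %s --role "Monitoring Reader" --scope %s\n' \
      "$ASSIGNEE" "$(sub_scope "$sub")"
  done
}

# Lists what the assignee holds at the alert scope, inherited assignments included.
verify_command() {
  printf 'az role assignment list --assignee %s --scope %s --include-inherited -o table\n' \
    "$ASSIGNEE" "$ALERT_SCOPE"
}

main() {
  for s in "$LAW_SCOPE" "$(sub_scope "$SUB_A")" "$(sub_scope "$SUB_B")"; do
    if scope_covers "$s" "$ALERT_SCOPE"; then
      echo "reaches alert scope:        $s"
    else
      echo "does NOT reach alert scope: $s"
    fi
  done
  fix_commands      # printed only; review, then run the lines to apply
  verify_command
}
main
```

Nothing is changed in Azure when the script runs; it only prints the commands so they can be reviewed and scoped down if subscription-wide read access is broader than needed.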