
[WebToolsE2E] Can't delete resource group using command "az group delete --name <your-resource-group-name>" #28931

@Susie-1989

Description

INSTALL STEPS

  1. Clean machine: Win11 x64 23h2 ENU
  2. Install az from https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli#install-or-update

REPRO STEPS

  1. Open command prompt window as admin
  2. Run "az login"
  3. Run "az group delete --name rg-susie101" to delete existing resource groups

Related command

az group delete --name rg-susie101

ACTUAL: It shows "don't have authorization to delete resource group".

(AuthorizationFailed) The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.

Issue script & Debug output

cli.knack.cli: Command arguments: ['group', 'delete', '--name', 'rg-susie101', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000275CB47B880>, <function OutputProducer.on_global_arguments at 0x00000275CB606020>, <function CLIQuery.on_global_arguments at 0x00000275CB633BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'group': ['azure.cli.command_modules.resource']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: resource                  0.207        51       228
cli.azure.cli.core: Total (1)                 0.207        51       228
cli.azure.cli.core: Loaded 51 groups, 228 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : group delete
cli.azure.cli.core: Command table: group delete
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000275CE4D2020>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\v-yuwzh\.azure\commands\2024-05-10.08-19-15.group_delete.3648.log'.
az_command_data_logger: command args: group delete --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000275CE516480>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000275CE5504A0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000275CE5505E0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000275CB6060C0>, <function CLIQuery.handle_query_parameter at 0x00000275CB633C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000275CE550540>]
Are you sure you want to perform this operation? (y/n): y
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\v-yuwzh\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\v-yuwzh\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: a2c1233d-619f-4564-9e88-b144821d9924
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101?api-version=2022-09-01'
cli.azure.cli.core.sdk.policies: Request method: 'DELETE'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': 'fd564342-0ea5-11ef-a425-002248b853cb'
cli.azure.cli.core.sdk.policies:     'CommandName': 'group delete'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--name --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.60.0 (MSI) azsdk-python-core/1.28.0 Python/3.11.8 (Windows-10-10.0.22631-SP0)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "DELETE /subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101?api-version=2022-09-01 HTTP/1.1" 403 427
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '427'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-failure-cause': 'gateway'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTUS2:20240510T081924Z:af00dcf4-9a14-4e80-bbac-2515b908f471'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: 8CA43F9C40734392B7FBD83A9FFBE997 Ref B: CO6AA3150219053 Ref C: 2024-05-10T08:19:24Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Fri, 10 May 2024 08:19:23 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/resource/resources/v2022_09_01/operations/_operations.py", line 11598, in begin_delete
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/resource/resources/v2022_09_01/operations/_operations.py", line 11553, in _delete_initial
azure.core.exceptions.HttpResponseError: (AuthorizationFailed) The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.

cli.azure.cli.core.azclierror: (AuthorizationFailed) The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
az_command_data_logger: (AuthorizationFailed) The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client 'v-yuwzh@microsoft.com' with object id 'd223ef9e-8a79-41cb-9eba-88aea20e8fc8' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/11c6037b-227b-4d63-bee1-18c7b68c3a40/resourcegroups/rg-susie101' or the scope is invalid. If access was recently granted, please refresh your credentials.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000275CE4D22A0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 9.543 seconds (init: 0.547, invoke: 8.997)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4467 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\v-yuwzh\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

EXPECTED: Can delete the resource group "rg-susie101"

Environment Summary

C:\Windows\System32>az --version
azure-cli                         2.60.0

core                              2.60.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\v-yuwzh\.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb  6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

C:\Windows\System32>

Additional context

  1. This issue occurs when doing the scenarios in the "Deploy a .NET Aspire app to Azure Container Apps" document.

  2. Can delete the resource group by selecting "Delete resource group" in the page.
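Added example, not part of the issue report or of Azure CLI: a small Python triage helper that pulls the denied principal, action, scope and correlation ID out of `az ... --debug` output like the log above, then lists the scopes in the ARM ID at which a role assignment would cover the request. The function names are hypothetical and the sample log is constructed with placeholder GUIDs, user and group name.

```python
import json
import re

# Constructed sample in the shape of the `az ... --debug` lines in the issue;
# every GUID, the user name and the resource group name are placeholders.
SAMPLE_DEBUG_LOG = """\
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000001/resourcegroups/rg-example?api-version=2022-09-01'
cli.azure.cli.core.sdk.policies: Response status: 403
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': '00000000-0000-0000-0000-0000000000aa'
cli.azure.cli.core.sdk.policies: {"error":{"code":"AuthorizationFailed","message":"The client 'user@example.com' with object id '00000000-0000-0000-0000-000000000002' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/delete' over scope '/subscriptions/00000000-0000-0000-0000-000000000001/resourcegroups/rg-example' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
"""

PREFIX = "cli.azure.cli.core.sdk.policies: "
MESSAGE_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)

def parse_authorization_failure(debug_log):
    """Return the fields of the first AuthorizationFailed response in the log, or None."""
    result = {}
    for line in debug_log.splitlines():
        if not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):].strip()
        if body.startswith("Request URL:"):
            result = {}  # new request: forget headers of earlier responses
        elif body.startswith("Response status:"):
            result["status"] = int(body.split(":", 1)[1])
        elif body.startswith("'x-ms-correlation-request-id':"):
            result["correlation_id"] = body.split(":", 1)[1].strip().strip("'")
        elif body.startswith("{"):
            try:
                error = json.loads(body).get("error", {})
            except ValueError:
                continue  # not a JSON response body
            match = MESSAGE_RE.search(error.get("message", ""))
            if error.get("code") == "AuthorizationFailed" and match:
                result.update(match.groupdict())
                return result
    return None

def assignment_scopes(scope):
    """For a resource-group scope, list the scopes in its ID where a role assignment applies."""
    # Management groups above the subscription also inherit down but are not in the ID.
    parts = scope.strip("/").split("/")
    if len(parts) != 4 or parts[0].lower() != "subscriptions" or parts[2].lower() != "resourcegroups":
        raise ValueError("expected /subscriptions/<id>/resourcegroups/<name>")
    return [scope, "/" + "/".join(parts[:2])]
```

The extracted object ID and scopes are the inputs to a role-assignment review for the signed-in principal; the correlation ID is the value to quote when matching the denial against the Azure activity log.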

Labels

  ARM: az resource/group/lock/tag/deployment/policy/managementapp/account management-group
  Account: az login/account
  Auto-Assign: Auto assign by bot
  Auto-Resolve: Auto resolve by bot
  Azure CLI Team: The command of the issue is owned by Azure CLI team
  Similar-Issue
  act-identity-squad
  question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
