
Azure Write Permissions: Troubleshooting Errors

This guide helps you resolve common issues when configuring or using Spotto Azure write permissions.

Troubleshooting

Validation Failed

What you're seeing: Spotto shows a validation failure when configuring write permissions.

Likely causes:

  • Application ID / Tenant ID / Secret value is incorrect.
  • The client secret has expired.
  • Roles are missing or assigned at the wrong scope.
  • Azure role assignment propagation delay.

How to fix:

  1. Re-check the Application ID, Tenant ID, and secret value (not secret ID).
  2. Confirm the custom role is assigned at the subscription scope to the correct service principal.
  3. Wait 5–10 minutes and validate again.

Check Credentials

  • Verify the Application ID, Client Secret, and Tenant ID are correct
  • Ensure the client secret hasn't expired
  • Confirm you copied the entire client secret value (including any trailing characters)

Verify Role Assignments

  • Check that the custom role is assigned at the subscription level
  • Ensure the role is assigned to the correct service principal
  • Verify the custom role includes all required permissions for the features you enabled
  • See Custom Roles for the required permissions

Wait for Propagation

  • Azure can take a few minutes to propagate role assignments
  • Wait 5-10 minutes after assigning roles before validating in Spotto
  • Try the validation again after waiting

Check Service Principal Status

  • Go to Entra ID > App registrations in Azure Portal
  • Find your Spotto write access app
  • Ensure it's not disabled or deleted

Permission Denied

What you're seeing: Spotto reports permission errors when attempting write actions.

Likely causes:

  • The service principal is missing required RBAC actions for the enabled feature(s).
  • Roles are assigned on the wrong subscription/scope.
  • Azure role propagation delay.

How to fix:

  1. Compare your custom role actions to the required permissions for the feature.
  2. Verify role assignments on the correct subscription scope.
  3. Wait 5–10 minutes after role changes and try again.

Verify Custom Role Permissions

Check Subscription Assignment

  • Verify roles are assigned to the correct Azure subscription
  • If you have multiple subscriptions, ensure all relevant subscriptions have the role assigned
  • Check Access Control (IAM) for each subscription

Review Service Principal Status

  • Ensure the service principal is enabled
  • Verify the service principal exists in Azure Portal

Check Azure Activity Log

  • Go to Subscriptions > Activity Log in Azure Portal
  • Filter by Caller and select your Spotto write access service principal
  • Look for specific error messages that can help identify the issue

Missing Permissions

Review Required Permissions

Verify Role Assignment Location

  • Ensure roles are assigned at the subscription level, not resource group level
  • Navigate to Subscriptions > Access Control (IAM) to verify

Check Custom Role Actions

  • If using custom roles, verify all required actions are included
  • Compare your custom role with the template provided in Spotto Portal
  • See Custom Roles for detailed action lists
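
The two checks above (assignment location and custom role actions) can be scripted against JSON exported with `az role definition list --name "<role name>"` and `az role assignment list --assignee <application-id> --all`. The following is an added example, not Spotto's own tooling; the role name, subscription ID and action lists are constructed placeholders, so take the real required actions from Custom Roles.

```python
import fnmatch

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' is the wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(role_definition, required):
    """Required actions the role does not effectively grant (Actions minus NotActions)."""
    missing = []
    for action in required:
        granted = False
        for perm in role_definition.get("permissions", []):
            allowed = any(_matches(p, action) for p in perm.get("actions", []))
            excluded = any(_matches(p, action) for p in perm.get("notActions", []))
            granted = granted or (allowed and not excluded)
        if not granted:
            missing.append(action)
    return missing

def scope_level(scope):
    """Classify an assignment scope string by its depth in the resource hierarchy."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[0] == "subscriptions" and parts[2] == "resourcegroups":
        return "resource group"
    if len(parts) > 4 and parts[0] == "subscriptions":
        return "resource"
    return "other"  # management group or root scope

def below_subscription(assignments, role_name):
    """Scopes where role_name is assigned narrower than the subscription."""
    return [a["scope"] for a in assignments
            if a["roleDefinitionName"] == role_name
            and scope_level(a["scope"]) in ("resource group", "resource")]

# Constructed sample data: role name, subscription ID and action lists are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE = {"roleName": "example-spotto-write", "permissions": [{
    "actions": ["Microsoft.Advisor/recommendations/*", "Microsoft.Storage/storageAccounts/read"],
    "notActions": ["Microsoft.Advisor/recommendations/suppressions/delete"]}]}
REQUIRED = ["Microsoft.Advisor/recommendations/suppressions/write",
            "Microsoft.Advisor/recommendations/suppressions/delete",
            "Microsoft.Storage/storageAccounts/inventoryPolicies/write"]
ASSIGNMENTS = [{"roleDefinitionName": "example-spotto-write",
                "scope": SUB + "/resourceGroups/rg-example"}]

if __name__ == "__main__":
    print("missing actions:", missing_actions(ROLE, REQUIRED))
    print("assigned below subscription:", below_subscription(ASSIGNMENTS, ROLE["roleName"]))
```

A role that passes this comparison can still be blocked by an Azure Policy deny effect, which role definitions do not show.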

Check Azure Policies

  • Ensure no Azure Policies are blocking the actions
  • Review policies at subscription and management group levels
  • Look for deny policies that might override role assignments

Client Secret Expired

What you're seeing: Validation or actions fail with expired credential errors.

Likely causes: The client secret expired or the old secret was rotated without updating Spotto.

How to fix:

  1. Create a new client secret in Entra ID and copy the value immediately.
  2. Update the credential in Spotto and re-run validation.
  3. Delete the old secret after confirming the new one works.

Update Client Secret

  1. Go to Entra ID > App registrations in Azure Portal
  2. Select your Spotto write access app
  3. Go to Certificates & secrets
  4. Create a new client secret
  5. Copy the new secret value
  6. Update credentials in Spotto Portal
  7. Click Validate Credentials
  8. Delete the old expired secret in Azure

Set Expiry Reminders

  • Set calendar reminders before secrets expire
  • Configure Azure alerts for expiring secrets
  • Use shorter expiry periods (e.g., 12 months) to ensure regular rotation
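
A scheduled check can stand in for the calendar reminder. This added example (not part of Spotto or the original guide) classifies the secrets returned by `az ad app credential list --id <application-id>` and maps the result to the rotation steps above; the key IDs and dates are constructed, and timestamps are assumed to be UTC.

```python
from datetime import datetime, timezone

def _parse_utc(value):
    # Assumption: UTC ISO 8601 timestamps, optionally with fractional seconds and 'Z'.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def classify_secrets(credentials, now, warn_days=30):
    """Return (keyId, status, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in credentials:
        remaining = _parse_utc(cred["endDateTime"]) - now
        if remaining.total_seconds() <= 0:
            status = "expired"
        elif remaining.days < warn_days:
            status = "expiring"
        else:
            status = "ok"
        rows.append((cred["keyId"], status, remaining.days))
    return sorted(rows, key=lambda row: row[2])

def rotation_actions(rows):
    """Map the classification onto the rotation steps: create first, delete last."""
    actions = []
    if not any(status == "ok" for _, status, _ in rows):
        actions.append("create a new client secret and update it in Spotto")
    for key_id, status, _ in rows:
        if status == "expired":
            actions.append("delete expired secret " + key_id)
    return actions

# Constructed sample shaped like the CLI's JSON output (key IDs are placeholders).
SAMPLE = [
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "endDateTime": "2025-05-01T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "endDateTime": "2025-06-20T00:00:00Z"},
    {"keyId": "aaaaaaaa-0000-0000-0000-000000000003",
     "endDateTime": "2026-06-01T00:00:00.0000000Z"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible

if __name__ == "__main__":
    rows = classify_secrets(SAMPLE, NOW)
    for key_id, status, days in rows:
        print(f"{key_id}  {status:9}  {days:>5} days")
    for step in rotation_actions(rows):
        print("todo:", step)
```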

Actions Not Taking Effect

Verify Permissions Are Enabled

  • Ensure you've enabled the specific permission in Spotto Portal
  • Check the toggles for each write permission type
  • Save the configuration after enabling permissions

Check Configuration

  • Verify you're using the correct credentials (same vs. separate)
  • If using separate credentials, ensure they're configured correctly
  • Review your configuration setup

Review Write Access Toggle

  • Ensure the main "Enable write permissions" toggle is turned on
  • Check that credentials are validated successfully

Test Individual Actions

  • Try dismissing a single recommendation in Spotto
  • Run Test Connection for inventory analysis on a single storage account
  • Check Azure Portal to verify the action took effect

Unable to Assign Roles

Check Your Azure Permissions

  • You need Owner or User Access Administrator role on the subscription
  • Verify your own role assignments in Subscriptions > Access Control (IAM)

Check for Azure Policies

  • Some organizations have policies that restrict role assignments
  • Contact your Azure administrator if you can't assign roles

Verify Service Principal Exists

  • Ensure the service principal was created successfully
  • Check Entra ID > App registrations to confirm

Need More Help?

If you're still experiencing issues:

  1. Check Azure Activity Logs for detailed error messages
  2. Review all configuration steps in the Configuration guide
  3. Verify security settings in Security Best Practices
  4. Contact Support - Contact Us with:
    • Error messages from Spotto Portal
    • Azure Activity Log entries showing the issue
    • Screenshots of role assignments
    • Subscription ID and service principal Application ID

For further assistance, please Contact Us.