Forum Discussion

Mina-Thabet
Oct 12, 2025

Azure Local

I am trying to install Azure Local on a nested Hyper-V VM as a test environment (1 DC, 1 HCI VM), and unfortunately I am stuck with an error:

 "Type 'ValidateArcIntegration' of Role 'EnvironmentValidator' raised an exception: { "ExceptionType": "text", "ErrorMessage": "The provided account MSI@50342 does not have access to subscription ID \"7187cfd2-689c-4918-b43b-6e767d2bc1eb\". Please try logging in with different credentials or a different subscription ID. If a subscription is not specified, please check the configs by `Get-AzConfig`"

 

 

2 Replies

  • Please make sure all resource providers are enabled on the subscription:

    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridCompute"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.GuestConfiguration"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridConnectivity"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.AzureStackHCI"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Kubernetes"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.KubernetesConfiguration"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.ExtendedLocation"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.ResourceConnector"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridContainerService"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Attestation"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Storage"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Insights"


    On subscription:

    Assign the following role permissions to the user who deploys the instance:

    • Reader
    • Azure Stack HCI Administrator


    On resource group:

    As you register machines as Arc resources, make sure that you're either the resource group owner or have the following permissions on the resource group where the machines are provisioned:

    • Azure Connected Machine Onboarding.
    • Azure Connected Machine Resource Administrator.
    • Key Vault Data Access Administrator: This permission is required to manage data plane permissions to the key vault used for deployment.
    • Key Vault Secrets Officer: This permission is required to read and write secrets in the key vault used for deployment.
    • Key Vault Contributor: This permission is required to create the key vault used for deployment.
    • Storage Account Contributor: This permission is required to create the storage account used for deployment.


    Your user should also have the "Cloud Application Administrator" role in Entra ID.

  • Try this:

    1. Verify Subscription Access

    Make sure the MSI or the account you're using has Contributor or Owner access to the subscription:

    • Go to Azure Portal
    • Navigate to Subscriptions
    • Select the subscription ID
    • Under Access Control (IAM), check if the MSI or user account is listed with proper permissions

    2. Use Correct Credentials

    If you're using a service principal or MSI:

    • Try logging in with a user account that has access
    • Run Connect-AzAccount and ensure you're authenticated to the correct subscription

    3. Check Active Subscription

    Run this in PowerShell to confirm your active subscription:

    Get-AzContext

    If it's not the correct one, switch using:

    Set-AzContext -SubscriptionId "7187cfd2-689c-4918-b43b-6e767d2bc1eb"

    4. Inspect Configuration

    Run:

    Get-AzConfig

    This will show if your environment is pointing to the correct subscription and tenant.

    5. Retry Validation

    Once access is confirmed, go back to the Azure Local deployment wizard and retry the validation step.
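
A read-only pre-flight check that combines the points from both replies (active subscription, provider registration, role assignments at each scope), added here as an example and not posted by either participant. It assumes the Az PowerShell module and an existing `Connect-AzAccount` session; the three parameters are placeholders you supply, and the Entra ID "Cloud Application Administrator" role is not checked.

```powershell
# Added example (not from the thread). All three parameters are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,     # subscription targeted by the deployment
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # resource group for the Arc machines
    [Parameter(Mandatory)] [string] $PrincipalObjectId   # Entra object ID of the deploying account
)

# Lists copied from the first reply.
$providers = 'Microsoft.HybridCompute', 'Microsoft.GuestConfiguration', 'Microsoft.HybridConnectivity',
    'Microsoft.AzureStackHCI', 'Microsoft.Kubernetes', 'Microsoft.KubernetesConfiguration',
    'Microsoft.ExtendedLocation', 'Microsoft.ResourceConnector', 'Microsoft.HybridContainerService',
    'Microsoft.Attestation', 'Microsoft.Storage', 'Microsoft.Insights'
$subRoles = 'Reader', 'Azure Stack HCI Administrator'
$rgRoles  = 'Azure Connected Machine Onboarding', 'Azure Connected Machine Resource Administrator',
    'Key Vault Data Access Administrator', 'Key Vault Secrets Officer',
    'Key Vault Contributor', 'Storage Account Contributor'

# Stop early if the session points at another subscription: every check below uses the active context.
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }
if ($ctx.Subscription.Id -ne $SubscriptionId) {
    throw "Active subscription is '$($ctx.Subscription.Id)', expected '$SubscriptionId'. Use Set-AzContext."
}

# Resource providers that are not in the Registered state.
$unregistered = foreach ($ns in $providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') { "$ns ($state)" }
}

# Role names effective at a scope: assigned there or inherited from above, not on child resources.
# Roles held only through group membership are not expanded here.
function Get-EffectiveRoleName([string] $Scope) {
    Get-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $Scope |
        Where-Object { $_.Scope -notlike "$Scope/*" } |
        Select-Object -ExpandProperty RoleDefinitionName
}
$subScope = "/subscriptions/$SubscriptionId"
$atSub = @(Get-EffectiveRoleName $subScope)
$atRg  = @(Get-EffectiveRoleName "$subScope/resourceGroups/$ResourceGroupName")

# The reply accepts resource group Owner in place of the individual resource group roles.
$missingRg = if ('Owner' -in $atRg) { @() } else { $rgRoles | Where-Object { $_ -notin $atRg } }

[pscustomobject]@{
    UnregisteredProviders     = @($unregistered)
    MissingSubscriptionRoles  = @($subRoles | Where-Object { $_ -notin $atSub })
    MissingResourceGroupRoles = @($missingRg)
}
```

Three empty lists in the output mean the provider and RBAC prerequisites named in the thread are in place for that principal; anything listed is what to register or assign before retrying validation.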
