Missing resources, wrong scope, lifecycle drift, and state mismatches.
Last reviewed: February 13, 2026|52 mapped errors|Page 2 of 4
Resource-state errors appear when identifiers, region or account scope, lifecycle state, or consistency timing do not match request assumptions.
Provider-specific error pages mapped to this category (52 total). Showing 16-30.
Microsoft Entra or Microsoft Graph returns group-not-found responses when the target group object cannot be resolved in the current tenant directory.
Microsoft Entra or Microsoft Graph returns `AADServicePrincipalNotFound` when the requested service principal object cannot be resolved in the active tenant.
Microsoft Entra ID returns `AADSTS700016` when the client application identifier cannot be found in the target tenant directory.
Microsoft Entra or Microsoft Graph returns user-not-found responses when the referenced user object cannot be resolved in the active tenant.
Azure Resource Manager returns `AuthorizationFailed` when the authenticated principal lacks permission for the requested action at the target scope.
Azure Blob service returns `BlobNotFound` (404) when the specified blob path does not exist in the addressed container.
Azure Storage returns `ConditionNotMet` when conditional headers fail; writes typically return HTTP 412 Precondition Failed.
Azure Blob service returns `ContainerNotFound` (404) when the specified blob container does not exist.
ARM returns `InvalidResourceReference` when a referenced resource is missing or referenced with an incorrect identifier/path.
Azure Blob service returns `LeaseIdMissing` when an operation requiring an active lease ID is sent without that lease header.
ARM returns `ResourceGroupNotFound` when the target resource group does not exist in the active subscription context.
Azure returns `ResourceModified` when a conditional update targets a stale resource version that changed after it was read.
Azure Resource Manager returns `ResourceNotFound` when it cannot locate the requested resource in the active subscription and resource group context.
ARM returns `StorageAccountNotFound` when the referenced storage account name, resource group, or subscription context does not resolve.
Azure returns `Unauthorized` (401) when request authentication is missing, invalid, expired, or mismatched for the target endpoint.
Compare Guide
Use 403 for explicit access denial, or 404 to conceal resource existence when security policy requires reducing endpoint and object enumeration risk.
Compare Guide
Learn when to return 404 (missing or temporary absence) versus 410 (intentional permanent removal), including redirect and cache implications.
Playbook
Use this playbook to separate temporary missing-resource lookups from permanent removals, then fix scope, lifecycle, and identifier drift safely.
Temporary 404s often resolve after propagation or deployment completion, while permanent removals are typically explicit lifecycle events (for example 410 semantics).
Many control planes are eventually consistent. Read-after-write visibility can lag and briefly return not-found responses.
Confirm exact scope and identifier tuple: resource name, region, account/subscription/project, and parent container.