AZURE
SubscriptionNotFound - Subscription Not Found: Invalid GUID or Access Denied
ARM can't find the subscription—either the GUID format is wrong, the subscription was cancelled/deleted, or you lack Reader role (ARM returns 404 instead of 403 to avoid revealing subscription existence). This 404 client-side error means ARM validated the GUID format, then either couldn't locate it or determined you don't have access. Subscriptions enter "Cancelled" state due to payment failures or expired trials, then get permanently deleted after a grace period. Cross-tenant access requires explicit B2B configuration. Affects all operations: VMs, AKS clusters, Azure SQL, App Service.
#Common Causes
- →Invalid Subscription GUID: The subscription ID doesn't match the UUID pattern (36 characters with hyphens: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Common mistakes include missing segments, wrong length, or typos in the GUID.
- →Cancelled or Deleted Subscription: Subscriptions enter "Cancelled" state due to payment failure, expired trial, or manual deletion. Cancelled subscriptions have a grace period before permanent deletion, but the duration varies. During this period, the subscription exists but isn't accessible.
- →Missing Reader Role: Your authenticated principal (user, service principal, or managed identity) doesn't have Reader role (or any role) assigned at the subscription scope. ARM returns 404 instead of 403, so you can't distinguish between "subscription doesn't exist" and "you don't have access".
- →Cross-Tenant Access: The subscription belongs to a different Azure AD tenant, and you haven't been granted access. Simply authenticating with a token from another tenant doesn't grant access—you must be explicitly invited or have B2B configured.
✓Solutions
- 1Step 1: Diagnose - Verify subscription GUID format matches UUID pattern: az account show --subscription <sub-id> --query "{state:state, id:id, tenantId:tenantId}" --output table
- 2Step 2: Diagnose - Check subscription state: az account show --subscription <sub-id> --query "{state:state, name:name}" --output table
- 3Step 3: Diagnose - Check your role assignments at subscription scope: az role assignment list --assignee <your-principal-id> --scope /subscriptions/<sub-id> --query "[].roleDefinitionName" --output table
- 4Step 4: Diagnose - Verify tenant context: az account show --query "{tenantId:tenantId, subscriptionId:id}" --output table
- 5Step 5: Fix - If subscription GUID is invalid, use the correct format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (36 characters with hyphens).
- 6Step 6: Fix - If subscription is cancelled, reactivate it (if possible) or use a different subscription.
- 7Step 7: Fix - Grant Reader role at subscription scope: az role assignment create --assignee <your-principal-id> --role Reader --scope /subscriptions/<sub-id>
- 8Step 8: Verify - Wait 5-10 minutes for role propagation, then retry: az account show --subscription <sub-id> --output table
</>Code Examples
Subscription Access Diagnosis
1# This script helps diagnose SubscriptionNotFound errors
2
3# Step 1: Get current subscription context
4echo "Checking current subscription..."
5az account show --query "{subscriptionId:id, name:name, tenantId:tenantId, state:state}" --output table
6
7# Step 2: Example subscription ID (replace with your actual subscription ID)
8SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
9echo "Checking subscription: $SUBSCRIPTION_ID"
10
11# Step 3: Verify subscription GUID format (should be 36 characters with hyphens)
12if [[ ! $SUBSCRIPTION_ID =~ ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ ]]; then
13 echo "ERROR: Invalid subscription GUID format"
14 echo "Expected format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
15 exit 1
16fi
17echo "Subscription GUID format is valid"
18
19# Step 4: Try to show subscription details
20if az account show --subscription $SUBSCRIPTION_ID --query "{state:state, name:name, id:id}" --output table 2>&1; then
21 echo "Subscription found and accessible"
22else
23 echo "Subscription not found or not accessible. Continuing diagnosis..."
24fi
25
26# Step 5: Check subscription state
27SUBSCRIPTION_STATE=$(az account show --subscription $SUBSCRIPTION_ID --query state -o tsv 2>/dev/null)
28if [ ! -z "$SUBSCRIPTION_STATE" ]; then
29 echo "Subscription state: $SUBSCRIPTION_STATE"
30 if [ "$SUBSCRIPTION_STATE" == "Cancelled" ] || [ "$SUBSCRIPTION_STATE" == "Deleted" ]; then
31 echo "WARNING: Subscription is cancelled or deleted"
32 fi
33fi
34
35# Step 6: Get your principal ID
36CURRENT_USER=$(az account show --query user.name -o tsv)
37echo "Current user: $CURRENT_USER"
38
39# Step 7: Check role assignments at subscription scope
40echo "Checking role assignments at subscription scope..."
41az role assignment list \
42 --assignee $CURRENT_USER \
43 --scope /subscriptions/$SUBSCRIPTION_ID \
44 --query "[].{role:roleDefinitionName, scope:scope}" \
45 --output table
46
47# Step 8: List all accessible subscriptions
48echo "Listing all accessible subscriptions..."
49az account list --query "[].{subscriptionId:id, name:name, state:state}" --output table
50
51# Step 9: Check tenant context
52echo "Checking tenant context..."
53CURRENT_TENANT=$(az account show --query tenantId -o tsv)
54SUBSCRIPTION_TENANT=$(az account show --subscription $SUBSCRIPTION_ID --query tenantId -o tsv 2>/dev/null)
55if [ ! -z "$SUBSCRIPTION_TENANT" ]; then
56 echo "Current tenant: $CURRENT_TENANT"
57 echo "Subscription tenant: $SUBSCRIPTION_TENANT"
58 if [ "$CURRENT_TENANT" != "$SUBSCRIPTION_TENANT" ]; then
59 echo "WARNING: Tenant mismatch - cross-tenant access may be required"
60 fi
61fi↗Related Errors
Provider Information
This error code is specific to AZURE services. For more information, refer to the official AZURE documentation.