I was trying to create a new resource group on Azure using a shell script. An app registration was created, followed by assigning the 'Contributor' role to the Service Principal. However, the az group create command repeatedly returned 403 Client errors.
Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://management.azure.com/subscriptions/<subscription id>/resourcegroups/rg-internal?api-version=2018-05-01
We suspected Service Principal permission issues and even elevated it to Owner, but that didn't help. Next, I tried using my personal account with Contributor permissions to create the resource group, but even that failed. That's when I suspected something was amiss and tried creating the resource group from the Azure Portal. It revealed the actual reason -
Once I added the relevant tags, the errors vanished and the resource group was instantly created.
Moral: If commands don't work, wherever possible try the operation from the Azure Portal.