Azure network peering when not authorized to access linked subscription

I got stacked for several hours on the case with network peering across different subscriptions with different tenants. Related documentation. This scenario is usually when you do network peering with customer's Azure tenant or between Azure tenants with different owners. My case was easy since it was between Azures both managed by me, but still, there was a weird error. Luckily it got resolved by the way which you want to try too.

Azure Portal WebUI error message
Error: The client has permission to perform action 'Microsoft.Network/virtualNetworks/peer/action' on scope '<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/virtualNetworkPeerings/<peeringName>', however the current tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'.

That sounds like you are missing some access rights. I tried despite I was subscription owner in IAM configuration to add a minimal needed role "Network Contributor".

az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

and also the same right for the other side

az role assignment create --assignee name.surmame@company.com --role "Network Contributor" --scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

It should be now working, but it wasn't. The portal's authorize button in peering configuration opened a window where is usually a login page, but it stayed forever on redirection. URL was https://rc.portal.azure.com/tokenauthorize#access_token=XXX. Using different web browser was not enough to resolve.

What next? Let's try to use Azure CLI via Cloud shell console.

az network vnet peering create --name vnetPeeringName --resource-group rgName --vnet-name vnetName --remote-vnet-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet> --allow-vnet-access

But an error out of this was the opposite subscription not found. So what next? WebUI is not working, the Azure command line is not working in this scenario? What's left? Yes, it's Powershell!

1) + 7)
Connect-AzAccount
Set-AzContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -TenantId zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

2)
New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>

8)
$vNetA=Get-AzVirtualNetwork -Name vnetName -ResourceGroupName rgName
Add-AzVirtualNetworkPeering -Name vnetPeeringName -VirtualNetwork $vNetA -RemoteVirtualNetworkId "/subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>"

3) + 9)
Disconnect-AzAccount

4) + 10)
Connect-AzAccount
Set-AzContext -SubscriptionId yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy -TenantId qqqqqqqq-qqqq-qqqq-qqqq-qqqqqqqqqqqq

5)
New-AzRoleAssignment -SignInName name.surmame@company.com -RoleDefinitionName "Network Contributor" -Scope /subscriptions/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/resourceGroups/<rg2>/providers/Microsoft.Network/virtualNetworks/<vnet2>

6)
Disconnect-AzAccount

11)
$vNetB=Get-AzVirtualNetwork -Name vnetName2 -ResourceGroupName rgName2
Add-AzVirtualNetworkPeering -Name vnetPeeringName2 -VirtualNetwork $vNetB -RemoteVirtualNetworkId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>"

12)
Disconnect-AzAccount

Network peering is enstablished after this procedure and thing which I don't understand is why it works only in PowerShell console and not in both other options. Well, at least it's working now.