Azure Global Administrator - "Insufficient privileges to complete the operation"

Gary Lister 0 Reputation points
2024-12-02T22:33:25.49+00:00

I am a global administrator for my companies Azure account. I understood this to mean I have full permission to access resource, manage users etc.

When trying to make some IAM changes however I'm unable to see a list of users to assign roles to, not even my own account. (F12 tools show the request is 403). Going to the Entra ID module in Azure portal and it turns out I can't see or do anything in there, i receive "Insufficient privileges to complete the operation." or "Unable to complete due to service connection error. Please try again later." errors.

It seems my account is bugged or is there something with Azure roles that I'm missing?

We don't have a support package so can't access Azure support

Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes

1 answer

Sort by: Most helpful
  1. Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator
    2024-12-04T12:49:26.3066667+00:00

    @Gary Lister

    Thank you for posting this in Microsoft Q&A.

    As I understand you have Global admin role assigned for your account for your tenant and you are unable to access anything in Azure.

    When you try to access IAM you are getting permission error.

    If you have a Global admin role assigned, this means you are complete admin in Entra ID within Azure. Entra ID is a directory within Azure. With Global admin permissions you can perform anything within the directory like, created users, deleting users, password resets, registering applications etc.

    With Global admin role assigned you cannot perform anything within Azure other than within Entra ID.

    If you want to perform anything with respect to subscription or resources in Azure then you need to have an IAM role assigned. Example roles, Owner, contributor, User access administrator etc.

    You can go through below article to get more information on in-built role in Azure IAM,

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

    There are multiple roles within Azure with permission defined that will allow you to perform different actions on multiple other resources.

    As explained earlier, Azure roles are completely different from Entra ID roles. Global admin is a role which is part of Entra ID.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.