Azure Global Administrator - "Insufficient privileges to complete the operation"

Question

Azure Global Administrator - "Insufficient privileges to complete the operation"

Gary Lister 0

I am a global administrator for my companies Azure account. I understood this to mean I have full permission to access resource, manage users etc.

When trying to make some IAM changes however I'm unable to see a list of users to assign roles to, not even my own account. (F12 tools show the request is 403). Going to the Entra ID module in Azure portal and it turns out I can't see or do anything in there, i receive "Insufficient privileges to complete the operation." or "Unable to complete due to service connection error. Please try again later." errors.

It seems my account is bugged or is there something with Azure roles that I'm missing?

We don't have a support package so can't access Azure support

MichaelMaxey-2536 112 Reputation points

2024-12-02T22:36:45.32+00:00
Your issue, as a Global Administrator, encountering permission issues like being unable to assign roles or manage users in Azure, points to a potential misunderstanding of Azure permissions and roles, or a configuration issue in your Azure tenant. Let’s systematically analyze and address this issue.

Understanding Global Administrator Role in Azure

The Global Administrator role (managed through Microsoft Entra ID, formerly Azure AD) is the highest privilege role in the directory and allows:

Managing users, groups, and permissions within the Microsoft Entra ID module.

Configuring directory settings like Conditional Access, MFA, and organizational policies.

Assigning other administrators (e.g., Billing Administrator, Application Administrator).

Limitations of Global Administrator:
- While it is the most powerful directory role, it **does not inherently grant permissions over Azure resources** like subscriptions, resource groups, or individual resources. These permissions are controlled separately via **Azure Role-Based Access Control (RBAC)**.

Possible Causes of Your Issue

Directory Role Issue (Global Administrator Status)

Your Global Administrator privileges may not have been applied correctly to your account, or you’re operating in a tenant where you are not a Global Administrator.

Azure RBAC Issue

- Azure RBAC roles (e.g., **Owner**, **Contributor**) for the subscription may not have been granted to your account. This would restrict access to the **IAM blade** and role assignments for resources. **Multi-Tenant Scenario** - If your organization operates multiple Azure tenants, you might be signed in to a tenant where you don’t have sufficient privileges. **Conditional Access Policies** - There may be **Conditional Access policies** restricting access to specific Azure services or the Entra ID portal, causing the 403 error. **Technical Configuration Issue** - Service connection errors may result from: - Browser cache or session issues. - Network/firewall restrictions blocking portal requests. - A legitimate Azure service outage.

Steps to Troubleshoot and Resolve

Step 1: Verify Your Global Administrator Role

Go to the Microsoft Entra Admin Center (https://entra.microsoft.com):

Navigate to Roles and Administrators > Search for Global Administrator.

Check if your account is listed as a Global Administrator.

If your account is not listed:
- A valid Global Administrator in your directory must assign you this role. - If your account is listed: - The role is applied to the directory, but it does not affect Azure resource permissions. Proceed to the next steps.

Step 2: Check Azure RBAC Role Assignments

Your inability to see the IAM blade or assign roles suggests you may lack Owner or User Access Administrator permissions on the subscription. To verify:

Go to the Azure Portal (https://portal.azure.com).

Navigate to Subscriptions and select the affected subscription.

Under Access Control (IAM) > Role Assignments, check if your account has one of the following roles:

Owner: Full access to manage all resources, including assigning permissions.

User Access Administrator: Can assign roles to others but cannot modify resources.

If you cannot see these roles, ask another Owner of the subscription to grant you these permissions. Important: If you cannot identify another Owner and are blocked, this is likely a sign of an account mismatch (e.g., you're using a different tenant or subscription).

Step 3: Resolve Multi-Tenant or Account Issues

Confirm you’re working in the correct Azure directory/tenant:

In the Azure Portal, click your profile in the top-right corner.

Under Switch Directory, confirm you are in the correct tenant.

Ensure your account is associated with the intended directory.

Key Notes:

Global Administrator is tied to a specific directory. If you switch to another directory where you’re not a Global Administrator, your permissions will be limited.

To manage roles across tenants, you must explicitly assign yourself or others access via Azure RBAC.

Step 4: Check for Conditional Access Policies

Conditional Access policies might be preventing access to specific services or resources:

Ask another Global Administrator (if available) to check for Conditional Access policies:

Go to Microsoft Entra Admin Center > Conditional Access.

Look for policies that restrict access to the Entra ID portal or Azure Management.

If no other Global Administrator is available:
- Confirm your device/network complies with organizational policies, such as: - IP whitelisting. - Compliant device status (e.g., enrolled in Intune).

Step 5: Resolve Service Connection or Browser Issues

Clear Browser Cache and Cookies:

Use an incognito/private browsing window to access the Azure Portal.

Clear all cache and cookies to eliminate session-related errors.

Check for Network Issues:

Ensure no firewall or VPN is blocking access to Azure services.

Test access from a different network or device.

Check Azure Service Health:

Go to the Azure Status Page (https://status.azure.com) to confirm there are no outages affecting your region or services.

Step 6: Alternative Workarounds Without Support Package

Since you don’t have an Azure support package, you can still try the following:

Enable Self-Service Role Elevation:

If you have PIM (Privileged Identity Management) enabled:
- Elevate your account to higher directory roles temporarily. - This can be configured under **Azure AD Privileged Identity Management** > **Roles**. **Access Azure Community Support**: - Use the **Microsoft Q&A Platform** ([https://learn.microsoft.com/answers](https://learn.microsoft.com/answers)) or Azure Forums to describe your issue and get assistance from the community. **Contact Support for Free Subscription Management Issues**: - Azure provides free support for subscription and billing-related issues. Open a request for help with role configuration under the **Subscription Management** category in the Azure Portal.

Conclusion

This issue is likely due to a mismatch between your Global Administrator directory permissions and your Azure subscription permissions (RBAC roles). Follow the steps above to verify your role assignments, check subscription access, and resolve potential multi-tenant or service configuration issues. If you’re still blocked, escalate the issue through Azure’s community or subscription management channels.

Let me know if you’d like detailed guidance for any specific step!Your issue, as a Global Administrator, encountering permission issues like being unable to assign roles or manage users in Azure, points to a potential misunderstanding of Azure permissions and roles, or a configuration issue in your Azure tenant. Let’s systematically analyze and address this issue.

Understanding Global Administrator Role in Azure

The Global Administrator role (managed through Microsoft Entra ID, formerly Azure AD) is the highest privilege role in the directory and allows:

Managing users, groups, and permissions within the Microsoft Entra ID module.

Configuring directory settings like Conditional Access, MFA, and organizational policies.

Assigning other administrators (e.g., Billing Administrator, Application Administrator).

Limitations of Global Administrator:
- While it is the most powerful directory role, it **does not inherently grant permissions over Azure resources** like subscriptions, resource groups, or individual resources. These permissions are controlled separately via **Azure Role-Based Access Control (RBAC)**.

Possible Causes of Your Issue

Directory Role Issue (Global Administrator Status)

Your Global Administrator privileges may not have been applied correctly to your account, or you’re operating in a tenant where you are not a Global Administrator.

Azure RBAC Issue

- Azure RBAC roles (e.g., **Owner**, **Contributor**) for the subscription may not have been granted to your account. This would restrict access to the **IAM blade** and role assignments for resources. **Multi-Tenant Scenario** - If your organization operates multiple Azure tenants, you might be signed in to a tenant where you don’t have sufficient privileges. **Conditional Access Policies** - There may be **Conditional Access policies** restricting access to specific Azure services or the Entra ID portal, causing the 403 error. **Technical Configuration Issue** - Service connection errors may result from: - Browser cache or session issues. - Network/firewall restrictions blocking portal requests. - A legitimate Azure service outage.

Steps to Troubleshoot and Resolve

Step 1: Verify Your Global Administrator Role

Go to the Microsoft Entra Admin Center (https://entra.microsoft.com):

Navigate to Roles and Administrators > Search for Global Administrator.

Check if your account is listed as a Global Administrator.

If your account is not listed:
- A valid Global Administrator in your directory must assign you this role. - If your account is listed: - The role is applied to the directory, but it does not affect Azure resource permissions. Proceed to the next steps.

Step 2: Check Azure RBAC Role Assignments

Your inability to see the IAM blade or assign roles suggests you may lack Owner or User Access Administrator permissions on the subscription. To verify:

Go to the Azure Portal (https://portal.azure.com).

Navigate to Subscriptions and select the affected subscription.

Under Access Control (IAM) > Role Assignments, check if your account has one of the following roles:

Owner: Full access to manage all resources, including assigning permissions.

User Access Administrator: Can assign roles to others but cannot modify resources.

If you cannot see these roles, ask another Owner of the subscription to grant you these permissions. Important: If you cannot identify another Owner and are blocked, this is likely a sign of an account mismatch (e.g., you're using a different tenant or subscription).

Step 3: Resolve Multi-Tenant or Account Issues

Confirm you’re working in the correct Azure directory/tenant:

In the Azure Portal, click your profile in the top-right corner.

Under Switch Directory, confirm you are in the correct tenant.

Ensure your account is associated with the intended directory.

Key Notes:

Global Administrator is tied to a specific directory. If you switch to another directory where you’re not a Global Administrator, your permissions will be limited.

To manage roles across tenants, you must explicitly assign yourself or others access via Azure RBAC.

Step 4: Check for Conditional Access Policies

Conditional Access policies might be preventing access to specific services or resources:

Ask another Global Administrator (if available) to check for Conditional Access policies:

Go to Microsoft Entra Admin Center > Conditional Access.

Look for policies that restrict access to the Entra ID portal or Azure Management.

If no other Global Administrator is available:
- Confirm your device/network complies with organizational policies, such as: - IP whitelisting. - Compliant device status (e.g., enrolled in Intune).

Step 5: Resolve Service Connection or Browser Issues

Clear Browser Cache and Cookies:

Use an incognito/private browsing window to access the Azure Portal.

Clear all cache and cookies to eliminate session-related errors.

Check for Network Issues:

Ensure no firewall or VPN is blocking access to Azure services.

Test access from a different network or device.

Check Azure Service Health:

Go to the Azure Status Page (https://status.azure.com) to confirm there are no outages affecting your region or services.

Step 6: Alternative Workarounds Without Support Package

Since you don’t have an Azure support package, you can still try the following:

Enable Self-Service Role Elevation:

If you have PIM (Privileged Identity Management) enabled:
- Elevate your account to higher directory roles temporarily. - This can be configured under **Azure AD Privileged Identity Management** > **Roles**. **Access Azure Community Support**: - Use the **Microsoft Q&A Platform** ([https://learn.microsoft.com/answers](https://learn.microsoft.com/answers)) or Azure Forums to describe your issue and get assistance from the community. **Contact Support for Free Subscription Management Issues**: - Azure provides free support for subscription and billing-related issues. Open a request for help with role configuration under the **Subscription Management** category in the Azure Portal.

TL;DR

This issue is likely due to a mismatch between your Global Administrator directory permissions and your Azure subscription permissions (RBAC roles). Follow the steps above to verify your role assignments, check subscription access, and resolve potential multi-tenant or service configuration issues. If you’re still blocked, escalate the issue through Azure’s community or subscription management channels.

Let me know if you’d like detailed guidance for any specific step!
Gary Lister 0 Reputation points

2024-12-02T23:17:38.7633333+00:00

Thanks for your comprehensive response,

Step 1 I'm unable to do as I receive "Insufficient privileges to complete the operation." error, another global administrator has confirmed I'm listed as a global administrator, removing and re-adding the role has not fixed the issue.

Step 2 Checking the permissions on the subscription shows we're actually still using the old classic administrator roles rather than the new RBAC. I just tried to set myself as owner but received an error "The principal ID '...' is not valid. Principal ID must be a GUID."

Step 3 We do have 2 tenants, I've confirmed I'm on the correct one and have permissions assigned to me on the correct one.

Step 4 I'm waiting to hear back from a colleague

Step 5 I tried with an incog browser instance to no avail.
Gary Lister 0 Reputation points

2024-12-02T23:49:30.8933333+00:00

Duplicate

1 answer

Your answer

Gary Lister 0 Reputation points

2024-12-02T23:17:38.7633333+00:00

Thanks for your comprehensive response,

Step 1 I'm unable to do as I receive "Insufficient privileges to complete the operation." error, another global administrator has confirmed I'm listed as a global administrator, removing and re-adding the role has not fixed the issue.

Step 2 Checking the permissions on the subscription shows we're actually still using the old classic administrator roles rather than the new RBAC. I just tried to set myself as owner but received an error "The principal ID '...' is not valid. Principal ID must be a GUID."

Step 3 We do have 2 tenants, I've confirmed I'm on the correct one and have permissions assigned to me on the correct one.

Step 4 I'm waiting to hear back from a colleague

Step 5 I tried with an incog browser instance to no avail.
Gary Lister 0 Reputation points

2024-12-02T23:49:30.8933333+00:00

Duplicate

Answer 1

@Gary Lister

Thank you for posting this in Microsoft Q&A.

As I understand you have Global admin role assigned for your account for your tenant and you are unable to access anything in Azure.

When you try to access IAM you are getting permission error.

If you have a Global admin role assigned, this means you are complete admin in Entra ID within Azure. Entra ID is a directory within Azure. With Global admin permissions you can perform anything within the directory like, created users, deleting users, password resets, registering applications etc.

With Global admin role assigned you cannot perform anything within Azure other than within Entra ID.

If you want to perform anything with respect to subscription or resources in Azure then you need to have an IAM role assigned. Example roles, Owner, contributor, User access administrator etc.

You can go through below article to get more information on in-built role in Azure IAM,

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

There are multiple roles within Azure with permission defined that will allow you to perform different actions on multiple other resources.

As explained earlier, Azure roles are completely different from Entra ID roles. Global admin is a role which is part of Entra ID.

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator

2025-01-02T06:20:17.7166667+00:00

@Gary Lister

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Share via

Azure Global Administrator - "Insufficient privileges to complete the operation"

1 answer

Your answer