How to check/change for legacy roles?

A_User5555 0 Reputation points
2025-03-19T16:46:12.8633333+00:00

We received an email indicating legacy roles are being discontinued, and that certain roles need to be converted to RBAC. We are not Azure users, but are technical, and don't understand the strange terminology being used. How do we check to see if any roles are the legacy types? And if there are any, how do we change them to RBAC? The email sent has no instructions and no link to real instructions. The only links are to a copy of the email, and links for contacting support.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Pradeep Kommaraju 465 Reputation points Microsoft Employee
    2025-03-19T17:23:48.9266667+00:00

    Hello

    Thanks for reaching out to the Microsoft Q and A Forum.

    These instructions will help you identify the legacy roles and also help you in migrating:

    1. Navigate to the Azure Portal → Azure Active Directory, then go to Roles and administrators and search for roles marked as "Legacy". Use Microsoft Entra ID → Privileged Identity Management (PIM) to review role assignments.
    2. In Azure AD, navigate to Users → Directory role assignments and export role assignments via Microsoft Graph API or Azure PowerShell using:

    Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionName -like "*Legacy*" }

    3. Compare legacy roles with Microsoft Entra built-in roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles?toc=%2Fentra%2Fidentity%2Frole-based-access-control%2FTOC.yml&bc=%2Fentra%2Fidentity%2Frole-based-access-control%2Fbreadcrumb%2Ftoc.yml) and assign equivalent RBAC roles in Azure AD or Azure Subscription IAM.
    4. In Azure Portal, go to Access control (IAM) → Remove legacy role assignments. Use PowerShell to remove outdated roles:

    Remove-AzRoleAssignment -ObjectId "<object-id>" -RoleDefinitionName "<role-name>"

    I hope it was helpful. Please don't forget to accept the answer if this resolved your scenario.

    Thanks


  2. Sakshi Devkante 2,905 Reputation points Microsoft External Staff
    2025-03-20T11:37:35.59+00:00

    Hello A_User5555

    Adding more points to Pradeep's answer: even if you do not see any "Classic Administrators" in your Azure subscriptions, you might have received the email due to hidden or legacy role assignments for users or apps that still exist within your Azure environment.

    You can run the below command in Azure CLI to list all the Classic Administrators in your subscription. Please verify across all the subscriptions that you have access to.

    az role assignment list --all --query "[?roleDefinitionName=='Co-Administrators']"

    1. Legacy Classic Administrators Exist in the Background

    - Even if you don't see Classic Administrators in Azure Portal, there might be hidden assignments that need conversion.

    - Microsoft is retiring Classic Administrators (e.g., Co-Administrator, Service Administrator) and enforcing Azure Role-Based Access Control (RBAC).

    2. Multiple Subscriptions Under Your Account

    - If you manage multiple Azure subscriptions, one of them may still have Classic Administrators assigned.

    - Check all subscriptions in Azure Portal under "Subscriptions" → "Access Control (IAM)".

    3. Microsoft Enforcing Migration to RBAC

    - Microsoft is automatically enforcing migration from Classic roles to Azure RBAC roles, and the email serves as a notification.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal

    If you run this command and get an empty array as a response, then you don't have any users or apps with classic administrators (co-admin or service admin), and you will not be impacted.

    Check this similar Q&A post where I have explained in detail the "Transition to role-based access control (RBAC)": https://learn.microsoft.com/en-us/answers/questions/2236690/i-need-help-with-azure-rbac

    I hope this clarifies things.
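
Both answers ask for the check to be repeated in every subscription; the loop below does that with Azure PowerShell and writes the result to a CSV for review. It is an added example, not code from either answer or from Microsoft. It assumes a prior `Connect-AzAccount` and an Az.Resources version that supports the `-IncludeClassicAdministrators` switch of `Get-AzRoleAssignment` (a switch neither answer uses); the role-name pattern and the output file name are also assumptions.

```powershell
# Added example: inventory classic administrator assignments in every
# subscription the signed-in account can see.
# Requires the Az.Accounts and Az.Resources modules and Connect-AzAccount.

# Assumption: classic roles are reported under these names, possibly joined
# with ';' (for example "ServiceAdministrator;AccountAdministrator").
$classicPattern = 'CoAdministrator|ServiceAdministrator|AccountAdministrator'

$findings = foreach ($sub in Get-AzSubscription) {
    # Switch context so the role query runs against this subscription.
    $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

    try {
        $assignments = Get-AzRoleAssignment -IncludeClassicAdministrators -ErrorAction Stop
    }
    catch {
        # Record subscriptions that could not be read instead of treating
        # them as clean; they need a manual check in the portal.
        Write-Warning "Could not read role assignments in '$($sub.Name)': $($_.Exception.Message)"
        continue
    }

    $assignments |
        Where-Object { $_.RoleDefinitionName -match $classicPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Subscription   = $sub.Name
                SubscriptionId = $sub.Id
                DisplayName    = $_.DisplayName
                SignInName     = $_.SignInName
                ClassicRole    = $_.RoleDefinitionName
                Scope          = $_.Scope
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Hypothetical output path; keep the file as the record of what to convert.
    $findings | Export-Csv -Path .\classic-admins.csv -NoTypeInformation
}
else {
    Write-Output 'No classic administrator assignments found in any readable subscription.'
}
```

A subscription that produced a warning was not checked, so an empty result only covers the subscriptions that were read successfully.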

