Developer accounts are incredibly unstable - need help to setup properly

Question

Developer accounts are incredibly unstable - need help to setup properly

Donpaul Stephens 0

We are new to Azure, attempting to port a cluster software solution to run as a managed service on demand...

our developer accounts keep failing, with no clear reason why. I can delete their accounts, create new ones, add "contributor" rights to their (new) accounts... and it works for ~ about a week.

3 weeks in, having reset most of my development team to have new accounts almost weekly (yes, same email for invite)... this makes no sense.

something is clearly very badly broken ... on what is a fairly new account.

we can delete almost everything in the account (the critical stuff is elsewhere).

where can i get a very basic "how to setup" account... so it stays operational?

this is beyond absurd.

JimmySalian-2011 42,371 Reputation points

2025-04-03T21:59:35.87+00:00

Hi,

Do you use Developer subscription for developing and testing? As per terms - Developer subscription is valid for up to 90 days, depending on your activity, and is renewable based on qualified developer activity. If you're using your subscription for development, it will be renewed regularly.

Also if you are using Microsoft 365 E5 developer subscription it includes 25 user licenses, including the administrator, for development purposes only.

So please check and confirm which type of subscription and program you have?

Please don't forget to upvote and Accept as answer if the reply is helpful

If this answer helped you please mark it as "Verified" so other users can reference it.
Donpaul Stephens 0 Reputation points

2025-04-03T23:24:18.0066667+00:00
We have a company which is in the Microsoft for Startups program, so the subscription is technically a "Microsoft Azure Sponsorship" ... though all work is being doing in an adjacent subscription under the account - as advised by the Microsoft people who supported our initial onboarding

we have 10 people, including me, who have access to the Azure Portal.

no, we are not using developer subscriptions.

within the subscription, we have technically 2 resource groups setup - using 1 at the moment.

I added users via "Microsoft Entra ID" then "users" on the left

I was told it did not matter if from "+ New User" I created via either "Create new user" or "Invite external user"... the role assignments were the same (this is my experience).

I invite "external user"

enter their email on the next page, invite..

then I add them as Contributor in the resource group.

this process takes a few minutes, and they can access resources... etc...

literally everyone (in the span of just a few weeks... and most roughly weekly) get in a state where they get errors like:

You do not have authorization to access this resource.

[their account] does not have authorization to perform action [something] over scope '/subscriptions/[xxxxxx]' or the scope is invalid. If access was recently granted, please refresh your credentials.

for things which they themselves had setup or were otherwise accessing the prior day.

we were advised to have people sign out via:
https://aka.ms/vssignout

and log back in

sometimes this hits my engineers on login, other times on services they themselves are developing

deleting their account and creating a new one (same name, added to be a contributor as above)... gets them back... but it is clearly to the Azure portal a "new" account (in "deleted users" I can see the ghost accounts I removed).

Is there some particular configuration / setting which is "second nature" for an admin onboarding new team members which I am completely missing? Login things they must use? other?

the "it works fine for 1 week+"... then everyone gets locked out from logging in or using a resource while logged in... getting the same error message implies their accounts are misconfigured, or they (all) get their own accounts into a bad state ... but the configuration for all is:

-> invited user

-> add as contributor to the Resource Group

while I'm the admin, all of the resources which our developers get locked out of are things they themselves - or their colleagues with identical rights - created.

it is almost comical how far along the port of our large codebase is ... when the logins for our team are so unstable
Navya 17,730 Reputation points Microsoft External Staff

2025-04-09T17:42:37.16+00:00

Hi @Donpaul Stephens

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 17,730 Reputation points Microsoft External Staff

2025-04-10T20:25:49.7933333+00:00

Hi @Donpaul Stephens

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

JimmySalian-2011 42,371 Reputation points

2025-04-03T21:59:35.87+00:00

Hi,

Do you use Developer subscription for developing and testing? As per terms - Developer subscription is valid for up to 90 days, depending on your activity, and is renewable based on qualified developer activity. If you're using your subscription for development, it will be renewed regularly.

Also if you are using Microsoft 365 E5 developer subscription it includes 25 user licenses, including the administrator, for development purposes only.

So please check and confirm which type of subscription and program you have?

Please don't forget to upvote and Accept as answer if the reply is helpful

If this answer helped you please mark it as "Verified" so other users can reference it.
Navya 17,730 Reputation points Microsoft External Staff

2025-04-09T17:42:37.16+00:00

Hi @Donpaul Stephens

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Navya 17,730 Reputation points Microsoft External Staff

2025-04-10T20:25:49.7933333+00:00

Hi @Donpaul Stephens

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Hi @Donpaul Stephens I understand you're using Azure Sponsorship under Microsoft for Startups and onboarding team members as external guest users. You assign them Contributor rights. Everything works for a few days but then access randomly breaks. Re-inviting them temporarily resolves the issue, but their old accounts remain same entries. This cycle repeats weekly and affects all of your developers.

Users in a directory with the Member user type have different default permissions compared to B2B guest users invited from another directory. For example, Member users can read almost all directory information, whereas Guest users have restricted directory access. For more information, please refer to: What are the default user permissions in Microsoft Entra ID.

When you delete a user, they are moved into a soft-deleted state and remain available for 30 days. Please try permanently deleting the users and then re-add them in Entra ID before assigning the Contributor (RBAC) role again. You can learn how to permanently delete users here: Delete a user from Microsoft Entra ID.

Regarding the following issue:

"You do not have authorization to access this resource." "[user] does not have authorization to perform action [something] over scope '/subscriptions/[xxxxxx]' or the scope is invalid. If access was recently granted, please refresh your credentials."

Which specific resource were the users trying to access in Azure or Microsoft Entra ID when this error appeared? Where exactly users are you encountering the issue? If possible, could you please share a screenshot or error message details to help us better understand and investigate the problem?

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Donpaul Stephens 0 Reputation points

2025-04-10T21:46:18.4733333+00:00

Ernest - locked out.pngthis is the kind of error

I permanently deleted the formerly deleted users

we have other... seemingly super basic questions with Entra which we can't resolve, including:

only "external" users who were invited appear part of the tenant

users created in the organization (me, the owner, and 1 other engineer aren't apparently)... and i can't figure out how to add us

because I (the owner) am not part of the tenant (which i manage), I can't link the subscription directly with DevOps (while i can see it as the only option in the pull down... and in theory DevOps should be billed to the subscription.

I have spent a LOT of time basically fumbling around in the dark getting extremely frustrated on Entra... we get enough done to get my team productive ... but this is a HORRIBLE experience. Clearly, I have something basic misconfigured. I can create all new accounts from scratch.

Please advise how we can get a basic walk through to get this setup (Azure Portal + DevOps) working properly... Entra is apparently required for this.

this should be very basic.

if you can't, please refer me to someone, or a company which does this and can help - PLEASE
Navya 17,730 Reputation points Microsoft External Staff

2025-04-15T20:40:23.7933333+00:00

Hi @Donpaul Stephens

Can we work on this thread offline. Please share your email address, time zone and availability timings over the private messages to make a teams call. We can connect offline and discuss further on this.

Share via

Developer accounts are incredibly unstable - need help to setup properly

1 answer

Your answer