Restoring Access After Removing Account from IAM

Question

Restoring Access After Removing Account from IAM

Gerdmate Team 0

An account was mistakenly removed from Access control (IAM), resulting in the server being unreachable. What steps can be taken to restore access to the server?

Anusree Nashetty 3,670 Reputation points Microsoft External Staff Moderator

2025-05-06T20:44:46.4033333+00:00

Hello Gerdmate Team,

Please check with the subscription owners within your tenant to request that the account which was mistakenly removed to be re-added to the appropriate IAM role on the affected resource.

Could you please let us know which type of server you are referring.
Vamsi Ram Annepu 740 Reputation points Microsoft External Staff Moderator

2025-05-08T05:20:26.7366667+00:00

Hi Gerdmate Team,
Just checking in to see if you need further assistance and could you please let us know which type of server you are referring.
Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Gerdmate Team 0 Reputation points

2025-05-08T11:34:15.0233333+00:00

Could you please specify which resource (e.g., VM, database, storage) and its name or ID you are referring to? This is what appear when I login to Microsoft Azure Sponsorship | Access control (IAM)

The client 'live.com#example.com' with object id 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/classicadministrators/read' over scope '/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx or the scope is invalid. If access was recently granted, please refresh your credentials.
Mac-Tay Terry 0 Reputation points

2025-05-12T13:48:37.2466667+00:00

All other users using the same subscription ID can't access the server. Below is a screenshot of what is on the Portal.

1 answer

Your answer

Anusree Nashetty 3,670 Reputation points Microsoft External Staff Moderator

2025-05-06T20:44:46.4033333+00:00

Hello Gerdmate Team,

Please check with the subscription owners within your tenant to request that the account which was mistakenly removed to be re-added to the appropriate IAM role on the affected resource.

Could you please let us know which type of server you are referring.
Vamsi Ram Annepu 740 Reputation points Microsoft External Staff Moderator

2025-05-08T05:20:26.7366667+00:00

Hi Gerdmate Team,
Just checking in to see if you need further assistance and could you please let us know which type of server you are referring.
Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Gerdmate Team 0 Reputation points

2025-05-08T11:34:15.0233333+00:00

Could you please specify which resource (e.g., VM, database, storage) and its name or ID you are referring to? This is what appear when I login to Microsoft Azure Sponsorship | Access control (IAM)

The client 'live.com#example.com' with object id 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Authorization/classicadministrators/read' over scope '/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx or the scope is invalid. If access was recently granted, please refresh your credentials.
Mac-Tay Terry 0 Reputation points

2025-05-12T13:48:37.2466667+00:00

All other users using the same subscription ID can't access the server. Below is a screenshot of what is on the Portal.

Answer 1

Hi Gerdmate Team,

The client '<client>' with object id '<objectId>' does not have authorization to perform action '<action>' over scope '<scope>' or the scope is invalid. means the user doesn't have permissions to the resource at the selected scope.

To Restore Access: If another Owner or User Access Administrator account exists for the subscription:

Log in with that account.
Go to: Azure Portal > Subscriptions > <Your Subscription> > Access control (IAM)
Add the removed user back with:
- Role: Owner or Contributor
- Scope: Subscription or specific resource group
If you're trying to access a VM:
- Ensure the user also has Virtual Machine Contributor or Reader on the VM's resource group.https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current

https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#symptom---guest-user-gets-authorization-failed

Similar thread: https://learn.microsoft.com/en-us/answers/questions/1193583/azure-subscription-the-client-live-com-with-object

Hope it helps!

Let me know if you have any further queries!

Share via

Restoring Access After Removing Account from IAM

1 answer

Your answer