Hello,
For Azure Key Vault, you don’t actually need an “active admin user” inside that Entra ID group to recover access. The recovery path depends on which permission model the vault is using, and what Azure role you have on the vault/subscription.
In the Azure portal, under Key Vault → Access configuration, you’ll see one of these:
- Azure role-based access control (Azure RBAC) (recommended/default)
- Vault access policy (legacy)
Fastest recovery is to assign yourself access directly.
To change Key Vault role assignments under RBAC, you generally need Owner or User Access Administrator at the vault/resource group/subscription scope.
- Azure portal → Key Vault → Access control (IAM)
- Add → Add role assignment (standard RBAC flow)
- Add one of these roles to your user (or a new break-glass admin group):
  - Key Vault Administrator (full data-plane access to secrets/keys/certs; doesn’t manage the vault resource or role assignments)
  - If you only need secrets: Key Vault Secrets Officer / Secrets User
Once you’ve got access, you can replace the orphan group assignment with a new, well-owned group.
If the vault uses Vault access policies (legacy)
To regain access, you need management-plane rights that allow you to edit access policies.
- Azure portal → Key Vault → Access policies → Create
- Select your user as the principal
- Choose the needed permissions (Secrets/Keys/Certificates) → Save
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
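
The two recovery paths from the answer above, scripted with the Azure CLI as an added example (not part of the original answer). The function names, the vault name argument and the `get list` secret permissions are assumptions; run it from an account that already holds the Azure roles the answer names.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes Azure CLI is installed
# and `az login` was done by a user with Owner / User Access Administrator
# (RBAC vaults) or rights to edit access policies (legacy vaults).

# Print "rbac" or "policy" for the vault named in $1.
kv_permission_model() {
  local rbac
  rbac=$(az keyvault show --name "$1" \
           --query properties.enableRbacAuthorization -o tsv) || return 1
  # Older vaults may return an empty value here: treat that as access policies.
  case "$rbac" in
    true|True) echo rbac ;;
    *)         echo policy ;;
  esac
}

# Usage: kv_recover_access <vault-name> [rbac-role]
# Grants the signed-in user access through whichever model the vault uses.
kv_recover_access() {
  local vault="$1" role="${2:-Key Vault Administrator}"
  local model me scope
  model=$(kv_permission_model "$vault") || return 1
  # Object ID of the signed-in user (older CLI versions call this objectId).
  me=$(az ad signed-in-user show --query id -o tsv) || return 1

  if [ "$model" = "rbac" ]; then
    # Scope the assignment to the vault itself, not the whole subscription.
    scope=$(az keyvault show --name "$vault" --query id -o tsv) || return 1
    az role assignment create --role "$role" \
      --assignee-object-id "$me" --assignee-principal-type User \
      --scope "$scope"
  else
    # Assumed minimal permissions; add --key-permissions or
    # --certificate-permissions if those object types are needed.
    az keyvault set-policy --name "$vault" --object-id "$me" \
      --secret-permissions get list
  fi
}
```

Source the file and call `kv_recover_access <vault-name>`; pass `"Key Vault Secrets Officer"` as the second argument when only secrets are needed.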