
Locked Out of Azure Subscription - Subscription Owner Access Issue

Sam Hardy 0 Reputation points
2026-02-12T22:57:56.09+00:00

I am the owner of an Azure Pay-As-You-Go subscription and am currently locked out due to authentication issues. I cannot access the Azure Portal or Azure CLI, which prevents me from managing my resources or creating support tickets through the portal.

Subscription details

  • Subscription ID: PII removed
  • Tenant ID: PII removed
  • Subscription type: Pay-As-You-Go (single owner)

Issue description

I attempted to add my personal email account as a guest user in my Azure AD tenant to access Databricks account-level features. During this process, I accidentally created a duplicate user account using Azure CLI (az ad user create with a guest-style UPN), which appears to have disrupted the authentication state of my existing guest user account. The duplicate user has since been deleted, but authentication issues persist.

Current symptoms (summary)

  • Azure Portal (portal.azure.com)
    • “Token validation failed. A passthrough token was detected without proper resource provider context.”
    • “An error occurred when trying to fetch resources.”
    • UI shows “Welcome to Azure!” and does not list any resources (e.g. Databricks workspace, resource groups), even though the subscription and resources still exist.
    • Same identity/tenant confusion when trying to open the support panel or other portal blades.
  • Restricted tenant / limited access
    • When following links to tenant or subscription details (e.g. from a recent invoice or billing email), a “Limited or No Access” modal appears.
    • Message: “You are not a member of this tenant and do not have access to this directory or any subscriptions/resources within. Your interactions will be limited to directory switching or passthrough scenarios only.”
    • I can only choose “I acknowledge” (continue as passthrough user with no directory access) or “Sign out.”
    • I cannot view tenant or subscription details even via direct links; my account is treated as a non-member passthrough user.
  • Azure CLI
    • az login fails (including with --tenant PII removed).
    • Error: AADSTS50020 – “User account '<redacted>' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxx' (Microsoft Azure CLI). The account needs to be added as an external user in the tenant first.”
    • No valid session; I cannot run az account list or any other Azure CLI commands.
  • Databricks account portal (accounts.azuredatabricks.net)
    • AADSTS16000 (and similar): User from identity provider ‘live.com’ does not exist in tenant “Microsoft Services” and cannot access the application. Account would need to be added as an external user first.
  • Common theme
    • Authentication appears to be sent or resolved against the wrong tenant (“Microsoft Services” or “Default Directory”) instead of my customer tenant (PII removed) where the subscription and guest user exist.

What I need

I need help restoring access to my subscription as the subscription owner (e.g. by fixing or resetting my guest user’s authentication state in the tenant, or by excluding my account from whatever is blocking sign-in). My Azure resources (including a Databricks workspace, storage accounts, and other infrastructure) are intact; the issue is authentication/authorization only.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
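The question describes a collision between a real B2B guest and a second user object created with `az ad user create` and a guest-style UPN. An administrator who still has directory access can look for that pattern in the output of `az ad user list -o json`; the script below is an added example, not code from the poster or from Microsoft, and the user objects it parses are constructed sample data (names, ids and domains are placeholders).

```python
"""Audit the JSON that `az ad user list -o json` prints for the situation
described in the question: a second user object carrying a guest-style
'#EXT#' UPN next to the real B2B guest. Sample data below is constructed."""
import json
import re

# B2B guest UPNs have the form alice_example.com#EXT#@tenant.onmicrosoft.com
EXT_RE = re.compile(r"^(?P<local>[^#]+)#EXT#@(?P<tenant>.+)$", re.IGNORECASE)

SAMPLE_USERS = json.dumps([  # constructed, not the poster's tenant
    {"id": "11111111-0000-0000-0000-000000000001",
     "userPrincipalName": "alice_outlook.com#EXT#@contoso.onmicrosoft.com",
     "mail": "alice@outlook.com", "userType": "Guest"},   # real invited guest
    {"id": "11111111-0000-0000-0000-000000000002",
     "userPrincipalName": "alice_live.com#EXT#@contoso.onmicrosoft.com",
     "mail": "alice@outlook.com", "userType": "Member"},  # made with az ad user create
    {"id": "11111111-0000-0000-0000-000000000003",
     "userPrincipalName": "bob@contoso.onmicrosoft.com",
     "mail": None, "userType": "Member"},                  # ordinary member
])


def external_key(user):
    """Normalise a user object to the external identity it stands for."""
    mail = (user.get("mail") or "").lower()
    if mail:
        return mail
    m = EXT_RE.match(user.get("userPrincipalName") or "")
    if m and "_" in m.group("local"):
        # alice_outlook.com -> alice@outlook.com (last '_' splits user and domain)
        name, _, domain = m.group("local").rpartition("_")
        return f"{name}@{domain}".lower()
    return (user.get("userPrincipalName") or "").lower()


def audit_users(users_json):
    """Return findings: non-guest objects with guest-style UPNs, and external
    identities represented by more than one user object."""
    findings, by_key = [], {}
    for u in json.loads(users_json):
        upn = u.get("userPrincipalName") or ""
        if EXT_RE.match(upn) and u.get("userType") != "Guest":
            findings.append(("member-with-guest-upn", u["id"], upn))
        by_key.setdefault(external_key(u), []).append(u["id"])
    for key, ids in by_key.items():
        if len(ids) > 1:
            findings.append(("duplicate-external-identity", key, tuple(sorted(ids))))
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(*finding)
```

Run against real output by piping `az ad user list -o json` into `audit_users`; each finding names the object ids to review before deleting anything.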
