Azure IAM cannot retrieve role assignments – Contributor role missing and RBAC returns server error

Question

I am attempting to assign the Contributor role to developers on my Azure subscription but the role does not appear in the role assignment wizard.

Environment:

Subscription status: Active

I am assigned the Owner role

Developers have been invited as Guest users through Microsoft Entra ID

Problem:

When navigating to Subscriptions → Access control (IAM) the portal shows the following error message:

Unable to list classic administrators because a server error occurred. Please try again later.

Additionally, when attempting to assign roles:

The Contributor role appears in the Roles tab

But it does not appear in the “Add role assignment” role picker

Only service-specific roles such as “App Service Contributor”, “API Contributor”, etc. appear

Things already attempted:

Browser refresh and hard reload

Private / incognito browser session

Logging out and back into the Azure portal

Adding developers as guest users in Microsoft Entra ID

Attempting role assignment from both the Subscription IAM page and the User Azure role assignments page

Expected behavior:

The built-in Contributor RBAC role should appear in the role assignment wizard so it can be assigned to developers.

Has anyone encountered a situation where the Contributor role exists but does not appear in the role assignment picker?

Additionally, when attempting to assign roles:

• The Contributor role appears in the Roles tab
• But it does not appear in the “Add role assignment” role picker
• Only service-specific roles such as “App Service Contributor”, “API Contributor”, etc. appear

Things already attempted:

Browser refresh and hard reload

Private / incognito browser session

Logging out and back into the Azure portal

Adding developers as guest users in Microsoft Entra ID

Attempting role assignment from both the Subscription IAM page and the User Azure role assignments page

Expected behavior:

The built-in Contributor RBAC role should appear in the role assignment wizard so it can be assigned to developers.

Has anyone encountered a situation where the Contributor role exists but does not appear in the role assignment picker?

Answer 1

Hey Jennifer – thanks for all the details. Seeing “Contributor” in the Roles tab but not in the picker (plus that classic-admin server error) usually boils down to one of a few things:

1. Shadowed by a custom role It’s possible someone created a custom role also named “Contributor” whose assignableScopes don’t include your subscription. The portal shows all roles on the Roles tab, but the Add-role dialog only lists roles assignable at that scope.
   • Run in Azure Cloud Shell or PowerShell: Get-AzRoleDefinition -Name "Contributor" Do you see more than one definition? Check each one’s AssignableScopes.
   • If there is a custom “Contributor” with limited scopes, either delete/rename it or scope it correctly.
   • You can force the built-in role assignment via CLI:

     
          az role assignment create \
     
            --assignee ******@yourdomain.com \
     
            --role "Contributor" \
     
            --scope "/subscriptions/<your-subscription-ID>"
     
     

     or by GUID:

     
          az role assignment create \
     
            --assignee ******@yourdomain.com \
     
            --role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
     
            --scope "/subscriptions/<your-subscription-ID>"
     
     

2. Portal/UI glitch or deny-assignment is filtering it out
   • Try the same assignment in CLI or PowerShell. If it succeeds, the portal UX is mis-filtering.
   • Check for denyAssignments on your subscription or management group via Resource Explorer under: /subscriptions/<id>/providers/Microsoft.Authorization/denyAssignments
3. Conditional/PIM policies on Azure RBAC roles
   • If you have Azure AD (Microsoft Entra) conditional access or PIM policies that restrict which roles can be assigned (or which principals can receive them), the portal picker will only show the allowed roles.

Quick things to try right away:

• Run that Get-AzRoleDefinition check for duplicate “Contributor” roles and review AssignableScopes.

• Attempt the assignment via CLI or PowerShell to see if it bypasses the portal filter.

• Confirm whether you can see Owner or Reader in the “Add role assignment” picker (helps narrow if it’s a global filter).

A few follow-up questions to zero in on the root cause:

1. When you run Get-AzRoleDefinition -Name "Contributor", how many entries come back and what are their AssignableScopes?
2. Does the CLI/PowerShell approach to assign Contributor at the subscription scope succeed or give an error?
3. In the portal picker, can you see any of the built-in roles like Owner or Reader?
4. Do you have any deny assignments on that subscription or its parent management group?
5. Are there any conditional-access or PIM policies targeting Azure RBAC roles in your directory?
6. Are your developers fully redeemed as Guests in Microsoft Entra ID (i.e., they show up under Entra ID → Users)?

Answering those will help pinpoint exactly why the portal is hiding the Contributor role. Let me know!

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

Answer 2

Hello Jennifer Nobles,

This behavior is expected in the Azure portal and is not a service issue.

The built‑in Contributor role is classified under “Privileged administrator roles.” By default, the Add role assignment wizard does not show privileged roles unless the correct filter is selected.

What to do:

Go to Subscription → Access control (IAM)

Select Add → Add role assignment

In the Role tab, change the Role category filter from All roles to Privileged administrator roles

You will then see Contributor listed and can assign it to the users

The role appearing under the Roles tab but not in the default picker view confirms this is a filtering behavior, not a permission or RBAC corruption issue. The “Unable to list classic administrators” message is unrelated and does not affect RBAC role assignments.

Once the correct role category is selected, you should be able to assign the Contributor role successfully.

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Answer 3

The built‑in Contributor role is categorized under “Privileged administrator roles”, so it won’t appear in the default role picker view; switch the role filter to Privileged administrator roles to see and assign it