I cannot access a resource group

Question

I cannot access a resource group

Charles Kendrick 0

What would cause me to lose access to a resource group? I can see the app and resource name in my bill, but when I click on them I get a message that I don't have access. There are 6 static web apps in the group.

Rukmini 41,125 Reputation points Microsoft External Staff Moderator

2026-05-27T13:43:55.71+00:00
Hey Charles, it sounds like your Azure RBAC assignment on that resource group got changed or removed. Even though you see the static web apps in your bill, without a role (Owner/Contributor/Reader) on the Resource Group you won’t be able to click through to it in the portal. Here are the most common causes and what you can check:

Role assignment was removed or altered

Someone might have removed the Contributor/Reader role from you (or the AAD group you’re in) on that resource group or subscription.

Go to the resource group in the portal > Access control (IAM) > Role assignments. Search for your user or any security groups you belong to.

Group membership or licensing issue

If you’re getting access via an AAD group, make sure that group is still assigned the RBAC role and that you’re still a member.

Verify in Microsoft Entra ID (AAD) > Groups that the group still contains your user and is set up to be role-assignable if you’re using it for privileged roles.

Privileged Identity Management (PIM) expiration

If the Contributor/Owner assignment was “eligible” rather than permanent, you may need to “Activate” it again in PIM.

Check Azure AD > Privileged Identity Management > My roles to see if your assignment is still active.

Management group or policy override

A management group or Azure policy could have been applied that denies access to that specific resource group.

Check your effective permissions via Azure CLI: az role assignment list --assignee <your-object-id> --scope /subscriptions/<subscription-id>/resourceGroups/<rg-name>

Subscription or billing state

Rarely, if a subscription is disabled or past due, you’ll see billing info but can’t actually open resources.

Verify the subscription state under Subscriptions in the portal.

Quick troubleshooting steps:

Go to the RG in the portal > Access control (IAM) > View “Effective access” for your user.

Use the Azure CLI or PowerShell to list your role assignments.

In Azure AD, confirm your group memberships and any PIM assignments.

Hope this helps you pinpoint where the access was dropped! Let me know if you need more guidance.

Reference docs:

Assign a role to a cloud group in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/roles/groups-assign-role

Troubleshooting roles assigned to cloud groups: https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-groups-faq-troubleshooting

Privileged Identity Management troubleshooting: https://docs.microsoft.com/entra/id-governance/privileged-identity-management/pim-troubleshoot

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Rukmini 41,125 Reputation points Microsoft External Staff Moderator

2026-05-28T11:34:44.1333333+00:00

Hello @Charles Kendrick

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

1 answer

Your answer

Rukmini 41,125 Reputation points Microsoft External Staff Moderator

2026-05-28T11:34:44.1333333+00:00

Hello @Charles Kendrick

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Answer 1

AI answer

Loss of access to a resource group that still appears on the bill is typically caused by a change in permissions or role assignments, not by deletion of the resources.

Common causes in this scenario:

Role assignment removed or changed
- The account might have been removed from a role assignment (for example, Contributor or Reader) on the subscription, resource group, or specific resources.
- If only Reader access remains, many management features are disabled. For web apps and similar resources, Reader access prevents actions like viewing deployments, logs, or configuration, and some blades in the portal appear disabled.
- Solution: An administrator must assign a role with write permissions (such as Contributor) on the resource group or subscription.
Insufficient scope of access
- Access might exist only at the app (resource) level but not at the resource group or App Service plan level. Some features (pricing tier, scaling, quotas, TLS/SSL, alerts, Application Insights, etc.) require write access at the App Service plan or resource group scope.
- Solution: Ensure a built-in role with write permissions is assigned at the App Service plan or resource group level, not just on individual resources.
Different account signed in
- If multiple Microsoft accounts are used (work and personal), the browser may be signed in with an account that does not have access, even though billing still shows the resources.
- Solution: Sign out of all Microsoft accounts in the browser, clear site data if needed, and sign back in with the account that owns or has been granted access to the subscription/resource group.
Access controlled via groups or entitlement management
- Access may be granted through Microsoft Entra groups or access packages. If group membership or access package assignments changed, effective access to the resource group can be lost.
- Solution: Have an Entra administrator verify group membership, dynamic group rules, and any entitlement management policies that grant access to the subscription or resource group.

If access is needed again, an administrator with sufficient privileges on the subscription or resource group must reassign an appropriate Azure built-in role (for example, Contributor) at the correct scope.

References:

AI-generated content may be incorrect. Read our transparency notes for more information.

Share via

I cannot access a resource group

1 answer

Your answer