No longer able to view content of CosmosDB ... and other issues.

Sam Johnson 6 Reputation points
2022-08-28T19:52:59.713+00:00

Another Azure admin mistakenly switched our subscription to a different directory. We switched it back and, days later, I'm unable to perform basic tasks. Emphasis on 'I' since others do not have this problem.

According to the Azure portal I am still a User Access Administrator but I appear to now have read-only access.

Examples:

I can view all available Azure resource groups and navigate to each component within. My access is reduced.

  • In the case of CosmosDB, I can no longer utilize Data Explorer but I do get a friendly denial message:

    Hi Sam. You’re seeing this message because your user account is in Azure Reader or Azure Monitoring Reader roles and you attempted to access Cosmos DB collections.

  • I am no longer able to use my Azure plug-in for Visual Studio Code to list slots or make changes to Azure Functions and other components. I get this error:

Error: The client 'myemailaddress' with object id 'd0c62c3f-3912-4679-9b12-e1a0da7bc155'
does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope
'/subscriptions/cdc978e..../resourceGroups/providers/Microsoft.Web/sites/UUID-API-AZFN/config/appsettings' or
the scope is invalid. if access was recently granted, please refresh your credentials.

I've tried too many things to quantify here in an attempt to encapsulate what I've done to resolve this issue.

This issue is not isolated to just my user id. It appears some application ids are impacted as well. I can't do much about those until my own access is returned to normal.

Any help?

2 answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2022-08-29T06:51:36.22+00:00

    Hi @Sam Johnson • Thank you for sharing the feedback with us.

    Based on the feedback, I have raised a UVOC item in the feedback portal and will notify the product group as well. I am sharing the link to the feedback so that others facing this issue can find the information and upvote it. Kindly upvote the feedback.

    https://feedback.azure.com/d365community/idea/43d16ef9-6427-ed11-a81b-6045bd853198

    This limitation is documented under the Important note in Associate or add an Azure subscription to your Azure Active Directory tenant document:

    When you associate a subscription with a different directory, users that have roles assigned using Azure role-based access control lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Oury Ba-MSFT 16,636 Reputation points Microsoft Employee
    2022-09-23T20:09:08.39+00:00

    Hi @Sam Johnson, thank you for your question and for using the Q&A platform.
    To respond to the Cosmos DB access issue: my understanding is that you are no longer able to access Azure Data Explorer in Azure Cosmos DB. The reason is that Azure Cosmos DB is a control plane RBAC permission, not a data plane one. Here is the documentation page on data-plane access (read or write from a database account): Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account
    That doc walks you through the process that you can follow using Azure CLI or PowerShell to grant a principal (identity) access to read or write to resources in Azure Cosmos DB.

    Please let us know if you need more clarification.

    Regards,
    Oury

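Added example (not part of the thread, and not Microsoft's code): a small Python model of how Azure RBAC matches a requested operation against the actions/notActions (control plane) and dataActions (data plane) of the roles a principal holds, using the action string from the error in the question. The role permission lists are abridged copies of the built-in definitions and the function names are hypothetical; compare against the live definitions from `az role definition list` before relying on them.

```python
from fnmatch import fnmatchcase

# Abridged copies of built-in role definitions (assumption: verify the live ones).
ROLES = {
    "Reader": {"actions": ["*/read"]},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"],
    },
    # Cosmos DB's own data-plane role: dataActions only, no control-plane actions.
    "Cosmos DB Built-in Data Contributor": {
        "dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
        ],
    },
}

def _matches(patterns, operation):
    """Case-insensitive wildcard match; '*' spans '/' as it does in Azure RBAC."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, operation, data_plane=False):
    """Allowed if some (data)action matches and no not(Data)Actions entry does."""
    allow, deny = (("dataActions", "notDataActions") if data_plane
                   else ("actions", "notActions"))
    return (_matches(role.get(allow, []), operation)
            and not _matches(role.get(deny, []), operation))

def granting_roles(assigned, operation, data_plane=False):
    """Names of the assigned roles that permit the operation."""
    return [n for n in assigned if role_allows(ROLES[n], operation, data_plane)]

if __name__ == "__main__":
    held = ["Reader", "User Access Administrator"]
    # Action string taken from the error message in the question.
    print(granting_roles(held, "Microsoft.Web/sites/config/list/action"))
    # Constructed data-plane operation: reading an item in a container.
    item_read = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
    print(granting_roles(held + ["Contributor"], item_read, data_plane=True))
```

Both calls print an empty list: none of the control-plane roles in this model carries a matching action for the first operation or any dataActions for the second.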