No longer able to view content of CosmosDB ... and other issues.

Sam Johnson 6 Reputation points
2022-08-28T19:52:59.713+00:00

Another Azure admin mistakenly switched our subscription to a different directory. We switched it back and, days later, I'm unable to perform basic tasks. Emphasis on 'I' since others do not have this problem.

According to the Azure portal I am still a User Access Administrator but I appear to now have have read-only access.

Examples:

I can view all available Azure resource groups and navigate to each component within. My access is reduced.

  • In the case of CosmosDB, I can no longer utilize Data Explorer but I do get a friendly denial message:

    Hi Sam. You’re seeing this message because your user account is in Azure Reader or Azure Monitoring Reader roles and you attempted to access Cosmos DB collections.

  • I am no longer able to use my Azure plug in for Visual Studio code to list slots or make make changes to azure functions and other components. I get this error:

Error: The client 'myemailaddress' with object id 'd0c62c3f-3912-4679-9b12-e1a0da7bc155'
does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope
'/subscriptions/cdc978e..../resourceGroups/providers/Microsoft.Web/sites/UUID-API-AZFN/config/appsettings' or
the scope is invalid. if access was recently granted, please refresh your credentials.

I've tried too many things to quantify here in an attempt to encapsulate what I've done to resolve this issue.

This issue is not isolated to just my user id. It appears some application ids are impacted as well. I can't do much about those until my own access is returned to normal.

Any help?

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,434 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,630 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,325 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2022-08-29T06:51:36.22+00:00

    Hi @Sam Johnson • Thank you for sharing the feedback with us.

    Based on the feedback, I have raised a UVOC item in the feedback portal and will notify the product group as well. I am sharing the link to the feedback so that others facing this issue can find the information and upvote it. Kindly upvote the feedback.

    https://feedback.azure.com/d365community/idea/43d16ef9-6427-ed11-a81b-6045bd853198

    This limitation is documented under the Important note in Associate or add an Azure subscription to your Azure Active Directory tenant document:

    When you associate a subscription with a different directory, users that have roles assigned using Azure role-based access control lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Oury Ba-MSFT 16,076 Reputation points Microsoft Employee
    2022-09-23T20:09:08.39+00:00

    Hi @Sam Johnson Thank you for your question and for using Q&A platform.
    To respond the Cosmos db access issue. My understanding is that you are no longer able to access to Azure data explorer in Azure cosmos DB. The reason why is that Azure Cosmos DB is a control plane RBAC permission, not a data plane one. Here is the documentation page on data-plane access (read or write from a database account): Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account
    That doc walks you through the process that you can follow using Azure CLI or PowerShell to grant a principal (identity) access to read or write to resources in Azure Cosmos DB.

    Please let us know if you need more clarification

    Regards,
    Oury

    0 comments No comments