An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Losing access to most resources in a subscription while still seeing the account listed as Account Administrator indicates a permissions or directory/role issue that typically requires admin or Microsoft support intervention.
Use the following checks and escalation path:
- Verify directory and sign-in
  - In the Azure portal, select the account icon (top-right) and use Switch directory to ensure the correct Microsoft Entra directory (tenant) is selected.
  - If multiple accounts are used in the browser, clear cookies/cache or use a private/incognito window and sign in again to avoid being automatically signed in as a different user.
- Check role assignments and RBAC errors
  - Try to open any resource group or subscription-level blade.
  - If an error like `The client with object id does not have authorization to perform action ... (code: AuthorizationFailed)` appears, it means the current user no longer has a role with write permissions at that scope.
  - If another user in the tenant exists with sufficient rights (Owner, User Access Administrator, or classic Service Administrator/Co-Administrator), that user must reassign an appropriate role (for example, Owner) to the account at the subscription scope.
- Use classic administrator roles if available
  - In Subscriptions → select the subscription → Properties, confirm who is listed as Service Administrator and Co-Administrator.
  - The Service Administrator or any Co-Administrator has equivalent access to an Owner at subscription scope and can:
    - Reassign roles via Access control (IAM)
    - Add the affected account as Owner at the subscription scope.
- If no one can fix it from within the tenant
  - If the only admin account (self) has effectively lost usable permissions and there is no other admin or owner who can restore access, the issue must be escalated to Microsoft support.
  - Because the account currently cannot create a support request from the portal, use the public support entry points (for example, the Azure subscription/billing support channel) from outside the portal to open a ticket.
  - Clearly state that:
    - The subscription still lists the account as Account Administrator.
    - RBAC permissions/Owner role appear to be removed or broken.
    - The account cannot create a support request from within the portal.
  - Support may involve a data protection or back-end team to restore or reassign subscription ownership.
If the tenant has a Global Administrator in Microsoft Entra ID (which might be the same account), that Global Administrator can also use the documented “elevate access” path to gain Owner on all subscriptions and then reassign roles as needed.
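The role-assignment check in the steps above can be run offline against exported data. The following is an added example, not part of the original answer: it assumes the full AuthorizationFailed message carries its quoted object id, action and scope, and that assignments are dictionaries shaped like the JSON from `az role assignment list --all`. All GUIDs and account names are constructed placeholders, and classic administrators do not appear in such a list.

```python
import re

# RBAC roles the answer above names as able to reassign access.
CAN_ASSIGN = {"Owner", "User Access Administrator"}

# Assumed wording of the full AuthorizationFailed message, with quoted fields.
ERROR_RE = re.compile(
    r"object id '(?P<object_id>[^']+)' does not have authorization to perform "
    r"action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def covers(assignment_scope, target_scope):
    """Role assignments are inherited: a parent scope covers its child scopes."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def triage(message, assignments):
    """Report the caller's roles at the failing scope and who can restore access."""
    m = ERROR_RE.search(message)
    if m is None:
        raise ValueError("not an AuthorizationFailed message in the assumed format")
    err = m.groupdict()
    caller = err["object_id"].lower()
    in_scope = [a for a in assignments if covers(a["scope"], err["scope"])]
    own = sorted(a["roleDefinitionName"] for a in in_scope
                 if a["principalId"].lower() == caller)
    rescuers = sorted({a["principalName"] for a in in_scope
                       if a["roleDefinitionName"] in CAN_ASSIGN
                       and a["principalId"].lower() != caller})
    return dict(err, own_roles=own, can_restore=rescuers)

# Constructed sample data: placeholder GUIDs and names, not taken from the page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ME = "aaaaaaaa-0000-0000-0000-000000000000"
SAMPLE_ERROR = (
    f"The client 'me@contoso.example' with object id '{ME}' does not have "
    "authorization to perform action 'Microsoft.Resources/subscriptions/"
    f"resourceGroups/write' over scope '{SUB}/resourceGroups/rg-app' or the "
    "scope is invalid. (code: AuthorizationFailed)")
SAMPLE_ASSIGNMENTS = [
    dict(zip(("principalId", "principalName", "roleDefinitionName", "scope"), r))
    for r in [
        (ME, "me@contoso.example", "Reader", SUB),
        ("b1", "ops@contoso.example", "Owner", SUB),
        ("c1", "dev@contoso.example", "Contributor", SUB),
        ("d1", "rg@contoso.example", "User Access Administrator",
         SUB + "/resourceGroups/rg-other"),
        ("e1", "ga@contoso.example", "User Access Administrator", "/"),
    ]]
```

Calling `triage(SAMPLE_ERROR, SAMPLE_ASSIGNMENTS)` shows the caller holding only Reader at the failing scope and lists the two principals whose assignments cover that scope with rights to reassign roles.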