Azure Active Directory – Solving “Access denied” issue

Gabriel Pineiro
2018-08-14T14:51:37-03:00By |
June 19, 2017

Symptoms:

  •  you are using a Live account to enter into your Azure subscription
  •  you need to do something that makes you need to use Azure Active Directory (for example, continuous deployment with VSTS)
  • when you try to access your Azure Active Directory, you get an “Access denied” error… what? access denied from my OWN subscription?

Diagnostic:

What happen is this: when you log in with a Live account for the first time, Azure added your user as of type “Guest” in the default Active Diretoctory.

And what you need to do, is to give these user a userType=member.

But guess what? You can not do that from the Azure Portal, you need to do it from Azure Powershell.

Solution:

So to fix this, open a powershell console, and type:

Login-AzureRmAccount

enter your credentials. Then, you need to find what is the “UserPrincipalName” of the user that you are trying to add access. For that, type:

Get-MsolUser

The result should be a list of users. Look for the needed user, should be something like:

whateveraccount.com#EXT#@whateverdirectory.onmicrosoft.com

After this, you are ready for the magic:

Set-MsolUser -UserPrincipalName whateveraccount.com#EXT#@whateverdirectory.onmicrosoft.com -UserType Member

And violà.

My subscription needed a while to replicate this change against the Azure servers, so you should be patient 🙂