How to remove a 'dangling' Access Control (IAM) assignment for User Access Administrator?

Joe MacPherson 0 Reputation points
2024-05-17T15:59:28.9133333+00:00

A User profile was set as User Access Administrator, the mistake was recognized, and the User profile was deleted... However, after the deletion, there is a 'dangling' Access Control (IAM) entry indicating "Identity not found", which makes sense as the profile no longer exists. The online documentation (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal#remove-a-role-assignment-at-the-root-scope-) indicates to log in as the User which executed the elevated permissions command. We attempted to re-add the User Profile to revoke the User Access Administrator assignment, which did not work, because the original Object ID for the User Profile no longer exists...
Is there a way to remove this entry? I'm pretty confident that the profile is not a danger, just a nuisance cleanup event...


Microsoft Entra ID

2 answers

  1. Andy David - MVP 142.9K Reputation points MVP
    2024-05-17T16:11:14.34+00:00

    It says sign in as any user that can remove elevated access, not necessarily the user who initially added that account :)

    1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.
    2. Use the Remove-AzRoleAssignment command to remove the User Access Administrator role assignment.

           Remove-AzRoleAssignment -SignInName username@example.com -RoleDefinitionName "User Access Administrator" -Scope "/"

  2. Joe MacPherson 0 Reputation points
    2024-05-17T22:13:06.1566667+00:00

    Hey Andy - Thanks for the support...
    Unfortunately, just keep getting different blockers...
    Error response - Invalid status code 'forbidden'
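Added example, not part of the thread or of the Microsoft documentation: because the deleted user no longer has a sign-in name to match, this sketch finds the "Identity not found" assignment at root scope by its object type and removes it by ObjectId instead of -SignInName. It assumes the Az.Resources module and a session signed in as a Global Administrator with elevated access at root scope, as in step 1 of the answer above.

```powershell
# Added example. Assumes: Az.Resources is installed and Connect-AzAccount was
# run as a Global Administrator with elevated access at root scope ("/").
$roleName = 'User Access Administrator'

# An assignment whose principal was deleted is returned with ObjectType
# 'Unknown' and empty DisplayName/SignInName, so -SignInName cannot match it.
$orphans = Get-AzRoleAssignment -Scope '/' |
    Where-Object {
        $_.Scope -eq '/' -and
        $_.RoleDefinitionName -eq $roleName -and
        $_.ObjectType -eq 'Unknown'
    }

if (-not $orphans) {
    Write-Output "No orphaned '$roleName' assignments found at root scope."
    return
}

# Review what was matched before deleting anything.
$orphans | Format-Table ObjectId, ObjectType, RoleDefinitionName, Scope, RoleAssignmentId

foreach ($assignment in $orphans) {
    # Remove by ObjectId, which still identifies the deleted principal.
    # -WhatIf only previews the change; drop it to perform the removal.
    Remove-AzRoleAssignment -ObjectId $assignment.ObjectId `
        -RoleDefinitionName $assignment.RoleDefinitionName `
        -Scope $assignment.Scope -WhatIf
}
```

Run it once with -WhatIf and confirm that the listed ObjectId is the deleted profile's original Object ID before removing the switch.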