Problem
Owners of a resource in Azure cannot delete the role assignment of an invited guest user who is also a member of a Foreign Principal group shown in the Identity and Access Management (IAM) blade. For example, John Doe is an external user of a CSP (the partner), and that CSP is itself listed as a Foreign Principal. The CSP is a delegated admin partner of your tenant.
Explanation
If you have delegated admin partners and, for example, create new subscriptions through the CSP's portal, the partner automatically receives Owner, Contributor or Reader permissions on those subscriptions. The assignment is made to the partner's Foreign Principal group, not to individual users.
If you then invite John Doe, an engineer of the delegated admin partner who is already a member of the CSP's Foreign Principal group, as a guest user in your tenant, the role assignments in the IAM blade break: owners of the resource can no longer delete the guest's assignment.
- The Foreign Principal group is managed by the CSP in Microsoft Partner Center (GDAP permissions); it lives in the partner's tenant, so you cannot inspect its membership yourself.
- Check with your partner that the user you plan to invite as a guest is not a member of the Foreign Principal group.
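You cannot see the partner group's membership, but you can see which of your scopes carry a delegated-partner (ForeignGroup) assignment and which guest users hold assignments in those scopes; those are the guests to verify with the partner before the assignment gets stuck. The script below is an added example, not from the original post: it reads the JSON that `az role assignment list --include-inherited --all -o json` produces and flags such guests. The embedded sample data, the partner and user names, the IDs and the scopes are constructed for the example.

```python
"""Audit Azure RBAC role assignments for delegated-partner (ForeignGroup) and
guest-user principals. Hypothetical example; the sample data is constructed."""
import json
import sys

# Constructed sample shaped like the output of
#   az role assignment list --subscription <id> --include-inherited --all -o json
# Every name, ID and scope here is invented for the example.
SAMPLE_ASSIGNMENTS = """
[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "principalName": "Foreign Principal for 'Contoso Partner' in Role 'TenantAdmins' (contoso-partner)",
   "principalType": "ForeignGroup", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalId": "22222222-2222-2222-2222-222222222222",
   "principalName": "john.doe_contoso-partner.example#EXT#@customer.example",
   "principalType": "User", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
  {"principalId": "33333333-3333-3333-3333-333333333333",
   "principalName": "alice@customer.example",
   "principalType": "User", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalId": "44444444-4444-4444-4444-444444444444",
   "principalName": "deploy-pipeline-sp",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]
"""


def load_assignments(text):
    """Parse the JSON array emitted by `az role assignment list`."""
    return json.loads(text)


def is_foreign_principal(assignment):
    """True when the assignee is a group from another tenant (a CSP or other
    delegated-admin partner); Azure RBAC reports these as principalType ForeignGroup."""
    return assignment.get("principalType") == "ForeignGroup"


def is_guest_user(assignment):
    """True when the assignee is a B2B guest user: the UPN of a guest carries the
    '#EXT#' marker in front of the inviting tenant's domain."""
    name = assignment.get("principalName") or ""
    return assignment.get("principalType") == "User" and "#EXT#" in name.upper()


def audit(assignments):
    """Split assignments into delegated-partner, guest and everything else."""
    report = {"foreign_principals": [], "guests": [], "other": []}
    for a in assignments:
        entry = (a.get("principalName") or a.get("principalId"),
                 a.get("roleDefinitionName"), a.get("scope"))
        if is_foreign_principal(a):
            report["foreign_principals"].append(entry)
        elif is_guest_user(a):
            report["guests"].append(entry)
        else:
            report["other"].append(entry)
    return report


def partner_guest_warnings(assignments):
    """UPNs of guests to verify with the partner: guest assignments whose scope is
    covered by a ForeignGroup assignment (same scope or a parent scope, since
    RBAC assignments are inherited downwards)."""
    foreign_scopes = [a.get("scope", "").lower()
                      for a in assignments if is_foreign_principal(a)]
    flagged = []
    for a in assignments:
        scope = a.get("scope", "").lower()
        if is_guest_user(a) and any(scope.startswith(s) for s in foreign_scopes):
            flagged.append(a["principalName"])
    return flagged


def main():
    # Pipe real `az` output in; with no input the constructed sample is used.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    assignments = load_assignments(raw if raw.strip() else SAMPLE_ASSIGNMENTS)
    for kind, rows in audit(assignments).items():
        print(f"== {kind} ({len(rows)})")
        for name, role, scope in rows:
            print(f"  {role:<12} {name} @ {scope}")
    for upn in partner_guest_warnings(assignments):
        print(f"CHECK WITH PARTNER: {upn} is a guest in a scope with delegated-partner access")


if __name__ == "__main__":
    main()
```

Run it as `az role assignment list --subscription <id> --include-inherited --all -o json | python3 audit_rbac.py`. A flagged guest is not necessarily a partner employee; the script only tells you where a guest and a Foreign Principal share a scope, which is exactly the combination the partner has to rule out.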
Solution
If you encounter this problem, contact your partner. The partner has to escalate a ticket to Microsoft; at the moment only Microsoft can remove such a role assignment.