Foreign principals and their pitfalls with IAM role assignment

Problem

Owners of a resource in Azure can’t delete the role assignment of an invited guest user who is a member of the Foreign Principal group shown in the Identity and Access Management (IAM) blade. For example, [email protected]: he is an external user of a CSP, namely Partner, which is also in the Foreign Principal group. The CSP is a delegated admin partner of your tenant.

Explanation

If you have delegated admin partners and you create, for example, new subscriptions through a CSP portal, that partner will “automatically” get Owner, Contributor or Reader permissions on those subscriptions.

If you now invite John Doe, an engineer at the delegated admin partner who is already a member of the CSP partner's Foreign Principal group, as a guest user in the tenant, the permissions shown in the IAM blade will be broken.

  • The Foreign Principal group is managed via the CSP's Microsoft Partner Portal (GDAP permissions in the Microsoft Partner Portal).
  • Check with your partner that the invited guest user is not a member of the Foreign Principal group.
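Because membership of the foreign principal is only visible on the partner side, the one thing you can check in your own tenant is which guest users hold role assignments at a scope that a CSP foreign principal also covers. The following script is an added example, not code from the original post; it assumes the JSON field names of `az role assignment list --all -o json` (`scope`, `roleDefinitionName`, `principalType`, `principalName`) and that CSP foreign principals are reported with `principalType` `ForeignGroup`, and it runs here on a constructed sample with placeholder ids and domains.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`
# (only the fields used below; subscription ids, names and domains are placeholders).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "roleDefinitionName": "Owner", "principalType": "ForeignGroup",
     "principalName": "Foreign Principal for 'Partner' in Role 'TenantAdmins' (partner.example)"},
    {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app",
     "roleDefinitionName": "Contributor", "principalType": "User",
     "principalName": "john.doe_partner.example#EXT#@contoso.onmicrosoft.com"},
    {"scope": "/subscriptions/00000000-0000-0000-0000-000000000002",
     "roleDefinitionName": "Reader", "principalType": "User",
     "principalName": "jane.roe_other.example#EXT#@contoso.onmicrosoft.com"},
    {"scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "roleDefinitionName": "Reader", "principalType": "User",
     "principalName": "alice@contoso.com"},
])

def is_guest(principal_name):
    # B2B guests carry the #EXT# marker in the UPN they get in the inviting tenant.
    return "#EXT#" in principal_name.upper()

def covers(parent_scope, child_scope):
    # Azure RBAC inherits downwards: an assignment at /subscriptions/X also
    # applies to every resource group and resource beneath it.
    return child_scope == parent_scope or child_scope.startswith(parent_scope + "/")

def guests_under_foreign_principals(assignments_json):
    """Return guest-user assignments whose scope is also covered by a CSP
    foreign-principal (principalType ForeignGroup) assignment, together with
    the foreign principals involved. These guests are the ones to confirm
    with the partner, since foreign-principal membership is not visible here."""
    assignments = json.loads(assignments_json)
    foreign = [a for a in assignments if a.get("principalType") == "ForeignGroup"]
    findings = []
    for a in assignments:
        if a.get("principalType") != "User" or not is_guest(a["principalName"]):
            continue
        overlapping = [f["principalName"] for f in foreign if covers(f["scope"], a["scope"])]
        if overlapping:
            findings.append({"guest": a["principalName"], "role": a["roleDefinitionName"],
                             "scope": a["scope"], "foreign_principals": overlapping})
    return findings

if __name__ == "__main__":
    for f in guests_under_foreign_principals(SAMPLE_ASSIGNMENTS):
        print(f"{f['guest']} ({f['role']} on {f['scope']}) overlaps with: {f['foreign_principals']}")
```

To run it against your tenant, replace `SAMPLE_ASSIGNMENTS` with the saved CLI output; the guests it reports are the ones to take to the partner before inviting or re-inviting them.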

Solution

If you encounter such a problem or bug, you have to contact your partner. The partner has to escalate the ticket to Microsoft. Only Microsoft can fix that issue at the moment.
