IAM role assignment no users listed

Question

IAM role assignment no users listed

Sam H 1

I’m new to Azure, and am only trying to deploy AVD for personal use, but for some reason I am unable to assign roles to any user (member) in IAM.

For example, when trying to add the “Virtual Machine User Login” role to myself (directory Global Admin) at the Resource Group level, I just get the error message “an error occurred, please try again later” (see screenshot attached).

I’ve looked for support, but the only thing related seems to be about relaxing guest user permissions, which I’ve tried, but as expected didn’t fix my issue. Feel like I’m either missing something simple or something has gone wrong.

Any help would be much appreciated, thanks!

Shweta Mathur 30,276 Reputation points Microsoft Employee

2022-12-05T09:09:06.797+00:00

Hi @Sam H ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta

2 answers

Your answer

Shweta Mathur 30,276 Reputation points Microsoft Employee

2022-12-05T09:09:06.797+00:00

Hi @Sam H ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta

Answer 1

Michael Durkan 12,226 MVP

Hi

its strange that its not working as you are doing it at Resource Group level which is the recommended method. Can you try and create another user in your Azure AD to see if you can assign the role to them?

Alternatively, have you tried assigning the IAM roles directly on the DAG object under "Application Groups"? Does this give the same error?

If this still gives the same error, try creating a new Resource Group in a different Azure Region and see if you can do an IAM assignment directly on that new RG (without creating any resources)

Hope this helps,

Thanks

Michael Durkan

If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

JamesTran-MSFT 36,871 Reputation points Microsoft Employee

2022-11-17T15:57:08.797+00:00

@Sam H
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sam H 1 Reputation point

2022-11-17T21:50:54.653+00:00

Thanks for responding @Michael Durkan !

I can’t create users either, I’ve attached a screenshot of the error I get when trying to create one in Azure AD. I get the same thing when trying to create one using Entra.

I have the same issue trying to add the role from the DAG object as I do from the resource group, see attached screenshot.

It seems most (if not all) identity management actions generate an error. I’ve even created a new directory and still get the same result, again despite being a Global Admin.
Sam H 1 Reputation point

2022-11-17T21:56:04.343+00:00

Unfortunately not @JamesTran-MSFT , any help you could offer would be much appreciated!

Answer 2

@Sam H
Thank you for following up on this and for providing more details on your issue!

When it comes to adding a role assignment to a Resource Group or Resource within your Azure subscription, you'll be leveraging Azure role-based access control (Azure RBAC). For your specific situation, your user must have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner, in order to assign roles. When it comes to you being a Global Administrator, this is strictly related to Azure AD Roles. For more info - How the roles are related.

In order to troubleshoot and resolve your issue, you'll have to check your IAM permissions, either at the Resource Group (AVD) or Resource (AVDPOOL-DAG or HawkAVD) level where you're trying to assign the Virtual Machine User Login role.

From your Resource Group or Resource, select Access Control (IAM).
Select the View my Access button or Role Assignments tab to view your user's permissions
Confirm you're either a User Access Administrator, Owner, or have a role with the /roleAssignments/write permissions permission.

Additional Link:
Assign Azure roles using the Azure portal

If you're still having issues, can you share a screenshot of your IAM permissions (Keeping in mind PII)?
Are you able to assign IAM permissions within different Resource Groups?
Do you own this Subscription or is this a shared subscription?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Sam H 1 Reputation point

2022-11-19T10:01:29.99+00:00

Thanks @JamesTran-MSFT !

The information on role relationships was useful, but I’ve not been able to resolve the issue.

Looking at IAM from my resource group, I have the service administrator role, but not owner or user access administrator. If I attempt to add the role, I get an error (see screenshots below).

This is the same for other resource groups I’ve created as well.

I am the owner of this subscription.
JamesTran-MSFT 36,871 Reputation points Microsoft Employee

2022-11-21T19:06:52.117+00:00

@Sam H
Thank you for the quick follow up on this and for sharing some more info!

Since you have the Service Administrator role and are the owner of the subscription, you should have the appropriate permissions to add additional roles to your resource group/resource. Since your members list is still not populating, I'd recommend working closer with our support engineers to get this issue resolved.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Eliot Cole 71 Reputation points

2025-04-09T18:50:12.1533333+00:00

I think that this MIGHT have something to do with having the Entra ID role of 'Directory Reader' ... not sure, though.

Share via

IAM role assignment no users listed

2 answers

Your answer