Can't see list of users or groups when adding permissions in Access Control in the Azure portal

This article provides information about an issue in which you can't see the list of users or groups when adding permissions in Access Control (IAM) in the Azure portal.

Original product version:   Azure
Original KB number:   4229970

Symptoms

When you try to add permissions in IAM in the Azure portal, you cannot see the list of users or groups.

Cause

This issue occurs because the account that you used to sign in to the Azure portal does not have enumeration permission. This account might be a guest user who was invited to the directory in which you are trying to give access to other Azure resources. Even if this guest user is a global administrator, they still will not have enumeration permission.

Resolution

To resolve this issue, use one of the following methods:

Method 1: To allow all guest users enumeration privileges

  1. Sign in to the Azure portal by using a Global Administrator account.
  2. If applicable, switch to the directory where the guest user was added.
  3. Go to Microsoft Entra ID.
  4. Go to User Settings.
  5. Change the Guest users permissions are limited setting to No, and then select Save.

Method 2: To allow only one guest user, or to configure on a per-user basis

Note

Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

  1. Open Windows PowerShell.

  2. Run the following cmdlet:

    Import-Module AzureAd
    

    Make sure that the Azure Active Directory PowerShell for Graph is installed. For more information, see Azure Active Directory PowerShell for Graph.

  3. As a global administrator of the directory where the guest user was added, connect to Azure AD PowerShell and the directory:

    Connect-AzureAD -TenantId 'Tenant_Directory_Id'
    

    You can get the Tenant ID by looking at your Microsoft Entra ID Properties in the Azure portal.

  4. Run the following cmdlet:

    Set-AzureADUser -ObjectId 'User_Object_Id' -UserType Member
    

    You can get the user's Object ID by looking at the user's Profile page within the Azure portal.
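Because the note above recommends Microsoft Graph PowerShell over the deprecated AzureAD module, here is Method 2 written against the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article: the function name Set-GuestUserTypeToMember is hypothetical, and it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed. Changing UserType to Member gives the account the directory's default member permissions, so the function checks the current type, asks for confirmation, and reads the object back.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

# Hypothetical helper (added example): Graph SDK equivalent of
#   Set-AzureADUser -ObjectId 'User_Object_Id' -UserType Member
function Set-GuestUserTypeToMember {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TenantId,      # directory where the guest user was added
        [Parameter(Mandatory)] [string] $UserObjectId   # Object ID from the user's Profile page
    )

    # Sign in as an administrator of that directory; this scope allows updating user objects.
    Connect-MgGraph -TenantId $TenantId -Scopes 'User.ReadWrite.All' | Out-Null

    # userType is not in the default property set, so request it explicitly.
    $props = 'Id', 'DisplayName', 'UserPrincipalName', 'UserType'
    $user  = Get-MgUser -UserId $UserObjectId -Property $props -ErrorAction Stop

    # Only touch accounts that are currently guests; report anything else unchanged.
    if ($user.UserType -ne 'Guest') {
        Write-Warning "$($user.UserPrincipalName) has UserType '$($user.UserType)'; nothing to change."
        return $user | Select-Object $props
    }

    # ConfirmImpact = 'High' prompts before the change; -WhatIf shows it without applying it.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Change UserType from Guest to Member')) {
        Update-MgUser -UserId $user.Id -UserType 'Member' -ErrorAction Stop
    }

    # Read the object back so the output reflects what the directory now stores.
    Get-MgUser -UserId $user.Id -Property $props | Select-Object $props
}

# Placeholders as used in the article; replace them with real values before running.
Set-GuestUserTypeToMember -TenantId 'Tenant_Directory_Id' -UserObjectId 'User_Object_Id'
```

Run the function with -WhatIf first to confirm which account would be changed.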
