How to manually correct CSP RBAC roles in Azure after transfer.

Summary

When transferring a CSP Azure plan, Microsoft currently doesn’t remove the old CSP and adds the new CSP in the roles. This has to be changed manually but will be automated in the future. This article will describe how you can do this.

Prerequisites

A local administrator account on the subscription with the Owner role;
Copaco Cloud B.V. is not yet listed as Owner;
Subscription has to be transferred to Copaco Cloud B.V.

If your local admin can not access the subscription, you can use elevated admin access to gain access.
Once you activated this you can access ALL resources as admin and add yourself as “owner” before removing Elevated access again.
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Getting Started

Open Windows PowerShell as Administrator on your local computer.

Run the following command where “EXAMPLE.onmicrosoft.com” is your tenant.

CODE

Install-Module -Name Az.Resources -Force -Verbose
Import-Module -Name Az.Resources -Verbose -MinimumVersion 4.1.1
Connect-AzAccount -Tenant "EXAMPLE.onmicrosoft.com"

Login with the local administrator account (not the global reseller account).

Run the following command where “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX” is your Azure subscription ID, do not change the ObjectId.

POWERSHELL

Set-AzContext -SubscriptionId "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
New-AzRoleAssignment -ObjectId "b3132976-b568-4bcd-9528-2f61053d1cce" -RoleDefinitionName "Owner" -Scope "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX" -ObjectType "ForeignGroup"

Repeat step 4 for every subscription that is lacking our roles.
Remove any old CSP roles that are no longer needed on the subscription by selecting the role and clicking Remove.

If you are experiencing issues please contact support or mail us at support@copaco.cloud and we will assist you.