Skip to main content
Skip table of contents

How to manually correct CSP RBAC roles in Azure after transfer.


When transferring a CSP Azure plan, Microsoft currently doesn’t remove the old CSP and adds the new CSP in the roles. This has to be changed manually but will be automated in the future. This article will describe how you can do this.


  • A local administrator account on the subscription with the Owner role;

  • Copaco Cloud B.V. is not yet listed as Owner;

  • Subscription has to be transferred to Copaco Cloud B.V.

If your local admin can not access the subscription, you can use elevated admin access to gain access.
Once you activated this you can access ALL resources as admin and add yourself as “owner” before removing Elevated access again.

Getting Started

  1. Open Windows PowerShell as Administrator on your local computer.

  2. Run the following command where “” is your tenant.

    Install-Module -Name Az.Resources -Force -Verbose
    Import-Module -Name Az.Resources -Verbose -MinimumVersion 4.1.1
    Connect-AzAccount -Tenant ""

  3. Login with the local administrator account (not the global reseller account).

  4. Run the following command where “XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX” is your Azure subscription ID, do not change the ObjectId.

    New-AzRoleAssignment -ObjectId "b3132976-b568-4bcd-9528-2f61053d1cce" -RoleDefinitionName "Owner" -Scope "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX" -ObjectType "ForeignGroup"

  5. Repeat step 4 for every subscription that is lacking our roles.

  6. Remove any old CSP roles that are no longer needed on the subscription by selecting the role and clicking Remove.

If you are experiencing issues please contact support or mail us at and we will assist you.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.