Commit 571bcab

Merge pull request #212571 from rolyon/rolyon-rbac-troubleshooting-managed-identities-group
[Azure RBAC] Troubleshooting role assignments changes for managed identities and groups
2 parents ae2c330 + 6cc09e1 commit 571bcab

1 file changed: +12 -4 lines changed

articles/role-based-access-control/troubleshooting.md

Lines changed: 12 additions & 4 deletions
@@ -9,7 +9,7 @@ ms.service: role-based-access-control
99
ms.workload: identity
1010
ms.tgt_pltfrm: na
1111
ms.topic: troubleshooting
12-
ms.date: 09/13/2022
12+
ms.date: 09/26/2022
1313
ms.author: rolyon
1414
ms.custom: seohack1, devx-track-azurecli, devx-track-azurepowershell
1515
---
@@ -244,18 +244,26 @@ After you move a resource, you must re-create the role assignment. Eventually, t
244244

245245
### Symptom - Role assignment changes are not being detected
246246

247-
You recently added or updated a role assignment, but the changes are not being detected.
247+
You recently added or updated a role assignment, but the changes are not being detected. You might see the message `Status: 401 (Unauthorized)`.
248248

249-
**Cause**
249+
**Cause 1**
250250

251251
Azure Resource Manager sometimes caches configurations and data to improve performance. When you assign roles or remove role assignments, it can take up to 30 minutes for changes to take effect.
252252

253-
**Solution**
253+
**Solution 1**
254254

255255
If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
256256

257257
If you are add or remove a role assignment at management group scope and the role has `DataActions`, the access on the data plane might not be updated for several hours. This applies only to management group scope and the data plane.
258258

259+
**Cause 2**
260+
261+
You added managed identities to a group and assigned a role to that group. The back-end services for managed identities maintain a cache per resource URI for around 24 hours.
262+
263+
**Solution 2**
264+
265+
It can take several hours for changes to a managed identity's group or role membership to take effect. For more information, see [Limitation of using managed identities for authorization](../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).
266+
259267
## Custom roles
260268

261269
### Symptom - Unable to update a custom role
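
Review bot: The added Cause 2 and Solution 2 give two different durations for the same delay: Cause 2 says the back-end cache per resource URI lasts "around 24 hours", while Solution 2 says changes take "several hours" to take effect. Use one figure in both places so a reader knows how long to wait before treating a persistent 401 as a real misconfiguration. Solution 2 also gives the reader no action, only a restatement of the delay and a link; state the expected step in this section (even if it is only to wait out the cache) rather than leaving it to the linked page. The new symptom sentence adds `Status: 401 (Unauthorized)` without saying which of the two causes produces it, so say whether it applies to both. While this section is being edited, the unchanged context line "If you are add or remove a role assignment at management group scope" has a grammar error that could be fixed in the same change.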