Change the default behavior of "Guest user access restrictions (Preview)"
With the introduction of this new feature, it is no longer possible for Guest Accounts to administer RBAC for Subscriptions, Resource Groups or Resources that they were administering before the change due to the fact that they are the owner of the resource.
Even without the possibility to browse the content of AD, and with some limitations (e.g. Application Identities), an external Guest Account was able to provide access to owned Azure resources. With the introduction of "Guest user access restrictions (Preview)" this is no longer possible, and when a Guest Account clicks the "Add Role Assignment" button a generic error appears.
The same problem (but with a different error) occurs when RBAC is administered with Azure CLI.
It seems that the only ways to fix these problems are:
- Change the UserType of the external Account from Guest to Member (via PowerShell)
- Change the default option of the "Guest user access restrictions (Preview)" to the less restrictive one ("Guest users have the same access as members (Less Restrictive)")
However, this is not a practical approach for partners and consultants that are administering Azure Resources for their customers.
(This problem was verified directly with MS Support after opening a ticket)