
Entra ID issue

Michael Lauretta 0 Reputation points
2026-06-15T01:52:13.9433333+00:00

Hey everyone. I'm looking for some guidance within Entra ID. I accidentally went from a Global user to an internal user, and now every time I log into Azure I get token errors, along with it being degraded. Is there any way that I can reverse it, or do I need to start over?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. VEMULA SRISAI 13,415 Reputation points Microsoft External Staff Moderator
    2026-06-15T03:33:00.8533333+00:00

    Hello Michael Lauretta,

    This behavior is expected if the account was changed from internal (member) to external/guest or vice‑versa, as it impacts how the user is authenticated in Entra ID.

    When this change happens, the original sign-in context (UPN / identity provider) may no longer match, which leads to token errors while accessing Azure portal.

    If the issue still persists, note that simply changing the UserType back does not fully revert the authentication flow. In such cases, the recommended approach is to:

    • Properly convert the account back to internal, or
    • Recreate the account and reassign roles/permissions

    If this is the only Global Admin account and access is blocked, please let us know.


  2. AI answer

    2026-06-15T01:52:24.8+00:00

    Changing a user from Global Administrator to a lower-privileged “internal” role doesn’t require starting over, but it can break access and cause sign-in or token issues until the correct roles and settings are restored.

    Based on the symptoms (token errors when signing in to Azure), the most likely causes and actions are:

    1. Role/permissions issue (lost Global Admin rights)
      If the account no longer has Global Administrator (or another admin role with the required permissions), operations that previously worked can now fail with token or access errors.
      • Ask another Global Administrator in the tenant to:
        1. Sign in to the Microsoft Entra admin center.
        2. Go to Identity → Users → All users.
        3. Open the affected user account.
        4. Reassign the appropriate directory roles (for example, Global Administrator or another required admin role).
      • After the role is restored, sign out of all sessions and sign back in to Azure.
    2. Authentication/token issue (AADSTS50000 and similar)
      If the token errors are of the form AADSTS50000: There was an error issuing a token or an issue with our sign-in service, common causes include password or request configuration issues:
      • If this is a hybrid/federated environment, ensure the password is valid and in sync; if needed, reset the password and sign in again.
      • If the errors occur when calling APIs or using tools that acquire tokens (for example, on-behalf-of flows), verify that the app registration and token request parameters (client ID, scopes, redirect URI, etc.) are still correct and that the account still has consent/permissions.
    3. If the account is the only Global Admin and is now downgraded
      If no other Global Administrator exists to restore the role, the tenant is effectively locked out of admin-level changes. In that case, follow the Microsoft support/data protection path (outside this content) to regain admin access; this does not require recreating the tenant, but does require ownership verification.

    There is no need to “start over” with a new tenant in normal circumstances. Restoring the correct directory role and ensuring the account’s password and token flows are valid should resolve the degraded experience and token errors.

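A read-only check covering the causes raised in both answers above (account type or sign-in identity changed, directory role lost, no other Global Administrator), as an added example that is not part of the thread. It assumes the Microsoft Graph PowerShell SDK is installed and that it is run by an administrator who can still sign in; `user@contoso.example` is a placeholder for the affected account.

```powershell
# Added example (not from the thread): read-only diagnosis of the affected account.
# Assumption: Microsoft.Graph module installed; run by an admin who can still sign in.
$AffectedUser = 'user@contoso.example'   # placeholder: UPN or object ID of the account

Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

# 1. How the directory currently classifies the account (Member vs. Guest) and
#    which sign-in identities it carries. A mismatch here is the case answer 1 describes.
$props = 'id', 'displayName', 'userPrincipalName', 'userType',
         'accountEnabled', 'externalUserState', 'identities'
$user = Get-MgUser -UserId $AffectedUser -Property $props
$user | Select-Object DisplayName, UserPrincipalName, UserType,
                      AccountEnabled, ExternalUserState | Format-List
$user.Identities | Select-Object SignInType, Issuer, IssuerAssignedId | Format-Table

# 2. Directory roles the account still holds (the case answer 2 describes).
$roles = Get-MgUserMemberOf -UserId $user.Id -All | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole'
}
$roleNames = @($roles | ForEach-Object { $_.AdditionalProperties['displayName'] })

# 3. Whether any other account is Global Administrator, which decides between
#    an in-tenant fix and the support path for a locked-out tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator template
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = @()
if ($gaRole) {
    $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
}
$otherAdmins = @($gaMembers | Where-Object { $_.Id -ne $user.Id })

# Summary object so the result can be logged or attached to a support case.
[pscustomobject]@{
    User                    = $user.UserPrincipalName
    UserType                = $user.UserType
    AccountEnabled          = $user.AccountEnabled
    SignInIssuers           = ($user.Identities.Issuer | Sort-Object -Unique) -join ', '
    ActiveDirectoryRoles    = $roleNames -join ', '
    StillGlobalAdmin        = [bool]($gaMembers.Id -contains $user.Id)
    OtherGlobalAdminCount   = $otherAdmins.Count
}

Disconnect-MgGraph | Out-Null
```

This lists active directory role assignments only; roles that are merely eligible through Privileged Identity Management do not appear in it.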
