Powershell – Set-msoluser: why “Access Denied”

Tags: azure, powershell

I have an Azure account with a user "rmuser" that I've created specifically for automated shutdowns of VMs. That user's password expired so VMs stopped being shut down. I've manually changed the password so the account accepts logins again. I found this and started working through it.

In that process, instead of Select-AzureSubscription, which I couldn't get to accept the subscription ID, I used Add-AzureAccount after which Get-AzureSubscription showed I was working with the correct subscription. I had to provide the credentials for my own account since that's what the subscription is under, however I can't use this account for 'Connect-MsolService' because it's one created elsewhere, and though I don't understand it I'm aware the account is treated differently from one created in Azure.

To get the credential for 'Connect-MsolService' I gave the rmuser account name and password when prompted by Get-Credential and got no error when doing Connect-MsolService. So I'm in the right AD, and that user has the Global Administrator role. However, if I call Set-MsolUser I get an error: "Set-msoluser : Access Denied. You do not have permissions to call this cmdlet."

I'm running PowerShell explicitly as administrator. I've read that the error can be caused by the specified username not being found, so I've confirmed with Get-MSOLUser that the user is found. I've also tried just changing the Department field in case there's an issue specifically with the PasswordNeverExpires field. I've read elsewhere that execution policy may be an issue, so I've set that to unrestricted. I'm somewhat stumped as to what to do next. Does anyone know what's going on and where to go from here?

Best Answer

Based on your description, I tested this in my lab, and I get the same error log if my Azure AD user does not have the Global administrator directory role.


You could check the permission in the new Azure Portal. Find it under Azure Active Directory --> Users and Groups --> All Users --> Your User --> Directory role.

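The directory-role check from the answer above can also be done from the same MSOnline session. This is an added example, not part of the original answer. It assumes the MSOnline module is loaded and Connect-MsolService has already succeeded; the function name Test-MsolGlobalAdmin and the UPN are hypothetical placeholders.

```powershell
# Added example: run after Connect-MsolService in the same PowerShell session.
# 'rmuser@contoso.onmicrosoft.com' is a placeholder UPN, not a value from the post.

function Test-MsolGlobalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    # MSOnline lists the portal's "Global administrator" role as "Company Administrator".
    $adminRole = Get-MsolRole -RoleName 'Company Administrator' -ErrorAction Stop

    # Directory roles assigned to the account being checked.
    $userRoles = @(Get-MsolUserRole -UserPrincipalName $UserPrincipalName -ErrorAction Stop)

    # Compare by ObjectId rather than by display name.
    $isAdmin = [bool]($userRoles | Where-Object { $_.ObjectId -eq $adminRole.ObjectId })

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Roles             = ($userRoles | ForEach-Object { $_.Name }) -join ', '
        IsGlobalAdmin     = $isAdmin
    }
}

$result = Test-MsolGlobalAdmin -UserPrincipalName 'rmuser@contoso.onmicrosoft.com'
$result | Format-List

if (-not $result.IsGlobalAdmin) {
    # Matches the condition under which the answer reproduced "Access Denied".
    Write-Warning "$($result.UserPrincipalName) does not hold the Company Administrator role in this directory."
}
```

An empty Roles value means the account has no directory role in the tenant the session is connected to, which is the case the answer reproduced.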