Troubleshooting

The behaviors users most often question on the Role Assignments page, and what to check when something looks wrong.

A user I expected to see isn't in the Principals list

Three things to check, in order:

1. If the missing identity is a service principal, confirm Service Principal is selected in the Principal Type filter. Service principals are excluded from the default view.
2. Confirm the user actually has at least one role assignment in the selected scan. Principals with no assignments at all do not appear here. If access was added recently, switch the Scan picker to a more recent scan, or wait for the next scan to complete.
3. If the user only has access via group membership, group resolutions may still be cold immediately after a scan. Reload after a short wait.

My filter combination shows zero principals

Filters use AND across categories, so adding a fourth filter is often what empties the list. Try removing one filter at a time. The Source filter is a common culprit: if you set it to Direct while looking at access that arrived only via groups, no one will match.

The badge counts don't match the cards I see in the panel

View in Explorer is missing on a card

Some assignment scopes (typically management groups) don't have a direct counterpart in the Resource Explorer. Rather than render a broken link, the button is hidden on those cards. The assignment information itself is still complete.

Why is a user listed who left the company?

The page reflects Azure RBAC at the time of the selected scan. If the role assignment hasn't been removed from Azure, it will appear here even if the underlying identity is disabled. Treat this as a signal to clean up the assignment in Azure AD. The user's presence on the page is the audit working as intended.