Azure RBAC – Error: “Cannot delete the last RBAC admin assignment” - The Legend of Hanuman



Recently I was facing an error message while working on new role assignments in Azure. I experienced this error…


…I found more details in the Audit Log of the Azure subscription like this…


At first I didn’t quite realize what it was all about, but after a short moment I understood what was going on.

I had a subscription with two owners assigned; additionally, there were other RBAC assignments inherited from the parent management group assignments…


I tried to remove the service principal…


…which was successful, but then I tried to remove User01 as well. Keep in mind that other permissions were inherited from the management groups above…


I could not remove the owner permission from the subscription; I was facing the error mentioned at the beginning.

So what is the deal?

Well, think about it: how would you control the subscription if the last owner were removed? A subscription can be moved out of the management group tree, at which point it would lose all its inherited permissions. The only way to control or remove the last owner would then be if you are Global Administrator for the tenant or a classic administrator (Service Administrator or Co-Administrator) for the subscription. This is clearly stated in the Microsoft documentation. Hope this saves some time – happy Azure-ing!
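A pre-flight check for the situation described above, as an added example that is not part of the original post. It models the rule as the post describes it: inherited Owner assignments do not count, and the caller is neither Global Administrator nor a classic administrator. The sample data, IDs and function names are constructed for illustration; the field names follow the JSON returned by `az role assignment list`.

```python
# Constructed sample: subscription ID, management group name, principal names
# (other than User01) and assignment ids are placeholders, not real values.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MG = "/providers/Microsoft.Management/managementGroups/mg-example"
ASSIGNMENTS = [
    {"id": "ra-sp", "principalName": "ServicePrincipal01",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"id": "ra-user01", "principalName": "User01",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"id": "ra-mg", "principalName": "PlatformAdmins",
     "roleDefinitionName": "Owner", "scope": MG},  # inherited from the tree
    {"id": "ra-rg", "principalName": "User02",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-example"},
]


def direct_owners(assignments, sub_scope):
    """Owner assignments made on the subscription itself (not inherited, not child scopes)."""
    want = sub_scope.rstrip("/").lower()
    return [a for a in assignments
            if a["roleDefinitionName"] == "Owner"
            and a["scope"].rstrip("/").lower() == want]


def removal_blocked(assignments, sub_scope, assignment_id):
    """True if deleting assignment_id would remove the last direct Owner."""
    owners = direct_owners(assignments, sub_scope)
    is_direct_owner = any(a["id"] == assignment_id for a in owners)
    remaining = [a for a in owners if a["id"] != assignment_id]
    return is_direct_owner and not remaining


def simulate(assignments, sub_scope, removal_order):
    """Replay a sequence of removals and report which ones would be refused."""
    current, results = list(assignments), []
    for aid in removal_order:
        blocked = removal_blocked(current, sub_scope, aid)
        results.append((aid, "blocked" if blocked else "removed"))
        if not blocked:
            current = [a for a in current if a["id"] != aid]
    return results


if __name__ == "__main__":
    # Same order as in the post: service principal first, then User01.
    for aid, outcome in simulate(ASSIGNMENTS, SUB, ["ra-sp", "ra-user01"]):
        print(f"{aid}: {outcome}")
```

Running the check against real `az role assignment list` output before a cleanup shows which Owner assignment has to stay, or be replaced by another direct Owner first.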



