If you're a Global Administrator and Owner in Azure but are unable to manage access to all subscriptions and management groups with a message stating that "Your organization is protected by security defaults," this likely means that Azure AD Security Defaults are enabled. Security defaults are a set of basic security settings that include enforcing multi-factor authentication (MFA) and limiting certain administrative functions, including elevated permissions management.
Here’s why this might affect your ability to manage access and why the "Save" button might be grayed out:
Why Security Defaults Impact Access Management:
1. Role Assignment Restrictions: With security defaults enabled, certain high-privilege actions (such as managing access to subscriptions and management groups) might require stricter controls like multi-factor authentication or specific conditions that may not be satisfied if you're accessing from an untrusted device or location.
2. Conditional Access Policies Conflicting: Even though security defaults provide basic protection, there may also be custom Conditional Access policies in place that further restrict what Global Admins can do.
Steps to Resolve:
1. Confirm MFA is Enabled: Security defaults require all users, including Global Admins, to use multi-factor authentication (MFA). Ensure you have completed MFA enrollment, or check if MFA enforcement is preventing you from saving changes.
- Go to Azure Active Directory > Users.
- Check if MFA is enabled for your account. If not, follow the prompts to complete MFA setup.
2. Check for Conditional Access Policies: Conditional Access policies might be applied that prevent changes from being made under certain conditions (such as accessing Azure from a non-compliant location or device).
- Go to Azure Active Directory > Security > Conditional Access.
- Review the policies to see if any are restricting your access to manage resources.
3. Elevated Access for Azure Resources: If you have security defaults enabled, ensure that you have elevated access to manage all Azure subscriptions:
- Go to Azure Active Directory > Properties.
- Under Access management for Azure resources, enable the option to allow Global Admins to access all subscriptions.
- Sign out and sign back in to apply the changes.
4. Temporarily Disable Security Defaults (If Allowed): If necessary and you have approval, you can disable Security Defaults to see if it resolves the issue:
- Go to Azure Active Directory > Properties.
- Under Manage Security Defaults, turn off security defaults (if this is allowed by your organization's security policy).
5. Check Role Assignments for Management Groups: Management groups may have specific roles assigned at a higher level that prevent even Global Administrators from making changes.
- Go to Management Groups in the Azure portal.
- Check the Access control (IAM) for the management groups you are having issues with to ensure your account is assigned the correct role.
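The checks in steps 1 to 5 can also be run from a terminal instead of clicking through the portal, which makes the result easy to record for the security team. The script below is an added example, not part of the original answer, and uses the Azure CLI (`az rest` against Microsoft Graph and Azure Resource Manager, `az role assignment list`). It assumes `az login` has already been done as the Global Administrator; `MGMT_GROUP_ID` and `ADMIN_UPN` are placeholders to replace, and `RUN_AZ_CHECKS`, `next_step` and the other function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: scripted version of the portal checks in the answer above.
# Assumptions: az is installed and `az login` has been run as the Global Admin;
# MGMT_GROUP_ID and ADMIN_UPN are placeholders you replace before running.
set -eu

MGMT_GROUP_ID="${MGMT_GROUP_ID:-<management-group-id>}"
ADMIN_UPN="${ADMIN_UPN:-<admin@example.com>}"

# Step 4 precondition: is the tenant-wide Security Defaults policy switched on?
security_defaults_enabled() {
  az rest --method get \
    --url "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" \
    --query isEnabled -o tsv
}

# Step 2: names of Conditional Access policies that are actually enforced
# (state == enabled). Report-only and disabled policies cannot block a save.
enabled_ca_policies() {
  az rest --method get \
    --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    --query "value[?state=='enabled'].displayName" -o tsv
}

# Step 3: the portal toggle "Access management for Azure resources" calls the
# elevateAccess API, which grants the caller User Access Administrator at root ("/").
has_root_uaa() {
  local n
  n=$(az role assignment list --assignee "$ADMIN_UPN" --scope / \
        --role "User Access Administrator" --query "length(@)" -o tsv)
  [ "$n" -gt 0 ] && echo yes || echo no
}

elevate_access() {
  az rest --method post \
    --url "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
}

# Step 5: effective role assignments on the management group, inherited ones included.
mg_role_assignments() {
  az role assignment list --assignee "$ADMIN_UPN" --include-inherited \
    --scope "/providers/Microsoft.Management/managementGroups/$MGMT_GROUP_ID" -o table
}

# Pure decision helper (no az calls) so the reasoning is readable and testable:
# inputs are the three findings above, output is the step to take next.
next_step() {
  local defaults="$1" ca_count="$2" root_uaa="$3"
  if [ "$root_uaa" != "yes" ]; then
    echo "elevate"          # step 3: no root User Access Administrator assignment yet
  elif [ "$ca_count" -gt 0 ]; then
    echo "review-ca"        # step 2: an enforced CA policy may be blocking the save
  elif [ "$defaults" = "true" ]; then
    echo "mfa-or-defaults"  # steps 1/4: complete MFA, or get approval to change defaults
  else
    echo "check-mg-roles"   # step 5: look at the management group's own assignments
  fi
}

# Guarded so that sourcing the file for its functions does not trigger live calls.
if [ "${RUN_AZ_CHECKS:-0}" = "1" ]; then
  defaults=$(security_defaults_enabled)
  ca=$(enabled_ca_policies | grep -c . || true)
  uaa=$(has_root_uaa)
  echo "security defaults: $defaults; enabled CA policies: $ca; root UAA: $uaa"
  echo "next step: $(next_step "$defaults" "$ca" "$uaa")"
  [ "$uaa" = "no" ] && elevate_access && echo "Sign out and back in, then re-run."
  mg_role_assignments
fi
```

Run it with `RUN_AZ_CHECKS=1 ADMIN_UPN=you@tenant ./check.sh`; without that variable the file only defines functions. Elevating access is itself a privileged change, so keep the output of the first run as the record of what was changed and why.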
Notes:
- Security defaults are intended to protect your organization, so consult with your security team before making changes to these settings.
- Conditional Access policies can be more granular, and there may be other policies preventing access from specific IP addresses, devices, or locations.
By reviewing these settings, you should be able to determine why access is restricted and resolve the issue.