Is there any way to assign system-managed identity at management group?

Alvin Leung 171 Reputation points
2022-10-03T05:37:07.377+00:00

Same as title


Accepted answer
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-10-03T18:42:15.433+00:00

    @Alvin Leung
    Thank you for your post!

    When it comes to assigning a system-managed identity at the Management Group scope, you should be able to reference our Assign Azure roles using Azure PowerShell documentation to accomplish this.

    Prerequisites:

    To assign roles, you must have:

    • Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner.
    • PowerShell in Azure Cloud Shell or Azure PowerShell.
    • The account you use to run the PowerShell command must have the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions.

    # Get the system-managed identity Object (principal) ID
    # You can also find the Object ID by navigating to the resource with the system-assigned identity (i.e. VM).
    Get-AzADServicePrincipal -ObjectId <String>

    # Select the appropriate role - list the details of a particular role.
    Get-AzRoleDefinition -Name <roleName>

    # Identify the needed scope - management group scope
    Get-AzManagementGroup

    # Assign role
    New-AzRoleAssignment -ObjectId <String> -RoleDefinitionName <roleName> -Scope /providers/Microsoft.Management/managementGroups/<groupName>


    Additional Links:

    Assign a role for a user at a management group scope - Example
    Get-AzADServicePrincipal
    New-AzRoleAssignment
    Scope examples
    Scope and ARM templates

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


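The procedure in the accepted answer carried through end to end, as an added example that is not part of the original answer: it resolves a VM's system-assigned identity, checks that the role is assignable at the management group, skips the assignment if it already exists, and lists what the identity holds afterwards. The resource group, VM, management group and role names are constructed assumptions.

```powershell
# Added example (not from the original answer): grant a VM's system-assigned identity
# a built-in role at a management group, with the checks a reviewer would want.
# Assumed/constructed values: the resource group, VM, management group and role names.
$vmResourceGroup = 'rg-app-prod'        # assumption
$vmName          = 'vm-app-01'          # assumption
$mgName          = 'mg-landing-zones'   # assumption
$roleName        = 'Reader'             # narrowest built-in role that fits; MG-scope rights inherit to every subscription below

# 1. Resolve the system-assigned identity's object (principal) ID from the resource itself.
$vm = Get-AzVM -ResourceGroupName $vmResourceGroup -Name $vmName
$principalId = $vm.Identity.PrincipalId
if (-not $principalId) { throw "VM $vmName has no system-assigned identity enabled." }

# 2. Confirm the principal is visible in the directory (this is where Directory.Read.All is needed).
$sp = Get-AzADServicePrincipal -ObjectId $principalId

# 3. Build the management group scope from the group object rather than hand-typing it.
$mg    = Get-AzManagementGroup -GroupName $mgName
$scope = $mg.Id   # '/providers/Microsoft.Management/managementGroups/<groupName>'

# 4. Confirm the role can be assigned at this scope (only custom roles carry restricted AssignableScopes).
$role = Get-AzRoleDefinition -Name $roleName
if ($role.IsCustom -and -not ($role.AssignableScopes -contains $scope -or $role.AssignableScopes -contains '/')) {
    throw "Custom role '$roleName' is not assignable at $scope."
}

# 5. Idempotent assignment: skip if an identical direct assignment already exists at this scope.
#    Get-AzRoleAssignment also returns inherited assignments, so filter on the exact scope.
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq $roleName }
if ($existing) {
    Write-Output "Assignment already present: $($existing.RoleAssignmentId)"
} else {
    $assignment = New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $scope
    Write-Output "Created assignment $($assignment.RoleAssignmentId) for $($sp.DisplayName) at $scope"
}

# 6. Review everything this identity now holds, at any scope, so over-broad grants stand out.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```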
1 additional answer
  1. Alistair Ross 7,466 Reputation points Microsoft Employee
    2022-10-03T08:50:56.367+00:00

    Hello @Alvin Leung

    I'm not exactly sure on the question as it can be interpreted at least two ways.

    1. Can you assign permissions to a system managed identity at a management group. Yes, you can assign permissions to users, groups, service principals, user and system assigned managed identities to Management Groups, subscriptions, resource groups and resources.
    2. Can you assign / give a management group a system managed identity. No, a managed identity is assigned to an Azure Resource that performs actions, such as a Virtual Machine getting secrets from Key Vault. A Management group is an organizational container for grouping management groups and subscriptions for assigning policies and permissions.

    kind regards

    Alistair Ross

