How can I assign RBAC roles on the Tenant Root Management Group?

Question

How can I assign RBAC roles on the Tenant Root Management Group?

AxD 671

I'd like to assign two of my users to the Contributor role on the Tenant Root Group management group scope, in order for that role assignment to span all my subscriptions.

However, I don't see any option to add role assignments on the Tenant Root Group management group scope.

How can I do this?

Your answer is appreciated.

Accepted answer

0 additional answers

Your answer

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@AxD Thank you for your post and I apologize for the delayed response!

When it comes to assigning users the Contributor role at the Management Group scope, you should be able to follow our Assign Azure roles using Azure PowerShell documentation to accomplish this.

Prerequisites To assign roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner.
PowerShell in Azure Cloud Shell or Azure PowerShell.
The account you use to run the PowerShell command must have the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions.
Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner.

#Determine who needs access - Azure AD user
Get-AzADUser -StartsWith &lt;userName&gt;

#Select the appropriate role - List the details of a particular role.
Get-AzRoleDefinition -Name &lt;roleName&gt;

#SIdentify the needed scope - Management group scope
Get-AzManagementGroup

#Assign role
New-AzRoleAssignment -SignInName &lt;emailOrUserprincipalname&gt; -RoleDefinitionName &lt;roleName&gt; -Scope /providers/Microsoft.Management/managementGroups/&lt;groupName&gt;

Additional Links: Assign a role for a user at a management group scope - Example az role assignment CLI Scope examples Scope and ARM templates

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-08-09T16:10:14.127+00:00

@AxD
I just wanted to check in and see if you had any other questions?
AxD 671 Reputation points

2022-08-09T19:53:34.69+00:00

Thank you very much, James, for reaching out to me on my issue!

I was busy today with some other task but will try tomorrow ASAP.

Just to make sure: So I won't be able to edit or inspect such role assignment to the Tenant Root Management group by visiting the Azure portal?
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-08-10T17:29:51.983+00:00
@AxD
Thank you for following up on this!

I didn't realize that I forgot to mention the Azure Portal steps to assign a role at the Management Group scope, so I'll share the steps below.

Navigate to your Azure Portal

In the top search bar, search Management Groups

Select the Management Group (i.e. Tenant Root Group) you want to assign the RBAC role to

Select Access Control (IAM) -> Select Add -> Select Add Role Assignment

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
AxD 671 Reputation points

2022-08-11T09:24:38.293+00:00

Ah, I see now …

Given your valuable information I can now see that I missed to elevate myself to the User Access Administrator role.

That's why I didn't get the Access Control (IAM) menu on the left for this directory item:

Thank you for enlightening me! Your assistance was very helpful to me.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-08-11T15:55:36.737+00:00
@AxD
Thank you for following up on this and I'm glad that I was able to help point you in the right direction! I'll share the elevate access steps below, so others referencing this thread can easily find the solution.

Elevate access for a Global Administrator:

Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator. If you are using Azure AD PIM, activate your Global Administrator role assignment.

Open Azure Active Directory.

Under Manage, select Properties.

Under Access management for Azure resources, set the toggle to Yes

Additional Link:
Root management group for each directory

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution. Additionally, feel free to take a survey on the relevant answer, and help us improve by leaving feedback verbatim as well.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-08-12T14:29:45.957+00:00

@AxD
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
AxD 671 Reputation points

2022-08-15T09:23:17.977+00:00

Thank you, James, for getting back on this issue.

Please pardon me; I missed to accept your answer. Did that now :)

Share via

How can I assign RBAC roles on the Tenant Root Management Group?

0 additional answers

Your answer