Management Groups Unavailable in Tenant: Limited Account Control and Organization

Question

Management Groups Unavailable in Tenant: Limited Account Control and Organization

Danny Heinrich 0

An issue has emerged in the tenant's account management system, as indicated by the error message: "Management Groups are not enabled in this tenant." Without this essential feature, managing and organizing resources within the tenant becomes a challenging task.

I since yesterday try to figure out how i can access the Group Management. I'm a "Global Administrator" and already granted to "Access management for Azure resources".

Going in Azure to Home > Management Groups > Overview: I see he infinity ring.

Going to Azure to Home > Management Groups > Settings: And hit "Permissions for creating new management groups"

I got the following Error:

The client 'my.name@my.domain' with object id xxxxxxx-9a74fedf03cd' does not have authorization to perform action 'Microsoft.Management/managementGroups/settings/...' over scope '/providers/Microsoft.Management/managementGrou...xxxxxxx-818ccaea25df/settings/default' or the scope is invalid. If access was recently granted, please refresh your credentials.

I hope someone can help me understand what the issue is and point me into the right direction. I found myself lost within the Azure Documentation. Everything I found was already capable of creating Management Groups.

$ az config set core.allow_broker=true
$ az account clear
$ az login
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "xxxxxxx-818ccaea25df",
    "id": "xxxxxxx-1296f2bc0393",
    "isDefault": true,
    "managedByTenants": [],
    "name": "projectA",
    "state": "Enabled",
    "tenantId": "xxxxxxx-818ccaea25df",
    "user": {
      "name": "my.name@my.domain",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "xxxxxxx-818ccaea25df",
    "id": "xxxxxxx-3ba6acce9e01",
    "isDefault": false,
    "managedByTenants": [],
    "name": "projectB",
    "state": "Enabled",
    "tenantId": "xxxxxxx-818ccaea25df",
    "user": {
      "name": "my.name@my.domain",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "xxxxxxx-818ccaea25df",
    "id": "xxxxxxx-5cf5476a13f8",
    "isDefault": false,
    "managedByTenants": [],
    "name": "projectC",
    "state": "Enabled",
    "tenantId": "xxxxxxx-818ccaea25df",
    "user": {
      "name": "my.name@my.domain",
      "type": "user"
    }
  }
]

$ az account management-group list --no-register
(NotFound) Management Groups are not enabled in this tenant.
Code: NotFound
Message: Management Groups are not enabled in this tenant.

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T07:59:03.35+00:00

Hi, Danny

Global Admin, doesn't not necessarily give you access to Azure resources and Management Groups - try to elevate it, then log out and in and see if you can see the Management Groups and create them.
Danny Heinrich 0 Reputation points

2023-06-22T11:43:28.8733333+00:00

I since yesterday try to figure out how i can access the Group Management. I'm a "Global Administrator" and already granted to "Access management for Azure resources".

@Luke Murray I think thats what I did yesterday, isn't It? Relog etc was done multiple times in multiple browsers and incognito windows without success.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:29:06.8633333+00:00

Try adding yourself to the: 'Management Group Contributor' - role and try again.

Can you supply a screenshot of what you see here: https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview
Danny Heinrich 0 Reputation points

2023-06-22T19:33:23.46+00:00

@Luke Murray sure thing.

I tried in AAD but there is no role available like that.

Could you point me where I need to take a look at?

Going in Azure to Home > Management Groups > Overview: I see he infinity ring.
Mirco Marius Leimgruber 0 Reputation points

2023-06-22T19:38:48.57+00:00

Hi all

I've exactly the same problem. I've elevated my user already but now I'm just seeing the infinite ring on the mgmt groups page.

Would be interested in a solution too, many thx for the support.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:38:58.56+00:00

The role should be here:

Its not a privileged access role, but a Job function role, but this may not work as it needs to be defined at a Management Group, not a subscription.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:47:17.1833333+00:00
Hi, Danny

Can you run the following PowerShell command and let me know the output:

New-AzManagementGroup -GroupName 'Contoso'

We may need to get Microsoft Support involved, but if its just portal bug, that command should work.
Mirco Marius Leimgruber 0 Reputation points

2023-06-22T19:57:46.65+00:00

Short feedback. As soon as I've created a new Mgmt Group it started working again. Now I can see the Mgmt Groups in the Mgmt Group overview again. Thx for the tip creating another mgmt group.
Danny Heinrich 0 Reputation points

2023-06-23T12:53:35.5933333+00:00

@Luke Murray thx. Yeah why ever but this seams to fix the issue in the UI somehow. I'm now able to create/delete these mgmt groups back and fourth.

Thx a lot!

Your answer

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T07:59:03.35+00:00

Hi, Danny

Global Admin, doesn't not necessarily give you access to Azure resources and Management Groups - try to elevate it, then log out and in and see if you can see the Management Groups and create them.
Danny Heinrich 0 Reputation points

2023-06-22T11:43:28.8733333+00:00

I since yesterday try to figure out how i can access the Group Management. I'm a "Global Administrator" and already granted to "Access management for Azure resources".

@Luke Murray I think thats what I did yesterday, isn't It? Relog etc was done multiple times in multiple browsers and incognito windows without success.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:29:06.8633333+00:00

Try adding yourself to the: 'Management Group Contributor' - role and try again.

Can you supply a screenshot of what you see here: https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview
Danny Heinrich 0 Reputation points

2023-06-22T19:33:23.46+00:00

@Luke Murray sure thing.

I tried in AAD but there is no role available like that.

Could you point me where I need to take a look at?

Going in Azure to Home > Management Groups > Overview: I see he infinity ring.
Mirco Marius Leimgruber 0 Reputation points

2023-06-22T19:38:48.57+00:00

Hi all

I've exactly the same problem. I've elevated my user already but now I'm just seeing the infinite ring on the mgmt groups page.

Would be interested in a solution too, many thx for the support.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:38:58.56+00:00

The role should be here:

Its not a privileged access role, but a Job function role, but this may not work as it needs to be defined at a Management Group, not a subscription.
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-06-22T19:47:17.1833333+00:00

Hi, Danny

Can you run the following PowerShell command and let me know the output:

New-AzManagementGroup -GroupName 'Contoso'

We may need to get Microsoft Support involved, but if its just portal bug, that command should work.
Mirco Marius Leimgruber 0 Reputation points

2023-06-22T19:57:46.65+00:00

Short feedback. As soon as I've created a new Mgmt Group it started working again. Now I can see the Mgmt Groups in the Mgmt Group overview again. Thx for the tip creating another mgmt group.
Danny Heinrich 0 Reputation points

2023-06-23T12:53:35.5933333+00:00

@Luke Murray thx. Yeah why ever but this seams to fix the issue in the UI somehow. I'm now able to create/delete these mgmt groups back and fourth.

Thx a lot!

Share via

Management Groups Unavailable in Tenant: Limited Account Control and Organization

Your answer