Why can't group members operate the management group?

Colin Jochum 20 Reputation points
2023-06-23T11:55:40.2166667+00:00

Hello all!

Problem Statement & Setup

I have a management group which has a single Group called "OwnerGroup" assigned to it. The group contains a single member called Peter. The group is assigned to the management group with the Owner role. There are no other users or anything else assigned to the management group! The user which is initially assigned when creating the management group has been removed.

The problem with this IAM configuration is that it is not possible to do certain operations on the management group, like "Create child group here" or "Add subscription here". Operations like renaming or accessing the management group still work fine.

(screenshot: ManagementGroup-Question01)

(screenshot: ManagementGroup-Question02)

The problem is solved when I add the user object (Peter) directly as Owner to the management group. Now the mentioned operations work fine for Peter.

Shouldn't it be the same if either a user is directly assigned as owner to the management group or when a group with the user as member is assigned as owner to the management group?

Azure Role-based access control

Answer accepted by question author
  1. JamesTran-MSFT 37,211 Reputation points Microsoft Employee Moderator
    2023-06-26T21:33:20.99+00:00

    @Colin Jochum

    Thank you for your post! To ensure I clearly understand your issue, I'll share a summary of it below along with my findings.

    Summary:

    You have an Azure AD Group named OwnerGroup; the OwnerGroup contains a single user and is assigned the Owner RBAC role at the Management Group scope.

    Issue:

    • When the single user is assigned to this OwnerGroup - they aren't able to perform certain operations such as "Create child group here" or "Add subscription here" but renaming and accessing the management group work as expected.
    • When the single user is removed from the Azure AD Group and is assigned the Owner role directly at the Management Group scope, everything is working as expected.

    Findings:

    When trying to reproduce your issue I noticed that both my Azure AD Group with the Owner role assigned at the Management Group scope, and my user with the Owner role assigned to the same scope didn't run into any issues when it came to creating child groups or adding a subscription to the management group.

    User's image

    Troubleshooting:

    To hopefully help point you in the right direction or resolve your issue:

    • After you assign your user to the OwnerGroup, can you force a refresh of your role assignment by signing out and back in, or by refreshing the page? In some instances, it can take up to 10 minutes for role assignment changes to take effect.
    • If refreshing your role assignment doesn't help, can you navigate to your Management Group's IAM tab and check your user's and Azure AD Group's access, similar to what's seen in my screenshot above.

    I hope this helps!

    If you're still having issues, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.


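The answer's second troubleshooting step (check the user's and the group's access on the management group's IAM tab) can be done from the command line, which also shows whether the user reaches Owner directly or only through the group. The following is an added example written for this page, not code from either the question or the answer, using the Az PowerShell module. It assumes a signed-in session (`Connect-AzAccount`), and the management group id `mg-example`, the group display name `OwnerGroup` and the UPN `peter@contoso.com` are placeholders. It also assumes the Graph-based `Get-AzADGroupMember` output (which exposes `OdataType`) while still tolerating the older `ObjectType` property.

```powershell
# Added example (not from the question or the answer): list who holds what at a
# management group scope and check whether a given user reaches the Owner role
# directly or only via group membership. Requires the Az module and a signed-in
# session (Connect-AzAccount). Id, group name and UPN are assumed placeholders.
param(
    [string]$ManagementGroupId = 'mg-example',        # the MG id, not its display name
    [string]$GroupName         = 'OwnerGroup',
    [string]$UserPrincipalName = 'peter@contoso.com'  # assumed UPN
)

$scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"

# 1. Every assignment that applies at this scope (assignments inherited from parent
#    management groups are included), with the principal type so a group is visible
#    as ObjectType = Group rather than as its members.
Write-Host "Role assignments at $scope"
Get-AzRoleAssignment -Scope $scope |
    Select-Object RoleDefinitionName, DisplayName, ObjectType, Scope |
    Format-Table -AutoSize

# 2. Walk the group's membership, recursing into nested groups, because Azure RBAC
#    evaluates transitive membership; a user in a nested group should still count.
function Get-GroupMembersRecursive {
    param([string]$GroupObjectId, [hashtable]$Seen = @{})
    foreach ($m in Get-AzADGroupMember -GroupObjectId $GroupObjectId) {
        if ($Seen.ContainsKey($m.Id)) { continue }   # guard against membership cycles
        $Seen[$m.Id] = $true
        # Graph-based Az.Resources exposes OdataType; older builds exposed ObjectType.
        $isGroup = ($m.OdataType -eq '#microsoft.graph.group') -or ($m.ObjectType -eq 'Group')
        if ($isGroup) {
            Get-GroupMembersRecursive -GroupObjectId $m.Id -Seen $Seen
        } else {
            $m
        }
    }
}

$group = Get-AzADGroup -DisplayName $GroupName
$user  = Get-AzADUser -UserPrincipalName $UserPrincipalName
if (-not $group -or -not $user) { throw "Group '$GroupName' or user '$UserPrincipalName' not found in the directory." }

$inGroup = [bool](Get-GroupMembersRecursive -GroupObjectId $group.Id | Where-Object { $_.Id -eq $user.Id })
Write-Host "$UserPrincipalName is a (transitive) member of ${GroupName}: $inGroup"

# 3. What the user effectively holds at this scope, with group-derived assignments
#    expanded. If Owner appears only with ObjectType = Group, the directory and RBAC
#    side match the intended setup and the gap is elsewhere (for example a token
#    issued before the user was added to the group, which is why the answer suggests
#    signing out and back in).
$effective = Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $scope -ExpandPrincipalGroups
$effective | Select-Object RoleDefinitionName, ObjectType, DisplayName, Scope | Format-Table -AutoSize

$direct   = $effective | Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.ObjectType -eq 'User' }
$viaGroup = $effective | Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.ObjectType -eq 'Group' }
Write-Host ("Owner directly: {0}; Owner via group: {1}" -f [bool]$direct, [bool]$viaGroup)
```

Run it as `.\Check-MgOwner.ps1 -ManagementGroupId <id> -GroupName OwnerGroup -UserPrincipalName <upn>`. The useful signal is the last line: if it prints `Owner directly: False; Owner via group: True` while the portal still refuses "Create child group here", the role assignment itself is not the problem, and the stale-token explanation from the answer is the next thing to rule out.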