Azure Management Group - Cannot add subscription if Owner via Security Group

EPNAdam 35 Reputation points
2023-08-30T12:40:03.0966667+00:00

I'm building an Azure Management Group structure where I'm having issues with the add subscription option to a sub-management group: the option is grayed out when the Owner role is assigned via an AAD Security group. So in short, do Azure Management groups support permission management via AAD Security groups?

Some details:

  • I'm global admin
  • The AAD Group is Owner on root management group and inherited down
  • On the management group I have assigned an Azure AD (AAD) Security Group the role Owner of which my account is member of. The security group has the option "Azure AD roles can be assigned to the group" set.

I have played around and also assigned my AAD security group the role "Management Group Contributor" without success. I have also added the group on root level so it's inherited. If I instead assign my account directly the Owner role on the management group then it works and I can add subscriptions.

I have checked the documentation available and cannot find anything about security groups not being supported.

(Have same question on Stack Overflow)

Azure Role-based access control

Accepted answer
  1. Shweta Mathur 28,771 Reputation points Microsoft Employee
    2023-09-07T07:38:17.3166667+00:00

    Hi @EPNAdam ,

    Thanks for your update and patience throughout this process.

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    User's image


3 additional answers

  1. Stanislav Zhelyazkov 21,766 Reputation points MVP
    2023-08-30T12:57:53.8066667+00:00

    Hi,

    Azure AD security groups are supported for Azure RBAC permissions (role assignments), and management groups are no exception to that. In order to assign permissions (role assignments) on a management group you need either to be Owner of the management group or of a management group that is at a higher level. In case you want to assign permissions at the Root Management Group but you are not Owner of it, you will have to have Owner permissions at the tenant scope. For assigning permissions, the built-in User Access Administrator role can also be used instead of Owner. To manage management groups (excluding assigning permissions) you need to have the Management Group Contributor role on the management group or on a management group at a higher level. If you want to move a subscription from one management group to another, you need to have access (Management Group Contributor) to both, either via direct access or one inherited from a higher level. You can check how to gain access to tenant scope if you are Azure AD Global Administrator here. When you assign access on a management group, give it about 5 minutes until that access is available on the management groups below. If you do any operations via the portal, it is also good to refresh the page.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. EPNAdam 35 Reputation points
    2023-09-06T11:23:51.1133333+00:00

    MS support proposed to test moving subscriptions using PowerShell as it might be an Azure UI bug. I did a quick test using PowerShell and it works. So, this seems to be a bug and PowerShell is a workaround until it gets fixed.

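As an added example (not code from the question or from any of the answers above), the following Az PowerShell script ties together the two points made in this thread: Stanislav's description of which role is needed at which scope (Management Group Contributor on both source and target management group, with inherited assignments counting), and EPNAdam's observation that moving a subscription with PowerShell works even when the portal button is grayed out. The group name, management group name and subscription ID are placeholders, and the script assumes the Az.Accounts and Az.Resources modules are installed and that the signed-in account can create role assignments at the management group scope.

```powershell
# Added example, not from the original thread. All names and IDs are placeholders.
# Requires: Az.Accounts, Az.Resources (Install-Module Az).

Connect-AzAccount

$groupDisplayName  = 'sg-platform-owners'                      # placeholder AAD security group
$managementGroupId = 'mg-landingzones'                         # placeholder management group name (ID)
$subscriptionId    = '00000000-0000-0000-0000-000000000000'    # placeholder subscription ID
$mgScope           = "/providers/Microsoft.Management/managementGroups/$managementGroupId"

# 1. Resolve the security group. Azure RBAC assignments are keyed on the object ID, not the name.
$group = Get-AzADGroup -DisplayName $groupDisplayName
if (-not $group) { throw "Security group '$groupDisplayName' not found" }

# 2. Least privilege: Management Group Contributor is sufficient to move subscriptions between
#    management groups. Owner is only required if the group must also manage role assignments.
$role = 'Management Group Contributor'
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $mgScope -RoleDefinitionName $role |
    Where-Object { $_.Scope -eq $mgScope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $mgScope | Out-Null
    Write-Host "Assigned '$role' to '$groupDisplayName' at $mgScope"
}

# 3. List the effective assignments at this scope. Get-AzRoleAssignment also returns assignments
#    inherited from parent scopes (for example an Owner assignment on the root management group),
#    so this is the place to verify that a group-based assignment actually reaches this level.
#    Allow a few minutes for propagation before trusting the result.
Get-AzRoleAssignment -Scope $mgScope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 4. Move the subscription under the management group. This needs Management Group Contributor
#    (direct or inherited) on both the current parent and the target; otherwise the cmdlet
#    fails with an authorization error rather than silently doing nothing.
New-AzManagementGroupSubscription -GroupName $managementGroupId -SubscriptionId $subscriptionId

# 5. Confirm the subscription is now a child of the target management group.
Get-AzManagementGroupSubscription -GroupName $managementGroupId -SubscriptionId $subscriptionId
```

Step 3 is the useful diagnostic for the situation in the question: if the group-based assignment shows up there with the expected role and scope but the portal still grays out the button, the authorization is in place and the problem is in the UI, which matches the workaround the asker reported.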
