As the title.
Could we elevate another user (not a Global admin) by enabling "Access management for Azure resources" to manage the root management group, so as to restrict the access rights?
If I have to assign the policy to the root management group, I know that I can log on as a Global admin and elevate the permission (configure "Access management for Azure resources" as enabled) as a user administrator role to access the whole management group.
But it is too powerful for a user who only needs to manage the root management group.
I have found this article, which mentioned that the owner role could also assign the policy to the root management group.
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group
Should I only grant the owner role to the user who has to access the root management group without enabling "Access management for Azure resources" for that user?