Could we elevate other user (not Global admin) by enabling Access management for Azure resources to manage the root mangement group to restrict the access right

Walker Chong 41 Reputation points
2020-12-02T08:40:13.587+00:00

As the title.

Could we elevate other user (not Global admin) by enabling Access management for Azure resources to manage the root management group to restrict the access right?

If I have to assign the policy to root management group, I know that I can logon as Global admin and elevate the permission (Configure "Access management for Azure resources" as enabled) as a user administrator role to access the whole management group.

But it is too powerful for a user who only need to manage the root management group.

As I have found this article that mentioned the owner role could also assign the policy to the root management group.
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group

Should I only grant the owner role to the user who has to access the root management group without enabling "Access management for Azure resources" for that user?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,329 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2020-12-02T16:21:25.333+00:00

    Hello @Walker Chong , as stated in the documentation Azure AD Global Administrators are the only users that can elevate themselves to gain access so you only need to grant the owner (or any other desired) role to the user that is allowed to manage such scope.

    Please let me know if you need more help. If the answer was helpful to you, please accept it it so that other members in the community can benefit from it.


0 additional answers

Sort by: Most helpful