Could we elevate other user (not Global admin) by enabling Access management for Azure resources to manage the root management group to restrict the access right

Walker Chong 41 Reputation points
2020-12-02T08:40:13.587+00:00

As the title.

Could we elevate other user (not Global admin) by enabling Access management for Azure resources to manage the root management group to restrict the access right?

If I have to assign the policy to root management group, I know that I can log on as Global admin and elevate the permission (Configure "Access management for Azure resources" as enabled) as a user administrator role to access the whole management group.

But it is too powerful for a user who only needs to manage the root management group.

I have found this article, which mentions that the owner role could also assign the policy to the root management group:
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group

Should I only grant the owner role to the user who has to access the root management group without enabling "Access management for Azure resources" for that user?


Accepted answer
  1. 2020-12-02T16:21:25.333+00:00

    Hello @Walker Chong, as stated in the documentation, Azure AD Global Administrators are the only users that can elevate themselves to gain access, so you only need to grant the owner (or any other desired) role to the user that is allowed to manage such scope.

    Please let me know if you need more help. If the answer was helpful to you, please accept it so that other members in the community can benefit from it.
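The distinction drawn in this thread can be checked from an export of role assignments. The following is an added example, not part of the original thread or Microsoft's documentation: it separates assignments left at the root scope `/` by elevation from assignments made directly on the root management group. It assumes input shaped like the JSON from `az role assignment list --output json`, and that the root management group ID equals the tenant ID (the default); all IDs and names are constructed placeholders.

```python
import json

# Constructed sample data; tenant ID, subscription ID and principals are placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "ga@example.com",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "policy-admin@example.com", "roleDefinitionName": "Owner",
     "scope": f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"},
    {"principalName": "dev@example.com", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
])


def classify(assignment, tenant_id):
    """Label one role assignment by where it sits relative to the root management group."""
    # Scopes are compared case-insensitively and without a trailing slash.
    scope = assignment["scope"].rstrip("/").lower() or "/"
    root_mg = f"/providers/microsoft.management/managementgroups/{tenant_id}".lower()
    if scope == "/":
        # Root scope: where enabling "Access management for Azure resources"
        # places the User Access Administrator assignment.
        return "elevated-root-scope"
    if scope == root_mg:
        # Direct assignment on the root management group, as the answer recommends.
        return "root-management-group"
    return "below-root"


def audit(raw_json, tenant_id):
    """Group (principal, role) pairs by scope class for review."""
    findings = {"elevated-root-scope": [], "root-management-group": [], "below-root": []}
    for a in json.loads(raw_json):
        findings[classify(a, tenant_id)].append(
            (a["principalName"], a["roleDefinitionName"]))
    return findings


if __name__ == "__main__":
    for label, entries in audit(SAMPLE, TENANT_ID).items():
        print(label, entries)
```

Entries under `elevated-root-scope` are the ones to review and remove once the elevated access is no longer needed.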

