Unable to add role assignments despite being a Global Administrator."

Madhura Sane 20 Reputation points
2025-05-29T15:37:45.7466667+00:00
  1. I have Global Administrator role in Entra ID.
  2. "Add role assignment" option is disabled at both the Log Analytics Workspace and Subscription levels.
  3. I already tried refreshing the browser, checking your role assignment
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,290 questions
0 comments No comments
{count} votes

Accepted answer
  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2025-05-29T21:18:44.0766667+00:00

    Hello  Madhura Sane

    I hope answer provided by @TP is helpful.

    Additionally, as I understand you have Global admin role assigned for your account for your tenant and you are unable to assign role assignment to your subscription.

    When you try to add IAM assignment the option is disabled.

    If you have a Global admin role assigned, this means you are complete admin in Entra ID within Azure. Entra ID is a directory within Azure. With Global admin permissions you can perform anything within the directory like, created users, deleting users, password resets, registering applications etc.

    If you want to perform anything with respect to subscription or resources in Azure, then you need to have an IAM role assigned. Example roles, Owner, contributor, User access administrator etc.

    You can go through below article to get more information on in-built role in Azure IAM,

    https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

    There are multiple roles within Azure with permission defined that will allow you to perform different actions on multiple resources.

    As explained earlier, Azure roles are completely different from Entra ID roles. Global admin is a role which is part of Entra ID.

    Hope this information helps. Let us know if you have any additional queries. Happy to assist you further.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. TP 123.7K Reputation points Volunteer Moderator
    2025-05-29T19:05:54.4966667+00:00

    Hi,

    From your description it sounds like your user account has not been given permission to add role assignments on the Azure subscription. Below instructions should allow you to elevate your access so that you can assign yourself Owner role at the subscription level.

    Please follow instructions in article below to elevate access:

    Elevate access for a Global Administrator

    https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#perform-steps-at-root-scope

    Once you have elevated access, sign out and sign-in again for the change to take effect.

    Next navigate to your subscription in Azure portal, then on left click Access control (IAM) blade.

    Click Add -- Add role assignment, next click Privileged administrator roles tab, select Owner, click Next, click Select members, search for and Select your account, click Next, on Conditions tab select Allow user to assign all roles (highly privileged), click Review + assign, Review + assign.

    After adding Owner role assignment, please sign out and back in for the change to take effect.

    After you are finished please remember to toggle the elevated access back to off.

    If something is unclear or you have a question please add a comment below.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.