What permissions are required to iterate Management Groups (in powershell)

Christopher Lewis 21 Reputation points
2020-07-01T18:59:15.587+00:00

I'm running the Get-AZManagementGroup command using the following:

Get-AzManagementGroup -GroupName 'RandomGroupName'

and this returns an error:

Get-AzManagementGroup: The client XXX@yyy.com' with object id '<someGuid>' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/RandomGroupName' or the scope is invalid. If access was recently granted, please refresh your credentials.

I currently have "Management Group Contributor" access at one level below the Tenant Root. (we create a group directly under tenant). What I want to do is search all MG's for a name.

What rights do I need to have this call return a "no MG's" error or $null rather than this authorization error?


3 answers

  1. Saurabh Sharma 23,676 Reputation points Microsoft Employee
    2020-07-02T01:29:56.923+00:00

    @Christopher Lewis You need the Management Group Reader/Contributor role to access the management group. I was able to reproduce this scenario when the user was not assigned Management Group Reader/Contributor permissions -
    11184-get-managementgroup.png

    However, it worked for me after assigning Management Group Reader permissions. Also, same results for user having Management Group Contributor permissions.
    Can you please check if the right permissions have been granted to the user account you are using to run the PowerShell cmdlet.

    1. Go to Azure Portal > All services > Management groups and select the respective management group.
      11125-management-groups.png
    2. Click on "details" against the Management Group name
      11107-managementgroup-details.png
    3. Click on "Access Control" and check for respective user under "Role assignments" tab.
      11174-managementgroup-accesscontrol.png

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    3 people found this answer helpful.

  2. Christopher Lewis 21 Reputation points
    2020-07-02T20:34:23.46+00:00

    I have Management Group Contributor at the level "ManagementGroup".

    Your error shows the Scope -> "/providers/Microsoft.Management" but when I run the Get-AzRoleAssignments I see a different scope:

    PS C:\VSProjects\> Get-AzRoleAssignment -RoleDefinitionName "Management Group Contributor"
    RoleAssignmentId   : /providers/Microsoft.Management/managementGroups/65c58e06-XXX/providers/Microsoft.Authorization/roleAssignments/b0a39094-XXX
    Scope              : /providers/Microsoft.Management/managementGroups/65c58e06-XXX
    DisplayName        : Chris Lewis
    SignInName         : xxx
    RoleDefinitionName : Management Group Contributor
    RoleDefinitionId   : 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c
    ObjectId           : edd60c56-XXX
    ObjectType         : User
    CanDelegate        : False
    

    Note that the Scope is my MG, not the Tenant. And I don't have access to "/providers/Microsoft.Management/" per the error.

    Do I need MG Contributor/reader at the Tenant?


  3. sandervv 1 Reputation point
    2021-03-09T09:31:28.143+00:00

    Looks like the command only checks the tenant first when no management group is specified.
    Maybe this will work for your issue:

    Get-AzManagementGroup -GroupName "group under tenant" -Expand | Select-Object -ExpandProperty Children | Where-Object {$_.displayname -eq "RandomGroupName"}
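
Building on that one-liner, here is an added example (not from the question or any of the answers) that walks the whole subtree below a group you hold Reader or Contributor on and turns the authorization error into $null, which is what the question asked for. It assumes the Az.Resources module and an existing Connect-AzAccount session; the root group name '65c58e06-XXX' is a placeholder taken from the redacted scope in the thread.

```powershell
# Added example: search the management-group tree below a readable root for a display name.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
# '65c58e06-XXX' is a placeholder for the group your role assignment is scoped to.

function Find-MgByDisplayName {
    param(
        [Parameter(Mandatory)] [string] $RootGroupName,   # MG you hold Reader/Contributor on
        [Parameter(Mandatory)] [string] $DisplayName      # display name you are looking for
    )

    try {
        # -Expand -Recurse returns the whole subtree in one call. Reading it needs
        # Microsoft.Management/managementGroups/read at $RootGroupName, which the role
        # assignment there grants and which is inherited by every child group.
        $root = Get-AzManagementGroup -GroupName $RootGroupName -Expand -Recurse -ErrorAction Stop
    }
    catch {
        # The 'does not have authorization ... managementGroups/read' case (or an unknown
        # group name) becomes a warning plus $null instead of a terminating error.
        Write-Warning "Cannot read management group '$RootGroupName': $($_.Exception.Message)"
        return $null
    }

    # Depth-first walk over the Children property; subscription children are skipped by Type.
    $stack = [System.Collections.Generic.Stack[object]]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        if ($node.DisplayName -eq $DisplayName) { return $node }
        foreach ($child in @($node.Children)) {
            if ($child -and $child.Type -like '*managementGroups*') { $stack.Push($child) }
        }
    }
    return $null   # nothing matched: no error, just no result
}

# Usage: start at the group the role assignment is scoped to, not at the tenant root.
Find-MgByDisplayName -RootGroupName '65c58e06-XXX' -DisplayName 'RandomGroupName'
```

If you only hold the role on one group, that group is the highest point the search can start from; groups that are siblings of it or above it will still be invisible, so a $null result means "not found below my scope", not "does not exist in the tenant".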