Error enabling "Require write permissions for creating new management groups"

Ioannis Pantzis 21 Reputation points
2022-02-14T21:16:48.76+00:00

I want to enable the hierarchy protection in an Azure AD Tenant, after enabling the Root Management Group.

At the "Permissions for creating new management groups" setting, when I click the button to enable the "Require write permissions for creating new management groups" option, I keep getting the error message:

"The client ## with object id ## does not have authorization to perform action 'Microsoft.Management/managementGroups/settings/write' over scope '/providers/Microsoft.Management/managementGroups/##/settings/default' or the scope is invalid. If access was recently granted, please refresh your credentials."

I use the Global AD Administrator user, and I have also added this user to the 'Management Group Reader', 'Management Group Contributor' and 'User Access Administrator' in the Root Management Group IAM.

Am I missing anything?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,610 questions
Accepted answer
  1. Siva-kumar-selvaraj 15,156 Reputation points
    2022-02-16T18:24:59.41+00:00

    Hello @ypan,

    Thanks for reaching out.

    The Microsoft.Management/managementgroups/settings/write operation available in the Azure built-in role Hierarchy Settings Administrator.

    Can you verify if you have assigned user with "Hierarchy Settings Administrator" in the Root Management Group IAM also make sure you had elevated Azure AD Global Administrator account as the User Access Administrator role to the Root management group as detailed here.

    If you have already setup these roles then you must see your user account displayed as shown below when you go your Root Management Group IAM blade. Hope this helps.

    175076-image.png

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ioannis Pantzis 21 Reputation points
    2022-02-20T21:58:30.123+00:00

    Thank you @sikumars-msft, this was exactly the problem.
    Once I added the 'Hierarchy Settings Administrator' role, I could enable the hierarchy protection.
    However, this is not mentioned in the documentation, as a prerequisite to enable hierarchy protection, it would be good to have it added.

    Thanks again,

    Yannis

  2. Ioannis Pantzis 21 Reputation points
    2022-02-21T23:38:55.427+00:00

    Indeed, I now see that the Hierarchy Settings Administrator is mentioned; probably I didn't make the connection when I read it, or I was expecting it to be mentioned as a pre-requisite in the "Set default management group in portal" section.

  3. Maximilian Palm 1 Reputation point
    2022-03-18T12:08:35.217+00:00

    I had the same issue and this post solved it. I was the one who enabled management groups for the Azure AD tenant, so I didn't expect that I'd need to assign myself additional roles to make changes to them.