Error enabling "Require write permissions for creating new management groups"

Ioannis Pantzis 21 Reputation points

I want to enable the hierarchy protection in an Azure AD Tenant, after enabling the Root Management Group.

At the "Permissions for creating new management groups" setting, when I click the button to enable the "Require write permissions for creating new management groups" option, I keep getting the error message:

"The client ## with object id ## does not have authorization to perform action 'Microsoft.Management/managementGroups/settings/write' over scope '/providers/Microsoft.Management/managementGroups/##/settings/default' or the scope is invalid. If access was recently granted, please refresh your credentials."

I use the Global AD Administrator user, and I have also added this user to the 'Management Group Reader', 'Management Group Contributor' and 'User Access Administrator' in the Root Management Group IAM.

Am I missing anything?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,499 questions
0 comments No comments
{count} votes

Accepted answer
  1. Siva-kumar-selvaraj 15,601 Reputation points

    Hello @ypan,

    Thanks for reaching out.

    The Microsoft.Management/managementgroups/settings/write operation available in the Azure built-in role Hierarchy Settings Administrator.

    Can you verify if you have assigned user with "Hierarchy Settings Administrator" in the Root Management Group IAM also make sure you had elevated Azure AD Global Administrator account as the User Access Administrator role to the Root management group as detailed here.

    If you have already setup these roles then you must see your user account displayed as shown below when you go your Root Management Group IAM blade. Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Ioannis Pantzis 21 Reputation points

    Thank you @sikumars-msft, this was exactly the problem.
    Once I added the 'Hierarchy Settings Administrator' role, I could enable the hierarchy protection.
    However, this is not mentioned in the documentation, as a prerequisite to enable hierarchy protection, it would be good to have it added.

    Thanks again,


  2. Ioannis Pantzis 21 Reputation points

    Indeed, I now see that the Hierarchy Settings Administrator is mentioned; probably I didn't make the connection when I read it, or I was expecting it to be mentioned as a pre-requisite in the "Set default management group in portal" section.

    0 comments No comments

  3. Maximilian Palm 1 Reputation point

    I had the same issue and this post solved it. I was the one who enabled management groups for the Azure AD tenant, so I didn't expect that I'd need to assign myself additional roles to make changes to them.

    0 comments No comments