Elevate access to manage all Azure subscriptions and management groups

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.

Note

For information about viewing or deleting personal data, see Azure Data Subject Requests for the GDPR. For more information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the following actions:

  • Regain access to an Azure subscription or management group when a user has lost access
  • Grant another user or yourself access to an Azure subscription or management group
  • See all Azure subscriptions or management groups in an organization
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups

How does elevated access work?

Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.

You should remove this elevated access once you have made the changes you need to make at root scope.

Elevate access

Azure portal

Elevate access for a Global Administrator

Follow these steps to elevate access for a Global Administrator using the Azure portal.

  1. Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator.

    If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment.

  2. Open Azure Active Directory.

  3. Under Manage, select Properties.

    Select Properties for Azure Active Directory properties - screenshot

  4. Under Access management for Azure resources, set the toggle to Yes.

    Access management for Azure resources - screenshot

    When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

    When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

    Note

    If you're using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

  5. Click Save to save your setting.

    This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role.

  6. Sign out and sign back in to refresh your access.

    You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope.

    Subscription role assignments with root scope - screenshot

  7. Make the changes you need to make at elevated access.

    For information about assigning roles, see Assign Azure roles using the Azure portal. If you are using Privileged Identity Management, see Discover Azure resources to manage or Assign Azure resource roles.

  8. Perform the steps in the following section to remove your elevated access.

Remove elevated access

To remove the User Access Administrator role assignment at root scope (/), follow these steps.

  1. Sign in as the same user that was used to elevate access.

  2. In the navigation list, click Azure Active Directory and then click Properties.

  3. Set the Access management for Azure resources toggle back to No. Since this is a per-user setting, you must be signed in as the same user that was used to elevate access.

    If you try to remove the User Access Administrator role assignment on the Access control (IAM) pane, you'll see the following message. To remove the role assignment, you must set the toggle back to No or use Azure PowerShell, Azure CLI, or the REST API.

    Remove role assignments with root scope

  4. Sign out as Global Administrator.

    If you are using Privileged Identity Management, deactivate your Global Administrator role assignment.

    Note

    If you're using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

Azure PowerShell

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the Get-AzRoleAssignment command.

Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" `
  -and $_.SignInName -eq "<username@example.com>" -and $_.Scope -eq "/"}
RoleAssignmentId   : /providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
Scope              : /
DisplayName        : username
SignInName         : username@example.com
RoleDefinitionName : User Access Administrator
RoleDefinitionId   : 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
ObjectId           : 22222222-2222-2222-2222-222222222222
ObjectType         : User
CanDelegate        : False

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the Remove-AzRoleAssignment command to remove the User Access Administrator role assignment.

    Remove-AzRoleAssignment -SignInName <username@example.com> `
      -RoleDefinitionName "User Access Administrator" -Scope "/"
    

Azure CLI

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the Azure CLI.

  1. Use the az rest command to call the elevateAccess endpoint, which grants you the User Access Administrator role at root scope (/).

    az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
    
  2. Make the changes you need to make at elevated access.

    For information about assigning roles, see Assign Azure roles using the Azure CLI.

  3. Perform the steps in a later section to remove your elevated access.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the az role assignment list command.

az role assignment list --role "User Access Administrator" --scope "/"
[
  {
    "canDelegate": null,
    "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
    "name": "11111111-1111-1111-1111-111111111111",
    "principalId": "22222222-2222-2222-2222-222222222222",
    "principalName": "username@example.com",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "roleDefinitionName": "User Access Administrator",
    "scope": "/",
    "type": "Microsoft.Authorization/roleAssignments"
  }
]

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the az role assignment delete command to remove the User Access Administrator role assignment.

    az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"
    

REST API

Prerequisites

You must use the following versions:

  • 2015-07-01 or later to list and remove role assignments
  • 2016-07-01 or later to elevate access
  • 2018-07-01-preview or later to list deny assignments

For more information, see API versions of Azure RBAC REST APIs.

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the REST API.

  1. Using REST, call elevateAccess, which grants you the User Access Administrator role at root scope (/).

    POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01
    
  2. Make the changes you need to make at elevated access.

    For information about assigning roles, see Assign Azure roles using the REST API.

  3. Perform the steps in a later section to remove your elevated access.

List role assignments at root scope (/)

You can list all of the role assignments for a user at root scope (/).

  • Call Role Assignments - List For Scope where {objectIdOfUser} is the object ID of the user whose role assignments you want to retrieve.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectIdOfUser}'
    

List deny assignments at root scope (/)

You can list all of the deny assignments for a user at root scope (/).

  • Call GET denyAssignments where {objectIdOfUser} is the object ID of the user whose deny assignments you want to retrieve.

    GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter=gdprExportPrincipalId+eq+'{objectIdOfUser}'
    

Remove elevated access

When you call elevateAccess, you create a role assignment for yourself, so to revoke those privileges you need to remove the User Access Administrator role assignment for yourself at root scope (/).

  1. Call Role Definitions - Get where roleName equals User Access Administrator to determine the name ID of the User Access Administrator role.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01&$filter=roleName+eq+'User Access Administrator'
    
    {
      "value": [
        {
          "properties": {
            "roleName": "User Access Administrator",
            "type": "BuiltInRole",
            "description": "Lets you manage user access to Azure resources.",
            "assignableScopes": [
              "/"
            ],
            "permissions": [
              {
                "actions": [
                  "*/read",
                  "Microsoft.Authorization/*",
                  "Microsoft.Support/*"
                ],
                "notActions": []
              }
            ],
            "createdOn": "0001-01-01T08:00:00.0000000Z",
            "updatedOn": "2016-05-31T23:14:04.6964687Z",
            "createdBy": null,
            "updatedBy": null
          },
          "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "type": "Microsoft.Authorization/roleDefinitions",
          "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        }
      ],
      "nextLink": null
    }
    

    Save the ID from the name parameter, in this case 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9.

  2. You also need to list the role assignments for the directory administrator at directory scope. List all assignments at that scope for the principalId of the directory administrator who made the elevateAccess call. This returns every assignment in the directory for that object ID.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectid}'
    

    Note

    A directory administrator should not have many assignments. If the previous query returns too many assignments, you can instead query for all assignments at directory scope and then filter the results: GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=atScope()

  3. The previous calls return a list of role assignments. Find the role assignment where the scope is "/", the roleDefinitionId ends with the role name ID you found in step 1, and the principalId matches the objectId of the directory administrator.

    Sample role assignment:

    {
      "value": [
        {
          "properties": {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
            "principalId": "{objectID}",
            "scope": "/",
            "createdOn": "2016-08-17T19:21:16.3422480Z",
            "updatedOn": "2016-08-17T19:21:16.3422480Z",
            "createdBy": "22222222-2222-2222-2222-222222222222",
            "updatedBy": "22222222-2222-2222-2222-222222222222"
          },
          "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
          "type": "Microsoft.Authorization/roleAssignments",
          "name": "11111111-1111-1111-1111-111111111111"
        }
      ],
      "nextLink": null
    }
    

    Again, save the ID from the name parameter, in this case 11111111-1111-1111-1111-111111111111.

  4. Finally, use the role assignment ID to remove the assignment added by elevateAccess:

    DELETE https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01
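The selection rule in step 3 (root scope, this principal, roleDefinitionId ending in the role name ID from step 1) is easy to get wrong by hand when the listing also contains Owner or subscription-scoped assignments. The following added example, which is not Microsoft's code, carries steps 1, 3 and 4 of the REST procedure through offline over constructed JSON shaped like the responses shown above; the function names, the decoy assignments and the GUIDs other than the page's own sample values are assumptions.

```python
"""Pick out the root-scope User Access Administrator assignment created by elevateAccess.

Added example, not Microsoft's code. Works offline on constructed responses that
mirror the roleDefinitions and roleAssignments bodies shown in the REST section.
"""
import json

UAA_ROLE_NAME = "User Access Administrator"
MANAGEMENT_ENDPOINT = "https://management.azure.com"
API_VERSION = "2022-04-01"

# Object ID of the directory administrator who called elevateAccess (page sample value).
ADMIN_OBJECT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed step-1 response (trimmed to the fields the selection needs).
ROLE_DEFINITIONS_RESPONSE = json.dumps({
    "value": [
        {
            "properties": {"roleName": UAA_ROLE_NAME, "type": "BuiltInRole"},
            "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
            "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        }
    ],
    "nextLink": None,
})

# Constructed step-2 response: the elevateAccess assignment plus three decoys that
# each fail exactly one of the three checks (scope, role, principal).
ROLE_ASSIGNMENTS_RESPONSE = json.dumps({
    "value": [
        {   # the assignment elevateAccess created: root scope, UAA, our principal
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                "principalId": ADMIN_OBJECT_ID, "scope": "/"},
            "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
            "name": "11111111-1111-1111-1111-111111111111",
        },
        {   # decoy: same role, same principal, but subscription scope (placeholder GUIDs)
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                "principalId": ADMIN_OBJECT_ID, "scope": "/subscriptions/44444444-4444-4444-4444-444444444444"},
            "id": "/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555",
            "name": "55555555-5555-5555-5555-555555555555",
        },
        {   # decoy: root scope, same principal, but a different (placeholder) role definition
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                "principalId": ADMIN_OBJECT_ID, "scope": "/"},
            "id": "/providers/Microsoft.Authorization/roleAssignments/66666666-6666-6666-6666-666666666666",
            "name": "66666666-6666-6666-6666-666666666666",
        },
        {   # decoy: root scope, UAA, but another principal (matters for the atScope() listing)
            "properties": {
                "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                "principalId": "77777777-7777-7777-7777-777777777777", "scope": "/"},
            "id": "/providers/Microsoft.Authorization/roleAssignments/88888888-8888-8888-8888-888888888888",
            "name": "88888888-8888-8888-8888-888888888888",
        },
    ],
    "nextLink": None,
})


def role_definition_name_id(response_json, role_name=UAA_ROLE_NAME):
    """Step 1: the `name` GUID of the role definition whose roleName matches."""
    body = json.loads(response_json)
    matches = [d["name"] for d in body["value"] if d["properties"].get("roleName") == role_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one {role_name!r} definition, found {len(matches)}")
    return matches[0]


def find_elevated_access_assignments(response_json, role_name_id, principal_id):
    """Step 3: names of assignments at scope "/" for this principal whose
    roleDefinitionId ends with role_name_id. Refuses paged output, because a
    match on a later page would otherwise be silently missed."""
    body = json.loads(response_json)
    if body.get("nextLink"):
        raise ValueError("paged response: follow nextLink and scan every page before selecting")
    hits = []
    for assignment in body["value"]:
        props = assignment["properties"]
        if (props["scope"] == "/"
                and props["principalId"] == principal_id
                and props["roleDefinitionId"].rsplit("/", 1)[-1] == role_name_id):
            hits.append(assignment["name"])
    return hits


def delete_url(assignment_name_id, api_version=API_VERSION):
    """Step 4: the DELETE URL for one root-scope role assignment."""
    return (f"{MANAGEMENT_ENDPOINT}/providers/Microsoft.Authorization/roleAssignments/"
            f"{assignment_name_id}?api-version={api_version}")


if __name__ == "__main__":
    role_id = role_definition_name_id(ROLE_DEFINITIONS_RESPONSE)
    for name in find_elevated_access_assignments(ROLE_ASSIGNMENTS_RESPONSE, role_id, ADMIN_OBJECT_ID):
        print("DELETE", delete_url(name))
```

Only the first sample assignment survives all three checks, so the script prints a single DELETE URL; the subscription-scoped assignment, the other root-scope role and the other principal's root-scope assignment are left alone, which is the behaviour you want before issuing an irreversible delete.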
    

View elevate access log entries in the Directory Activity logs

When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.

View elevate access log entries using the Azure portal

  1. Sign in to the Azure portal as a Global Administrator.

  2. Open Monitor > Activity log.

  3. Change the Activity list to Directory Activity.

  4. Search for the following operation, which signifies the elevate access action.

    Assigns the caller to User Access Administrator role

    Screenshot showing directory activity logs in Monitor.

View elevate access log entries using Azure CLI

  1. Use the az login command to sign in as Global Administrator.

  2. Use the az rest command to make the following call. You must filter by a date, as shown with the example timestamp, and specify a file name where you want the logs to be stored.

    The URL calls the Microsoft.Insights management events API to retrieve the logs. The output is saved to your file. In bash and PowerShell, $filter inside double quotes is expanded as a shell variable; escape it (\$filter in bash, `$filter in PowerShell) so the literal filter reaches the API.

    az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
    
  3. In the output file, search for elevateAccess.

    The log will resemble the following, where you can see the timestamp of when the action occurred and who called it.

      "submissionTimestamp": "2021-08-27T15:42:00.1527942Z",
      "subscriptionId": "",
      "tenantId": "33333333-3333-3333-3333-333333333333"
    },
    {
      "authorization": {
        "action": "Microsoft.Authorization/elevateAccess/action",
        "scope": "/providers/Microsoft.Authorization"
      },
      "caller": "user@example.com",
      "category": {
        "localizedValue": "Administrative",
        "value": "Administrative"
      },
    

Delegate access to a group to view elevate access log entries using Azure CLI

If you want to be able to periodically get the elevate access log entries, you can delegate access to a group and then use Azure CLI.

  1. Open Azure Active Directory > Groups.

  2. Create a new security group and note the group object ID.

  3. Use the az login command to sign in as Global Administrator.

  4. Use the az role assignment create command to assign the Reader role to the group at the Microsoft.Insights provider scope, so that its members can only read the logs at the directory level, which are found under Microsoft.Insights.

    az role assignment create --assignee "{groupId}" --role "Reader" --scope "/providers/Microsoft.Insights"
    
  5. Add a user who will read logs to the previously created group.

A user in the group can now periodically run the az rest command to view elevate access log entries.

az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
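Searching output.txt for elevateAccess by eye, as in step 3 of the earlier Azure CLI procedure and in the periodic review this group is set up for, is fine once; for a recurring check you want the records extracted and ordered. The following added example, which is not Microsoft's code, runs offline over a constructed sample shaped like the management events response above and keeps only records whose authorization.action is Microsoft.Authorization/elevateAccess/action; the function names, the second sample record and its timestamps are assumptions.

```python
"""Extract elevateAccess events from a Directory Activity log export.

Added example, not Microsoft's code. Reads the JSON that the az rest call above
writes to output.txt (the Microsoft.Insights management events response) and
reports who elevated access, when, and in which tenant.
"""
import json
from datetime import datetime, timezone

ELEVATE_ACTION = "Microsoft.Authorization/elevateAccess/action"

# Constructed sample export: one ordinary role-assignment write (not an elevation)
# followed by one elevateAccess record modelled on the excerpt on the page.
SAMPLE_EXPORT = json.dumps({
    "value": [
        {
            "authorization": {
                "action": "Microsoft.Authorization/roleAssignments/write",
                "scope": "/subscriptions/44444444-4444-4444-4444-444444444444",
            },
            "caller": "admin2@example.com",
            "category": {"localizedValue": "Administrative", "value": "Administrative"},
            "eventTimestamp": "2021-08-27T15:40:12.0000000Z",
            "submissionTimestamp": "2021-08-27T15:40:30.0000000Z",
            "subscriptionId": "44444444-4444-4444-4444-444444444444",
            "tenantId": "33333333-3333-3333-3333-333333333333",
        },
        {
            "authorization": {
                "action": ELEVATE_ACTION,
                "scope": "/providers/Microsoft.Authorization",
            },
            "caller": "user@example.com",
            "category": {"localizedValue": "Administrative", "value": "Administrative"},
            "eventTimestamp": "2021-08-27T15:41:58.0000000Z",
            "submissionTimestamp": "2021-08-27T15:42:00.1527942Z",
            "subscriptionId": "",
            "tenantId": "33333333-3333-3333-3333-333333333333",
        },
    ]
})


def parse_timestamp(value):
    """Parse Azure's 7-digit fractional-second timestamps (datetime accepts at most 6)."""
    head, _, frac = value.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{head}.{micro}").replace(tzinfo=timezone.utc)


def elevate_access_events(export_json, since=None):
    """One summary dict per elevateAccess record, oldest first.

    since: optional timezone-aware datetime; records before it are dropped, which
    mirrors the eventTimestamp ge filter in the az rest URL.
    """
    body = json.loads(export_json)
    hits = []
    for record in body.get("value", []):
        if record.get("authorization", {}).get("action") != ELEVATE_ACTION:
            continue
        when = parse_timestamp(record["eventTimestamp"])
        if since is not None and when < since:
            continue
        hits.append({
            "eventTimestamp": when.isoformat(),
            "caller": record.get("caller"),
            "tenantId": record.get("tenantId"),
            "scope": record["authorization"].get("scope"),
        })
    hits.sort(key=lambda h: h["eventTimestamp"])
    return hits


if __name__ == "__main__":
    # For a real export: elevate_access_events(open("output.txt").read())
    for event in elevate_access_events(SAMPLE_EXPORT):
        print(f'{event["eventTimestamp"]}  {event["caller"]}  tenant={event["tenantId"]}')
```

Each elevation then appears as one line that can be reconciled against the expected removals in the Remove elevated access sections: a caller that appears here without a matching root-scope removal still holds User Access Administrator at "/".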

Next steps