Elevate Access to Root Management Group

Published on Tuesday, July 3, 2018

Management Groups

Recently a new Azure resource type was introduced called Management Groups, which allows users to group Azure Subscriptions under the same Azure AD Directory (aka. Tenant) for ease of access and policy management.

Azure Docs Article: Organize your resources with Azure management groups

Root Management Group

By default all of the subscriptions attached to the Directory (your_organization.onmicrosoft.com) will be under the "Tenant Root Group". However, when you first enable Management Groups you will not have access to the Root Group. To get full Owner access to the group you need to use a Directory Global Admin to assign the Owner role to a user.

This article generically outlines how to elevate access for a Global Administrator. Once you follow the first set of steps you can run the following PowerShell commands to setup your permissions.

Only a Global Administrator will be able to get elevated access.

Owner Role Assignment

Note: This requires AzureRM.Resources Module version 6.1.0 or above

  1. Login to Azure PowerShell using Connect-AzureRmAccount

  2. Verify that you have User Access Administrator permissions

    Get-AzureRmRoleAssignment | 
        where {$_.RoleDefinitionName -eq "User Access Administrator" `
            -and $_.SignInName -eq "<username@example.com>" `
            -and $_.Scope -eq "/"}
  3. Get the "Tenant Root Group" Id property using Get-AzureRmManagementGroup

    It will be of the form /providers/Microsoft.Management/managementGroups/94c40a73-c82f-47f0-8244-aed167ae33a0 where the GUID is the Directory ID of the Azure AD Directory.

  4. Create a new Owner role assignment

    New-AzureRmRoleAssignment `
        -ObjectId $userObjectId `
        -RoleDefinitionName "Owner" `
        -Scope $rootManagementGroupId

Clean Up

Once you have verified access to the Root Management Group, go back to Azure Active Directory and disable the "User Access Administrator" role assignment by setting the directory property to No or running the following script

Remove-AzureRmRoleAssignment `
    -SignInName "<username@example.com>" `
    -RoleDefinitionName "User Access Administrator" `
    -Scope "/"