How to elevate access to manage all Azure subscriptions and management groups

Overview

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. 

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the following:

  • Regain access to an Azure subscription or management group when a user has lost access
  • Grant another user or yourself access to an Azure subscription or management group
  • See all Azure subscriptions or management groups in an organization
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups 

This blog post shows the ways that you can elevate your access to all subscriptions and management groups.

Azure portal

Follow these steps to elevate access for a Global Administrator using the Azure portal.

  1. Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator.

  2. In the navigation list, click Azure Active Directory and then click Properties.

  3. Under Access management for Azure resources, set the toggle to Yes.

     When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at the root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

     When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

  4. Sign out and sign back in to refresh your access.

You should now have access to all subscriptions and management groups in your directory. You’ll notice that you have been assigned the User Access Administrator role at root scope.
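Because the role stays assigned until the toggle is set back to No, it is worth auditing who holds it. The following is an added example, not part of the original post: it filters role assignment records for User Access Administrator at root scope. The sample records are constructed, and the field names and the `approved` allowlist are assumptions modeled on the JSON that `az role assignment list` prints.

```python
import json

ROOT_SCOPE = "/"
ELEVATED_ROLE = "user access administrator"

# Constructed sample records (not real accounts). Field names are assumed to
# match `az role assignment list` JSON output.
SAMPLE_JSON = """
[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "breakglass@example.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "carol@example.com", "principalType": "User",
   "roleDefinitionName": "Reader", "scope": "/"}
]
"""


def root_elevations(assignments, approved=()):
    """Return (principal, is_approved) for each root-scope elevation.

    The scope must equal "/" exactly: every Azure scope starts with "/",
    so a prefix match would also flag subscription-level assignments.
    """
    approved_set = {name.lower() for name in approved}
    findings = []
    for a in assignments:
        role = (a.get("roleDefinitionName") or "").strip().lower()
        scope = (a.get("scope") or "").strip()
        if role == ELEVATED_ROLE and scope == ROOT_SCOPE:
            principal = a.get("principalName") or a.get("principalId", "<unknown>")
            findings.append((principal, principal.lower() in approved_set))
    return findings


def unapproved(assignments, approved=()):
    """Principals holding the root-scope role without being on the allowlist."""
    return [p for p, ok in root_elevations(assignments, approved) if not ok]


if __name__ == "__main__":
    data = json.loads(SAMPLE_JSON)
    for principal, ok in root_elevations(data, approved=["breakglass@example.com"]):
        print(f"{'approved' if ok else 'REVIEW  '}  {principal}")
```

Any principal reported for review either still has the toggle set to Yes or was elevated and never reverted.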
