How to elevate access to manage all Azure subscriptions and management groups

Overview

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory.

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the following:

Regain access to an Azure subscription or management group when a user has lost access
Grant another user or yourself access to an Azure subscription or management group
See all Azure subscriptions or management groups in an organization
Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups

This blog post shows the ways that you can elevate your access to all subscriptions and management groups.

Azure portal

Follow these steps to elevate access for a Global Administrator using the Azure portal.

In the navigation list, click Azure Active Directory and then click Properties.

Under Access management for Azure resources, set the toggle to Yes.

When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at the root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

Sign out and sign back in to refresh your access.

You should now have access to all subscriptions and management groups in your directory. You’ll notice that you have been assigned the User Access Administrator role at root scope.