If a user want to assign a policy to the tenant root management group, what role can do this?

Shaojun Qin 100

Global administrator role?

Owner role of the subscription?

Navya 6,115 Reputation points Microsoft Vendor

2024-04-29T10:42:27.6866667+00:00

Hi @Shaojun Qin

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.
Navya 6,115 Reputation points Microsoft Vendor

2024-05-03T04:21:57.45+00:00

Hi @Shaojun Qin

If the information below has been helpful in addressing your question, please accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-04-24T13:30:24.9933333+00:00

Hi,

You need Policy Contributor role assigned to the user or the group at the Root Management group.

Management groups are resource at tenant scope and above the subscription scope.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Shaojun Qin 100 Reputation points

2024-04-24T14:14:14.1733333+00:00

So do you mean the Global administrator can also do it?

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-04-25T06:01:19.97+00:00

Global Administrator is Microsoft Entra (Azure AD) role. In order for Global Administrator to gain User access Administrator (assign RBAC) to Azure on tenant scope you need to follow this procedure afterwards.

Shaojun Qin 100 Reputation points

2024-04-25T07:48:57.3366667+00:00

so which one you would choose Global administrator or owner role?

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-04-25T08:08:34.7+00:00

I would choose assigning Policy Contributor role on the root management group. Global administrator will give you full access to Microsoft Entra and with the elevation you will have access to assigning permissions on tenant scope of Azure. That is too many permissions an user account should have for the intended purpose of assigning policies. Same with Owner role, it has too many permissions on Azure on whatever scope you assign it.

Shaojun Qin 100 Reputation points

2024-04-25T08:14:48.1166667+00:00

so do you mean that if I am the owner role of the sub, actually, I can assign a policy to the tenant root management group? Is it true?

Stanislav Zhelyazkov 21,851 Reputation points MVP

2024-04-25T08:36:39.4433333+00:00

No,

this is not true. You have Azure tenant scope. This is the highest level/scope for Azure. Beneath the Azure tenant scope you have the Root Management group. Subscriptions are beneath the root management group. If you do not already have access to the root management group you need to become Global administrator, elevate your access, assign Azure RBAC roles to the accounts that you want to the root management group. Remove the elevated access. At the end for security reasons:

Global administrators should not have the option to elevate their access to Azure tenant.

Accounts with global administrators should be limited.

Accounts with ability to assign roles (Owner or user access administrator) roles on the tenant scope and/or root management group scope should be limited.
Sign in to comment

Share via

If a user want to assign a policy to the tenant root management group, what role can do this?

1 answer