Custom Roles at the Management Group Level

Please add the ability to define custom roles for Azure RBAC at the new Management Group level. Would like to be able to create custom roles and set the assignable scope to our root management group so that the role definition is available throughout our tenant.

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

71 votes

Dan M shared this idea · Mar 15, 2018 · Flag idea as inappropriate… · Admin →

planned ·

AdminAzure AD Team (Product Manager, Microsoft Azure) responded · Oct 29, 2018

Just wanted to leave a quick update, we’re continuing to work on this feature and will share details in the near future.

Cheers,
/Stuart and Balaji

Show previous admin responses (1)

16 comments

An error occurred while saving the comment

Arulraj commented · February 20, 2020 4:02 AM · Flag as inappropriate

Any update

Submitting...
Janke, Joel commented · December 16, 2019 3:35 PM · Flag as inappropriate

It appears you can create custom roles with an assignable scope at the management group level, however, the management group IAM GUI does not display these scopes. They do inherit down to all sub-level items (Subscriptions,, Resource Groups, and Resources) and show properly in the GUI at those levels.

Submitting...
Janke, Joel commented · December 16, 2019 3:11 PM · Flag as inappropriate

Is it not time to get an update on this feature request?

Submitting...
Steven Scott commented · August 6, 2019 6:39 AM · Flag as inappropriate

Any update here? I am automating our subscription creation process and need to have this capability.

Submitting...
Lester W commented · June 13, 2019 3:41 AM · Flag as inappropriate

This feature is available NOW (programmatically). In PowerShell, you add a management group as an assignable scope. For example: $Role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<management group ID>")

Duplicate Feedback of
https://feedback.azure.com/forums/911473-azure-management-groups/suggestions/34391878-allow-custom-rbac-definitions-at-the-management-gr?

Submitting...
Talal Masood commented · June 13, 2019 1:44 AM · Flag as inappropriate

When this will be available please?

Submitting...
Bart Michel commented · May 19, 2019 10:58 PM · Flag as inappropriate

Is there any update yet? we can't use only built-in roles so please get this workin :-)

Submitting...
Simon commented · May 9, 2019 5:43 AM · Flag as inappropriate

Agreed, otherwise management groups are more or less useless if you rely a lot on Custom roles

Submitting...
Charity Shelbourne commented · May 6, 2019 7:12 AM · Flag as inappropriate

Is this still planned? We're interested in doing this as well.

Submitting...
Mitch B. commented · April 3, 2019 4:10 PM · Flag as inappropriate

Any update on this?

Submitting...
JH commented · March 14, 2019 12:04 PM · Flag as inappropriate

Agreed this is needed!
Duplicate of: https://feedback.azure.com/forums/911473-azure-management-groups/suggestions/34391878-allow-custom-rbac-definitions-at-the-management-gr

Submitting...
Dany Contreras commented · March 13, 2019 8:28 AM · Flag as inappropriate

Hello, do you have an update on ETA for availability of custom roles on management groups?

Submitting...
Corey Zwart commented · March 12, 2019 7:19 AM · Flag as inappropriate

Please provide an update Stuart and Balaji... we need to be able to use this functionality as management groups are GA and are being recommended as the best practice.

Submitting...
Adam commented · January 24, 2019 12:46 PM · Flag as inappropriate

Is there an update on this? The last entry is Oct 29th and says that we would get details in the near future

Submitting...
Anonymous commented · October 8, 2018 7:38 AM · Flag as inappropriate

Any new updates, this is essential option for our teams, is there any indication as to when this will be available

Submitting...
Brian Jackett commented · August 1, 2018 6:12 AM · Flag as inappropriate

Any update on this? I see that Management Groups are now GA.

Submitting...