The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.205 votes
Custom RBAC is supporting the management groups scope with a few limitations. The MG team and Identity teams are working on removing these limitations but no timeline is available yet.
When using Azure Management Groups, any new management group or subscription that is created is made a default child of the Root management group.
This feature would allow a admin with access to the root management group to select different default group. This group will then act as the landing area for all new management groups and subscriptions that are not created with a parent already selected.14 votes
We are testing a feature that will allow a user with new hierarchy setting permissions on the root MG to be able to set a Default MG. This Default MG will be the parent on all Subscriptions that would currently go under the Root MG.
Planning to be rolled out by end of March 2020
- Don't see your idea?