The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.
221 votes
Custom RBAC is supporting the management groups scope with a few limitations. The MG team and Identity teams are working on removing these limitations but no timeline is available yet.
Right now, there's no way to set Alerts or Alert Rules that trigger when a specific event occurs; or even how to send those logs to a Log Analytics workspace. As such, in Log Analytics workspace, the scope cannot be changed to specify management groups.
7 votes
We are working with the Log Analytics team to enable exporting of all activity to a workspace. There you will be able to set alerts on events. Planned to have this available by end of year.