Need ability to block inheritance at Management Group level. This is to keep access set at root from flowing down within special sensitive environments.
12 votes
At this time we are not planning on introducing any “non-inheriting” permissions or capabilities.
I am going to leave this item marked as unplanned so that voting can still happen on the request.
In Management Groups
- Adding a subscription to a management group.
Replace dropdown with a view so you can select multiple subscriptions and also see to which MG a subscription belongs.
Also filter by MG group there and also view all subscriptions that do not belong to a MG currently.
7 votes
We are working closely with the UI design team to develop a better hierarchy selection tool. This will be a standard view that can be used across the portal. I don’t have a timeline yet that I can share.
It would be good to be able to set a spending limit on a Management group that all subscriptions inherit; when this limit is reached, the subscription is disabled.
6 votes
We are in discussions with the cost management team to see if this capability can be done and when. Nothing is planned at this time.
Large organization with complex RBAC model needs ability for Management Groups to go more than 6 levels deep. There is no ideal number, but perhaps 10-15 would get us the flexibility we need?
2 votes
At this time we do not have plans to increase the hierarchy depth past 6 levels.
If we receive a large volume of feedback on this from customers we will re-evaluate.
I believe that my request or idea is similar to the topic "Splitting management group rights from subscription rights".
I understand that a user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.
2 votes
Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources which means they do not look or govern the classic roles.
While we have no plans to support governing classic roles, I will keep this item open as unplanned.