Allow custom RBAC Definitions at the Management Group Level
The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome, as every new subscription that needs the role assigned needs to have the Role.AssignableScopes attribute of the custom role appended. We would like to centrally manage these using management groups, similar to the way we manage Policy applied over several subscriptions.
Custom RBAC supports the management group scope with a few limitations. The MG team and Identity teams are working on removing these limitations, but no timeline is available yet.
Minh Trieu commented
AssignableScopes does not support more than one management group when defining custom roles using an ARM template.
"message": "Updated role definitions must not add more management group assignable scopes."
PowerShell's Remove-AzRoleDefinition is unable to remove the role at the management group level.
The workaround is to use the Portal GUI.
Custom Role: 'DataActions' is not supported for a new role definition at the management group level.
Narendra Padmani commented
=> Creation of the role with the following was successful.
=> Assigning the role to a user shows as successful as well at the Management Group level.
=> But the user cannot see the role in effect.
=> Deleting the same role via PowerShell kept failing with a "NoContect" error.
=> Deleting this role from the Azure Portal worked fine.
I created the same role with the Assignable Scope at the Subscription level and things started working fine.
It appears you can create custom roles with an assignable scope at the management group level; however, the management group IAM GUI does not display these scopes. They do inherit down to all sub-level items (Subscriptions, Resource Groups, and Resources) and show properly in the GUI at those levels. Is this working or not working yet? Partially working?
Elan Shudnow commented
See this blog post for how to get Custom RBAC roles working with Management Groups: https://www.shudnow.net/2019/11/10/azure-management-groups-and-custom-rbac-roles/
Dennis Kreibich commented
@Management Group Team: What is the status here? Some custom RBAC roles are partially working with Management Groups, but not in every subscription and not 100%. Could you present an update here?
Cory Shadden commented
I am not sure the official status of this, but when I assign a custom RBAC role at this time to the root management group, I am now able to see it within the portal on all of the subscriptions and child management groups. It seems like they are definitely working on this, but it would be nice to find some official wording or documentation about this.
Do you have any update regarding the portal bug being fixed?
Will try and revert.
Ganesh Nadarajan commented
Under the default root management group, I have created a root management group, and inside that we have 23 sub management groups, each with its own subscription.
I have created a custom role which I need to apply to all the subscriptions from the root management group. To achieve this I created the custom role; below you can see the JSON file I created for it.
"Name": "Custom role name",
"Description": "role description",
You will not see the permission in the management group, but when you check the permissions of the custom role from the subscription you can see what permissions the role has.
Let me know if you have any questions
Steven Scott commented
When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the role's ID is not found.
Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.
I've tried setting it at each Mgt Group nested under the root, but the same error is returned. Any suggestions?
Peter Holdridge commented
I am noticing this bug as well: You cannot delete the role after you create it if you set the scope to the management group. You have to delete the management group to delete the role.
Can we get some additional comments from the Management Group Team as to the official status of this feature at this time? Seems that they have gone dark for the past 2 months and we are having to bumble through this.
Francois LEON commented
I did some tests today, and the result is not what I expected.
I created a custom RBAC role with only "Microsoft.Resources/subscriptions/resourceGroups/write". Now if I set the assignable scope at the MG level (assignablescopes), users do not receive the proper right when I use this custom role at a resource group.
If I assign at the subscription instead (assignablescopes), everything is fine for the user.
In my opinion it is not fully ready for production.
Dax Fohl commented
@chuck there was a bug in the initial preview implementation. A fix for this was rolled out on Friday and the RBAC inheritance should now be working for you.
Trevor White commented
@Chuck - I was having the same problem. Update the Assignable Scopes to BOTH the Management Group and your Subscription. I was then able to use a Blueprint to deploy that custom role to a Resource Group.
assignable_scopes = [
Used this new feature, but it doesn't seem to be working. Created a role definition with a read action and set assignablescopes to the management group. Assigned the role at the subscription level. That worked as expected. But the user can't access any sub-resources, like resource groups. Using another account with Owner over the subscription, I checked the portal IAM section for the resource group permissions. It shows the role assignment as being inherited. Tried this same test with several different roles/actions, etc. Same results.
Submitted an incident. Waiting on a response from MS.
Found the answer, and successfully tested:
$Role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<management group ID>")
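The full sequence around that line, as an added example that is not part of the comment above: fetch the existing custom role, append the management group scope, write the definition back, and confirm it is now listed at that scope. The role name and the management group ID are placeholders.

```powershell
# Added example (not from the thread): extend an existing custom role's
# AssignableScopes with a management group, then verify the result.
# Placeholders: 'Custom role name' and '<management group ID>'.
$mgScope = "/providers/Microsoft.Management/managementGroups/<management group ID>"

# Fetch the current definition; AssignableScopes is a mutable list of scope strings.
$role = Get-AzRoleDefinition -Name "Custom role name"

# Only append the management group scope if it is not already present.
if ($role.AssignableScopes -notcontains $mgScope) {
    $role.AssignableScopes.Add($mgScope)
}

# Push the updated definition back to Azure.
Set-AzRoleDefinition -Role $role

# Verify: the custom role should now appear when querying definitions
# at the management group scope (the portal may still not display it there).
Get-AzRoleDefinition -Scope $mgScope -Custom |
    Where-Object { $_.Name -eq "Custom role name" }
```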