Do you have an idea or suggestion based on your experience with Azure Management Groups?

← Azure Management Groups

Allow custom RBAC Definitions at the Management Group Level

The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

207 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bennett Battistoni shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

41 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Minh Trieu commented  ·   ·  Flag as inappropriate

    AssignableScopes does not support more then one management group when defining custom roles using ARM template.

    "error": {
    "code": "RoleDefinitionManagementGroupAssignableScopesLimitExceeded",
    "message": "Updated role definitions must not add more management group assignable scopes."
    }

  • Omer Zubair commented  ·   ·  Flag as inappropriate

    Custom Role : 'DataActions' is Not Supported for a new role definition at management group level.

  • Narendra Padmani commented  ·   ·  Flag as inappropriate

    => Creation of Role with following was successful
    "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/mymgmtgrp"
    ]
    => Assign role to an user shows successful as well at Management Group Level.
    => But user cannot see the role in effect.

    => Deleting same role via powershell kept failing with "NoContect" error.
    => Deleting this role from Azure Portal worked fine.

    created a same role with Assignable Scope at Suscription level and things started working fine.

  • Joel commented  ·   ·  Flag as inappropriate

    It appears you can create custom roles with an assignable scope at the management group level, however, the management group IAM GUI does not display these scopes. They do inherit down to all sub-level items (Subscriptions,, Resource Groups, and Resources) and show properly in the GUI at those levels. Is this working or not working yet? Partially working?

  • Dennis Kreibich commented  ·   ·  Flag as inappropriate

    @Management Group Team: How is the status here. Some Custom RBAC Roles are partial working with Managment Groups, but not in every subscription and not to 100%. Could you present an update here?

  • Cory Shadden commented  ·   ·  Flag as inappropriate

    I am not sure the official status of this, but when I assign a custom RBAC role at this time to the root management group, I am now able to see it within the portal on all of the subscriptions and child management groups. It seems like they are definitely working on this, but it would be nice to find some official wording or documentation about this.

  • Ganesh Nadarajan commented  ·   ·  Flag as inappropriate

    Under default root management group, i have created root management group & inside that we have 23 sub management group & each sub management group have its own subscription.
    I have created the custom role which i need to apply to all the subscription from root management group to. To achieve this i have created the custom role & below you can see the json file which i have created to achieve this

    {
    "Name": "Custom role name",
    "Id": "00000000-0000-0000-0000-000000000001",
    "IsCustom": true,
    "Description": "role description",
    "Actions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/ListAccountSas/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/*",
    "*/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/Root-MGMT"
    ]
    }

    **************************************
    you will not see the permission in management group but when you check the permission of custom role from subscription you can able to see what permission the role have.

    Let me know if you have any questions

  • Steven Scott commented  ·   ·  Flag as inappropriate

    When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the Role's ID is not found.

    Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.

    I've tried setting it at each Mgt Group nested under the root but the same error is returned. Any suggestions?

  • Peter Holdridge commented  ·   ·  Flag as inappropriate

    I am noticing this bug as well: You cannot delete the role after you create it if you set the scope to the management group. You have to delete the management group to delete the role.

  • Cory commented  ·   ·  Flag as inappropriate

    Can we get some additional comments from the Management Group Team as to the official status of this feature at this time? Seems that they have gone dark for the past 2 months and we are having to bumble through this.

  • Francois LEON commented  ·   ·  Flag as inappropriate

    Hi,
    I did some tests today, and the result is not what I've expected.
    I've created a custom RBAC with only "Microsoft.Resources/subscriptions/resourceGroups/write". Now if I assignscope at the MG level (assignablescopes), users do not receive the proper right when I use this custom role at a resource group.
    If I assign at the subcription instead (assignablescopes), everything is fine for the user.
    It seems not fully ready for production according to me.
    Cheers

  • Dax Fohl commented  ·   ·  Flag as inappropriate

    @chuck there was a bug in the initial preview implementation. A fix for this was rolled out on Friday and the RBAC inheritance should now be working for you.

  • Trevor White commented  ·   ·  Flag as inappropriate

    @Chuck - I was having the same problem. Update the Assignable Scopes to BOTH the Management Group and your Subscription. I was then able to use a Blueprint to deploy that custom Role to a Resource Group

    In Terraform:

    assignable_scopes = [
    "/providers/Microsoft.Management/managementGroups/<MGMTGRPID>",
    "/subscriptions/<SUBID>",
    ]

  • chuck commented  ·   ·  Flag as inappropriate

    Used this new feature, but doesn't seem to be working. Created a role definition with read action, set assignablescopes to the management group. Assigned the role at the subscription level. That worked as expected. But the user can't access any sub-resources, like resource groups. Using another account with owner over the subscription, checked the portal IAM section for the resource groups permissions. It shows the role assignment as being inherited. Tried this same test with several different roles/actions, etc. Same results.

    Submitted an incident. Waiting on response from MS

  • Logan commented  ·   ·  Flag as inappropriate

    Found the answer, and successfully tested:

    $Role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<management group ID>")

← Previous 1 3

Azure Management Groups: New Feature Request

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice