Allow custom RBAC Definitions at the Management Group Level

The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

163 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Bennett Battistoni shared this idea · May 29, 2018 · Flag idea as inappropriate… · Admin →

started ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · May 30, 2019

Hi Everyone,
I apologize about the delay but Custom RBAC Support is now available in Production. You are able to to create role definitions at the MG scope and assign them to inherited MGs and Subs.

There is a bug that is in the portal where the new custom role is not showing when you are trying to do a role assignment on an inherited child MG/Sub. This should be resolved soon and PowerShell, CLI, and API are all working. I will not do any announcements yet on the availability of the feature until the portal bug is fixed. Once that is fixed we will do blog announcements and I will mark the feature complete here.

Show previous admin responses (5)

started ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · Mar 28, 2019

I want to give everyone an update on Management Groups support for Custom RBAC Roles.

We are wrapping up development and testing this week which everything is looking great. Unfortunately, there is a large set of features ahead of us on the backlog for Code Review, Integrations, and Deployments which will cause us to move out the expected GA date to early May. Hopefully, we will be able to get through these last steps quicker than expected and get the feature out as soon as we can.

Any questions please let us know.
Thanks
-Rich

started ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · Feb 7, 2019

Hi Everyone,
I wanted to give a status update. We are in the middle of the work to support this and we are trending to have this ready by the end of March.

Thanks
Rich

started ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · Dec 14, 2018

Hi Everyone,
We have started work on this feature and expect the Custom RBAC support to be available in the 1st Q of 2019.

Thanks

planned ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · Nov 2, 2018

To give everyone an update, we are still looking to implement custom role support as soon as possible. Unfortunately, due to internal changes and challenges we are now looking to deliver this in the December 2018 – January 2019 Timeframe.

Thanks

planned ·

AdminManagement Group Team (Product Manager, Microsoft Azure) responded · Jun 4, 2018

We have a high priority to get Custom RBAC supported on Management Groups. We have this in our backlog and are looking to support this soon after we release GA.

Thanks
-Rich

25 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Dax Fohl commented · July 9, 2019 1:45 PM · Flag as inappropriate

@chuck there was a bug in the initial preview implementation. A fix for this was rolled out on Friday and the RBAC inheritance should now be working for you.
Trevor commented · July 2, 2019 7:26 PM · Flag as inappropriate

@Chuck - I was having the same problem. Update the Assignable Scopes to BOTH the Management Group and your Subscription. I was then able to use a Blueprint to deploy that custom Role to a Resource Group

In Terraform:

assignable_scopes = [
"/providers/Microsoft.Management/managementGroups/<MGMTGRPID>",
"/subscriptions/<SUBID>",
]
chuck commented · June 22, 2019 11:50 PM · Flag as inappropriate

Used this new feature, but doesn't seem to be working. Created a role definition with read action, set assignablescopes to the management group. Assigned the role at the subscription level. That worked as expected. But the user can't access any sub-resources, like resource groups. Using another account with owner over the subscription, checked the portal IAM section for the resource groups permissions. It shows the role assignment as being inherited. Tried this same test with several different roles/actions, etc. Same results.

Submitted an incident. Waiting on response from MS
Logan commented · June 10, 2019 2:44 PM · Flag as inappropriate

Found the answer, and successfully tested:

$Role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<management group ID>")
Logan commented · June 10, 2019 2:19 PM · Flag as inappropriate

Same question as the last two comments....how do we set assignable scopes to Tenant Root group or a specific MG?
Bell, Marlo R commented · June 10, 2019 10:18 AM · Flag as inappropriate

Great news as this is cause us pain. I assume, you can just use "/" as the assignable scope for the Root MG.
Anonymous commented · June 2, 2019 8:03 PM · Flag as inappropriate

Great news!
I'd like to try it, but how can I set MG ids in "assignableScopes"?

{ assignableScopes": ["?"] }
Anonymous commented · May 27, 2019 12:51 AM · Flag as inappropriate

Hi, Any update on this request please?
Moses O'Hara commented · May 26, 2019 6:51 PM · Flag as inappropriate

Hi, any update on this; were EOM now?
Devanshu Joshi commented · May 15, 2019 6:20 AM · Flag as inappropriate

Any Update on this request? It's mid-may already.
Moses O'Hara commented · May 14, 2019 9:18 PM · Flag as inappropriate

Hi, is there a GA date for this yet, we're now mid-may and all seems to have gone quite from an update POV?
Dan commented · May 14, 2019 3:18 PM · Flag as inappropriate

The fact that we can't scope to mgmt group scope (or root scope for our tenant as a temporary workaround) is a huge blocker to moving on to significantly more productive work. Within my organisation we have 30-something subscriptions (and ramping up quickly), which translates to a lot of manual overhead when working with our custom roles (modifying assignable scope each time).

Hope this (or some kind of root-scope workaround) is coming soon!
Yonathan D. Duran D. commented · May 14, 2019 2:52 PM · Flag as inappropriate

Hello any update , need this for big migration in my country.
Andrew commented · May 13, 2019 2:46 PM · Flag as inappropriate

Are there any updates on this? It's starting pass early May.
Lester W commented · April 4, 2019 12:49 AM · Flag as inappropriate

How can one get on the Preview?
Oberle, Kenneth (K.) commented · March 20, 2019 4:03 AM · Flag as inappropriate

Are there any updates on this? It's getting to the end of March.
JH commented · March 12, 2019 7:06 AM · Flag as inappropriate

Is this feature still on track? Currently implementing MG, and we are missing custom roles support as well.
Seif Allah Ben Amara commented · March 7, 2019 4:44 AM · Flag as inappropriate

Any update on this MG ?
we would really need it
Stefan commented · February 5, 2019 2:27 AM · Flag as inappropriate

Customers need this feature.
Hicham KADIRI commented · December 13, 2018 4:22 PM · Flag as inappropriate

Hi Az Management Group Team,

Any news about the Custom RBAC Definitions at the Mgmt Grp level ?
I have several customers for which i want to implement a specific RBAC model at the mgmt group level, because they have several dozen of suscriptions and it becomes harder to manage the role assignement cross all subscriptions.

Thank's for your reply

#HK