Do you have an idea or suggestion based on your experience with Azure Management Groups?

← Azure Management Groups

Allow custom RBAC Definitions at the Management Group Level

The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

180 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bennett Battistoni shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminManagement Group Team (Product Manager, Microsoft Azure) responded  · 

Hi Everyone,
I apologize about the delay but Custom RBAC Support is now available in Production. You are able to to create role definitions at the MG scope and assign them to inherited MGs and Subs.

There is a bug that is in the portal where the new custom role is not showing when you are trying to do a role assignment on an inherited child MG/Sub. This should be resolved soon and PowerShell, CLI, and API are all working. I will not do any announcements yet on the availability of the feature until the portal bug is fixed. Once that is fixed we will do blog announcements and I will mark the feature complete here.

Show previous admin responses (5)

31 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ganesh Nadarajan commented  ·   ·  Flag as inappropriate

    Under default root management group, i have created root management group & inside that we have 23 sub management group & each sub management group have its own subscription.
    I have created the custom role which i need to apply to all the subscription from root management group to. To achieve this i have created the custom role & below you can see the json file which i have created to achieve this

    {
    "Name": "Custom role name",
    "Id": "00000000-0000-0000-0000-000000000001",
    "IsCustom": true,
    "Description": "role description",
    "Actions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/ListAccountSas/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/*",
    "*/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/Root-MGMT"
    ]
    }

    **************************************
    you will not see the permission in management group but when you check the permission of custom role from subscription you can able to see what permission the role have.

    Let me know if you have any questions

  • Steven Scott commented  ·   ·  Flag as inappropriate

    When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the Role's ID is not found.

    Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.

    I've tried setting it at each Mgt Group nested under the root but the same error is returned. Any suggestions?

  • Peter Holdridge commented  ·   ·  Flag as inappropriate

    I am noticing this bug as well: You cannot delete the role after you create it if you set the scope to the management group. You have to delete the management group to delete the role.

  • Cory commented  ·   ·  Flag as inappropriate

    Can we get some additional comments from the Management Group Team as to the official status of this feature at this time? Seems that they have gone dark for the past 2 months and we are having to bumble through this.

  • Francois LEON commented  ·   ·  Flag as inappropriate

    Hi,
    I did some tests today, and the result is not what I've expected.
    I've created a custom RBAC with only "Microsoft.Resources/subscriptions/resourceGroups/write". Now if I assignscope at the MG level (assignablescopes), users do not receive the proper right when I use this custom role at a resource group.
    If I assign at the subcription instead (assignablescopes), everything is fine for the user.
    It seems not fully ready for production according to me.
    Cheers

  • Dax Fohl commented  ·   ·  Flag as inappropriate

    @chuck there was a bug in the initial preview implementation. A fix for this was rolled out on Friday and the RBAC inheritance should now be working for you.

  • Trevor White commented  ·   ·  Flag as inappropriate

    @Chuck - I was having the same problem. Update the Assignable Scopes to BOTH the Management Group and your Subscription. I was then able to use a Blueprint to deploy that custom Role to a Resource Group

    In Terraform:

    assignable_scopes = [
    "/providers/Microsoft.Management/managementGroups/<MGMTGRPID>",
    "/subscriptions/<SUBID>",
    ]

  • chuck commented  ·   ·  Flag as inappropriate

    Used this new feature, but doesn't seem to be working. Created a role definition with read action, set assignablescopes to the management group. Assigned the role at the subscription level. That worked as expected. But the user can't access any sub-resources, like resource groups. Using another account with owner over the subscription, checked the portal IAM section for the resource groups permissions. It shows the role assignment as being inherited. Tried this same test with several different roles/actions, etc. Same results.

    Submitted an incident. Waiting on response from MS

  • Logan commented  ·   ·  Flag as inappropriate

    Found the answer, and successfully tested:

    $Role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<management group ID>")

  • Logan commented  ·   ·  Flag as inappropriate

    Same question as the last two comments....how do we set assignable scopes to Tenant Root group or a specific MG?

  • Bell, Marlo R commented  ·   ·  Flag as inappropriate

    Great news as this is cause us pain. I assume, you can just use "/" as the assignable scope for the Root MG.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Great news!
    I'd like to try it, but how can I set MG ids in "assignableScopes"?

    { assignableScopes": ["?"] }

  • Moses O'Hara commented  ·   ·  Flag as inappropriate

    Hi, is there a GA date for this yet, we're now mid-may and all seems to have gone quite from an update POV?

  • Dan commented  ·   ·  Flag as inappropriate

    The fact that we can't scope to mgmt group scope (or root scope for our tenant as a temporary workaround) is a huge blocker to moving on to significantly more productive work. Within my organisation we have 30-something subscriptions (and ramping up quickly), which translates to a lot of manual overhead when working with our custom roles (modifying assignable scope each time).

    Hope this (or some kind of root-scope workaround) is coming soon!

← Previous 1

Azure Management Groups: New Feature Request

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice