Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Do you have an idea or suggestion based on your experience with Azure Management Groups?

← Azure Management Groups

Allow custom RBAC Definitions at the Management Group Level

The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

226 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Bennett Battistoni shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

46 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ray Skweres commented  ·   ·  Flag as inappropriate

    Also would like an update on the DataActions/NotDataactions also it is my understanding that this feature is still in preview can you provide a date on this going GA?

  • Antony Gibbs commented  ·   ·  Flag as inappropriate

    Any news on the inability to use DataActions/NotDataActions in roles with Management Group assignable scope.

    Now been nealry two years that we are waiting for this.

  • Minh Trieu commented  ·   ·  Flag as inappropriate

    AssignableScopes does not support more then one management group when defining custom roles using ARM template.

    "error": {
    "code": "RoleDefinitionManagementGroupAssignableScopesLimitExceeded",
    "message": "Updated role definitions must not add more management group assignable scopes."
    }

  • Omer Zubair commented  ·   ·  Flag as inappropriate

    Custom Role : 'DataActions' is Not Supported for a new role definition at management group level.

  • Narendra Padmani commented  ·   ·  Flag as inappropriate

    => Creation of Role with following was successful
    "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/mymgmtgrp"
    ]
    => Assign role to an user shows successful as well at Management Group Level.
    => But user cannot see the role in effect.

    => Deleting same role via powershell kept failing with "NoContect" error.
    => Deleting this role from Azure Portal worked fine.

    created a same role with Assignable Scope at Suscription level and things started working fine.

  • Janke, Joel commented  ·   ·  Flag as inappropriate

    It appears you can create custom roles with an assignable scope at the management group level, however, the management group IAM GUI does not display these scopes. They do inherit down to all sub-level items (Subscriptions,, Resource Groups, and Resources) and show properly in the GUI at those levels. Is this working or not working yet? Partially working?

  • Dennis Kreibich commented  ·   ·  Flag as inappropriate

    @Management Group Team: How is the status here. Some Custom RBAC Roles are partial working with Managment Groups, but not in every subscription and not to 100%. Could you present an update here?

  • Cory Shadden commented  ·   ·  Flag as inappropriate

    I am not sure the official status of this, but when I assign a custom RBAC role at this time to the root management group, I am now able to see it within the portal on all of the subscriptions and child management groups. It seems like they are definitely working on this, but it would be nice to find some official wording or documentation about this.

  • Ganesh Nadarajan commented  ·   ·  Flag as inappropriate

    Under default root management group, i have created root management group & inside that we have 23 sub management group & each sub management group have its own subscription.
    I have created the custom role which i need to apply to all the subscription from root management group to. To achieve this i have created the custom role & below you can see the json file which i have created to achieve this

    {
    "Name": "Custom role name",
    "Id": "00000000-0000-0000-0000-000000000001",
    "IsCustom": true,
    "Description": "role description",
    "Actions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/ListAccountSas/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/*",
    "*/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/Root-MGMT"
    ]
    }

    **************************************
    you will not see the permission in management group but when you check the permission of custom role from subscription you can able to see what permission the role have.

    Let me know if you have any questions

  • Steven Scott commented  ·   ·  Flag as inappropriate

    When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the Role's ID is not found.

    Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.

    I've tried setting it at each Mgt Group nested under the root but the same error is returned. Any suggestions?

  • Peter Holdridge commented  ·   ·  Flag as inappropriate

    I am noticing this bug as well: You cannot delete the role after you create it if you set the scope to the management group. You have to delete the management group to delete the role.

  • Cory commented  ·   ·  Flag as inappropriate

    Can we get some additional comments from the Management Group Team as to the official status of this feature at this time? Seems that they have gone dark for the past 2 months and we are having to bumble through this.

← Previous 1 3

Azure Management Groups: New Feature Request

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice