Allow custom RBAC Definitions at the Management Group Level
The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome, as every new subscription which needs the role assigned must have the custom role's AssignableScopes attribute appended. We would like to centrally manage these using management groups, similar to the way we manage Policy applied over several subscriptions.

Custom RBAC supports the management group scope with a few limitations. The MG team and Identity teams are working on removing these limitations, but no timeline is available yet.
To keep updated please see https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#custom-rbac-role-definition-and-assignment
43 comments
-
Omer Zubair commented
Oh wow, was not aware of that limitation @Minh. Thanks. Not sure if 'DataActions' is allowed?
-
Minh Trieu commented
AssignableScopes does not support more than one management group when defining custom roles using an ARM template.
"error": {
"code": "RoleDefinitionManagementGroupAssignableScopesLimitExceeded",
"message": "Updated role definitions must not add more management group assignable scopes."
}
-
Omer Zubair commented
Powershell for Remove-AzRoleDefinition is unable to remove the Role at Management Group level.
workaround is use Portal GUI
-
Omer Zubair commented
We are unable to create a Custom Role with DataActions in it, e.g. for a storage account:
DataAction
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Returns the result of adding blob content. See the Operations Page:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
-
Omer Zubair commented
Custom Role : 'DataActions' is Not Supported for a new role definition at management group level.
-
Narendra Padmani commented
=> Creation of a Role with the following was successful:
"AssignableScopes": [
"/providers/Microsoft.Management/managementGroups/mymgmtgrp"
]
=> Assigning the role to a user shows as successful as well at the Management Group level.
=> But the user cannot see the role in effect.
=> Deleting the same role via PowerShell kept failing with a "NoContect" error.
=> Deleting this role from the Azure Portal worked fine. Created the same role with an Assignable Scope at Subscription level and things started working fine.
-
Janke, Joel commented
It appears you can create custom roles with an assignable scope at the management group level; however, the management group IAM GUI does not display these scopes. They do inherit down to all sub-level items (Subscriptions, Resource Groups, and Resources) and show properly in the GUI at those levels. Is this working or not working yet? Partially working?
-
Janke, Joel commented
Any updates?
-
Elan Shudnow commented
See this blog post for how to get Custom RBAC roles working with Management Groups: https://www.shudnow.net/2019/11/10/azure-management-groups-and-custom-rbac-roles/
-
Dennis Kreibich commented
@Management Group Team: What is the status here? Some Custom RBAC Roles are partially working with Management Groups, but not in every subscription and not 100%. Could you present an update here?
-
Cory Shadden commented
I am not sure the official status of this, but when I assign a custom RBAC role at this time to the root management group, I am now able to see it within the portal on all of the subscriptions and child management groups. It seems like they are definitely working on this, but it would be nice to find some official wording or documentation about this.
-
Anonymous commented
Do you have any update regarding the portal bug fix?
-
Omer Zubair commented
Thanks @Ganesh
Will try and revert.
-
Ganesh Nadarajan commented
Under the default root management group, I have created a root management group, and inside that we have 23 sub management groups, each with its own subscription.
I have created the custom role which I need to apply to all the subscriptions from the root management group. To achieve this I have created the custom role, and below you can see the JSON file which I created to achieve this:
{
"Name": "Custom role name",
"Id": "00000000-0000-0000-0000-000000000001",
"IsCustom": true,
"Description": "role description",
"Actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"*/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/providers/Microsoft.Management/managementGroups/Root-MGMT"
]
}
You will not see the permission in the management group, but when you check the permissions of the custom role from a subscription you are able to see what permissions the role has. Let me know if you have any questions.
-
Steven Scott commented
When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the Role's ID is not found.
Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.
I've tried setting it at each Mgt Group nested under the root but the same error is returned. Any suggestions?
-
Peter Holdridge commented
I am noticing this bug as well: You cannot delete the role after you create it if you set the scope to the management group. You have to delete the management group to delete the role.
-
Cory commented
Can we get some additional comments from the Management Group Team as to the official status of this feature at this time? Seems that they have gone dark for the past 2 months and we are having to bumble through this.
-
Francois LEON commented
Hi,
I did some tests today, and the result is not what I've expected.
I've created a custom RBAC role with only "Microsoft.Resources/subscriptions/resourceGroups/write". Now if I assign the scope at the MG level (AssignableScopes), users do not receive the proper right when I use this custom role at a resource group.
If I assign at the subscription instead (AssignableScopes), everything is fine for the user.
It does not seem fully ready for production, in my opinion.
Cheers
-
Dax Fohl commented
@chuck there was a bug in the initial preview implementation. A fix for this was rolled out on Friday and the RBAC inheritance should now be working for you.
-
Trevor White commented
@Chuck - I was having the same problem. Update the Assignable Scopes to BOTH the Management Group and your Subscription. I was then able to use a Blueprint to deploy that custom Role to a Resource Group
In Terraform:
assignable_scopes = [
"/providers/Microsoft.Management/managementGroups/<MGMTGRPID>",
"/subscriptions/<SUBID>",
]
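A pre-flight check that applies the limitations reported in this thread (one management group per definition, no DataActions at management group scope, and Trevor White's workaround of listing the subscription next to the management group) to a role definition in the JSON shape Ganesh posted. This is an added example written for this page, not Azure tooling; the sample role definitions and the `<SUBID>` placeholder are constructed.

```python
"""Pre-flight check for an Azure custom role definition (the JSON shape Ganesh
posted above) against the management-group limitations reported in this thread.
Hypothetical helper written for this page, not part of Azure's tooling."""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"


def validate_role(role: dict) -> list:
    """Return the problems found in a role definition; an empty list passes."""
    problems = []
    scopes = role.get("AssignableScopes", [])
    mg_scopes = [s for s in scopes if s.startswith(MG_PREFIX)]
    sub_scopes = [s for s in scopes if s.startswith(SUB_PREFIX)]
    # Minh Trieu's report: more than one management group scope is rejected
    if len(mg_scopes) > 1:
        problems.append("more than one management group in AssignableScopes")
    # Omer Zubair's report: DataActions are not supported at management group scope
    if mg_scopes and (role.get("DataActions") or role.get("NotDataActions")):
        problems.append("DataActions/NotDataActions not supported with a management group scope")
    # Hygiene: repeated entries (Ganesh's definition lists several actions twice)
    actions = role.get("Actions", [])
    dupes = sorted({a for a in actions if actions.count(a) > 1})
    if dupes:
        problems.append("duplicate Actions: " + ", ".join(dupes))
    # Trevor White's workaround: list the subscription next to the management group
    if mg_scopes and not sub_scopes:
        problems.append("no subscription scope alongside the management group scope")
    return problems


# Constructed sample that breaks every rule above: two management groups, a
# storage DataAction, a repeated action and no subscription scope.
BAD_ROLE = {
    "Name": "Blob writer (constructed)", "IsCustom": True,
    "Actions": ["Microsoft.Storage/storageAccounts/read", "*/read", "*/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"],
    "NotDataActions": [],
    "AssignableScopes": [MG_PREFIX + "mg-one", MG_PREFIX + "mg-two"],
}

# Constructed sample in the shape Trevor White describes: one management group
# plus the subscription, no DataActions, no repeated actions.
GOOD_ROLE = {
    "Name": "RG creator (constructed)", "IsCustom": True,
    "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/write"],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [MG_PREFIX + "Root-MGMT", SUB_PREFIX + "<SUBID>"],
}
```

Run `validate_role` on a definition before handing it to New-AzRoleDefinition or a Terraform plan; an empty result means none of the thread's reported blockers apply.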