Do you have an idea or suggestion based on your experience with Azure Management Groups?

Splitting management group rights from subscription rights

I would like to give an AD group 'Owner' rights on subscriptions below a management group without also giving them 'Owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins), which doesn't seem to be possible right now?

Is this something we can use the 'Deny assignments' for in the future? (As in assigning them the 'owner' role, and denying them the 'management group contributor' role, for example?)

8 votes

Kees Huizer shared this idea

Currently this is not possible as there are no RBAC roles that focus only on subscriptions write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.

We are working on Custom RBAC support for management groups, which will allow you to create your own role with subscription/write.

0 comments
