User Access Role to Change Management Groups Only. Prevent MG or Subscription Changes
In a hierarchy of Management Groups, I would like to assign people at a parent Management Group who:
- Have access to all resources in a Subscription
- Cannot create new child Subscriptions or Management Groups
- Can assign new users to their Management Group and Children
Ultimately I want to give assigned MG "admins" the ability to manage users coming and going from Subscriptions and Management Groups, but restrict who in the company has the ability to create new Subscriptions and Management Groups anywhere in the MG hierarchy.
I would also like to ensure "users" - via the MG - have the ability to use all the virtual resources of a Subscription they've been given access to, but not create new Management Groups or Subscriptions under their MG or update user permissions giving other people access via the MG they are in.
Is anything like this possible with Management Groups today?
Looking at your 3 items there, the first two can be achieved by using the “Reader” role on the Management Group. This would give the “user” read access to the MG, Sub, and any resources under it. They would not be able to create new MGs under that group or move any MGs/Subs to that group as you need at least “Contributor” access on the new parent MG in a move.
The third request is the real tricky item within Management Groups. There are 2 roles that allow users to assign user access: “Owner” and “User Access Administrator”. Giving a user “User Access Admin” allows that user to assign any role to any individual, including themselves, on that assigned resource. For example, if the user is assigned “Reader” and “User Access Admin” on a parent MG, they could at any time assign themselves the “Owner” role. That is why I view “User Access Admin” == “Owner”, because they have that power.
For the subscription creation issue, there is no way to stop users from creating subs in a tenant currently. If it is an Enterprise Agreement, the Subscription Team is working on a feature to stop any personal subscriptions from being created, like Pay-As-You-Go or MSDN Subs. I don’t have any timeline for that feature. Management Groups handle this, as not every user can move items in and out of Groups. This link talks more on move actions:
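The answer above makes two checkable claims: a principal with only “Reader” on a parent MG cannot move MGs or Subscriptions into it (that needs at least “Contributor” on the new parent), and anyone holding “User Access Administrator” on an MG or one of its ancestors should be audited as if they were “Owner”. The script below is an added example, not code from the thread or from Microsoft. It reads role assignments in the shape `az role assignment list --scope /providers/Microsoft.Management/managementGroups/<mg-id> --include-inherited --output json` produces (the field names `principalName`, `principalType`, `roleDefinitionName` and `scope` are the real ones); the MG hierarchy, principal names and assignments embedded in it are constructed, and the `MG_PARENT` map is an assumption you would fill from `az account management-group list` in a real tenant.

```python
"""Audit who can really administer an Azure Management Group (MG) subtree.

Added example, not part of the original thread. Input is shaped like the JSON
from `az role assignment list --include-inherited --output json`; every
principal, MG id and assignment below is constructed sample data.
"""
from typing import Dict, List, Optional

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Roles that can (re)assign any role at their scope. A holder can grant
# themselves Owner at any moment, so for audit purposes they count as Owner.
ESCALATING_ROLES = {"Owner", "User Access Administrator"}

# Roles that satisfy "at least Contributor on the new parent MG" for a move.
MOVE_TARGET_ROLES = {"Contributor"} | ESCALATING_ROLES

# Constructed hierarchy (assumption): child MG id -> parent MG id, None = root.
MG_PARENT: Dict[str, Optional[str]] = {
    "root-mg": None,
    "corp-mg": "root-mg",
    "dev-mg": "corp-mg",
}

# Constructed assignments in the shape `az role assignment list` returns.
SAMPLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": MG_PREFIX + "corp-mg"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": MG_PREFIX + "corp-mg"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": MG_PREFIX + "root-mg"},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
]


def mg_id_from_scope(scope: str) -> Optional[str]:
    """MG id for an MG-scoped assignment; None for subscription/RG scopes."""
    if scope.startswith(MG_PREFIX):
        return scope[len(MG_PREFIX):]
    return None


def mg_chain(mg_id: str) -> List[str]:
    """The MG itself followed by every ancestor up to the root. Assignments
    made at any of these scopes are inherited by mg_id."""
    chain: List[str] = []
    current: Optional[str] = mg_id
    while current is not None:
        chain.append(current)
        current = MG_PARENT[current]
    return chain


def roles_on_mg(assignments: List[Dict[str, str]], principal: str,
                mg_id: str) -> List[str]:
    """All roles a principal holds on mg_id, inherited MG-scope ones included."""
    chain = set(mg_chain(mg_id))
    return sorted(
        a["roleDefinitionName"] for a in assignments
        if a["principalName"] == principal
        and mg_id_from_scope(a["scope"]) in chain
    )


def effective_owners(assignments: List[Dict[str, str]],
                     mg_id: str) -> Dict[str, List[str]]:
    """Principals who can end up as Owner of mg_id: anyone holding Owner or
    User Access Administrator on it or on an ancestor MG."""
    chain = set(mg_chain(mg_id))
    found: Dict[str, List[str]] = {}
    for a in assignments:
        scoped_mg = mg_id_from_scope(a["scope"])
        if scoped_mg in chain and a["roleDefinitionName"] in ESCALATING_ROLES:
            found.setdefault(a["principalName"], []).append(
                f'{a["roleDefinitionName"]} @ {scoped_mg}')
    return found


def can_move_into(assignments: List[Dict[str, str]], principal: str,
                  target_mg: str) -> bool:
    """Could the principal move an MG or subscription under target_mg?
    Requires at least Contributor on the new parent (inherited roles count)."""
    return any(r in MOVE_TARGET_ROLES
               for r in roles_on_mg(assignments, principal, target_mg))


if __name__ == "__main__":
    for who, how in effective_owners(SAMPLE_ASSIGNMENTS, "dev-mg").items():
        print(f"{who} can become Owner of dev-mg via {', '.join(how)}")
    for who in ("alice@example.com", "bob@example.com"):
        ok = can_move_into(SAMPLE_ASSIGNMENTS, who, "corp-mg")
        print(f"{who} may move items into corp-mg: {ok}")
```

Run against the sample data, `alice` (Reader only) cannot move anything into `corp-mg`, while `bob` is reported as an effective owner of `dev-mg` even though no Owner assignment names him, because his User Access Administrator grant on `corp-mg` is inherited downward. The grant the answer recommends for the first two requirements is made with `az role assignment create --role Reader --assignee <upn-or-object-id> --scope /providers/Microsoft.Management/managementGroups/<mg-id>`; re-running this audit after each assignment change is a cheap way to notice when a “Reader”-only group quietly gains an escalating role further up the tree.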