Do you have an idea or suggestion based on your experience with Azure Management Groups?

Restrict Account and Service Admin rights for cancelling a subscription

I believe that my request or idea is similar to the topic "Splitting management group rights from subscription rights".

I understand that a user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.

2 votes

Salvatore ILardo shared this idea

Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources, which means they do not look at or govern the classic roles.

While we have no plans to support governing classic roles, I will keep this item open as unplanned.

Learn more about Classic Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

0 comments
