92 votes · under review · 9 comments · Azure Active Directory » Privileged Identity Management
We planned our strategy around using Role Groups. This works perfectly with ARM roles, but we were dumbstruck when we found other AAD roles do _not_ support assignment to groups. This complicates matters tremendously. With a limit of 2000 role assignments per subscription, this could be a hard block for us.
Is anyone aware of a workaround other than scripting assignments with the API? (Which doesn't avoid the limits issue)
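One thing worth knowing before hitting that wall is how close each subscription already is to the 2000-assignment limit, and how many of the assignments are per-user rather than per-group. The following is an added example, not code from the original post: a PowerShell report that counts direct role assignments per subscription. It assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session; the 80% warning threshold is an arbitrary choice.

```powershell
# Added example (not from the original post): count direct role assignments per
# subscription and compare against the documented 2000-per-subscription limit.
# Assumes Az.Accounts + Az.Resources and an existing Connect-AzAccount session.
$Limit  = 2000   # documented Azure RBAC limit of role assignments per subscription
$WarnAt = 0.8    # arbitrary threshold: flag subscriptions at 80% of the limit

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Get-AzRoleAssignment in a subscription context also lists assignments
    # inherited from management groups; only those scoped at or below the
    # subscription count toward the per-subscription limit.
    $assignments = Get-AzRoleAssignment |
        Where-Object { $_.Scope -like "/subscriptions/$($sub.Id)*" }

    $count  = @($assignments).Count
    $groups = @($assignments | Where-Object ObjectType -eq 'Group').Count
    $users  = @($assignments | Where-Object ObjectType -eq 'User').Count
    $status = if ($count -ge ($Limit * $WarnAt)) { 'WARN' } else { 'ok' }

    [pscustomobject]@{
        Subscription = $sub.Name
        Assignments  = $count
        ToGroups     = $groups
        ToUsers      = $users
        Remaining    = $Limit - $count
        Status       = $status
    }
}
```

A high ToUsers figure relative to ToGroups is the signal that assignments are being scripted per principal and will burn through the limit; those are the scopes to revisit first if group-based assignment becomes available.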
In particular, when an authorized user is logged into the Azure Portal, attempting to access the storage account still produces "Access Denied" errors without any further explanation that the error is due to firewall restrictions (rather than account level privileges).
The previously linked suggestion (20379040) is about moving to another subscription. In this case, I only care about moving (managed disks) to another resource group within the SAME subscription, so this may be less work to implement safely.
While we can, technically, make a copy of the managed disk and re-create the VM in the proper resource group, attach the copied disk, etc., what a pain in the neck, and only possible via PowerShell, not the portal.
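For anyone who has to take the copy-and-recreate route described above, here is an added example of that procedure in PowerShell; it is not code from the original comment. It copies a managed OS disk into another resource group in the same subscription and builds a new VM around the copy. All resource names, the VM size and the NIC are placeholders, and it assumes the Az.Compute and Az.Network modules plus an existing Connect-AzAccount session.

```powershell
# Added example (not from the original comment): copy a managed OS disk into
# another resource group in the same subscription and re-create the VM there.
# All names below are placeholders; assumes Az.Compute + Az.Network and an
# existing Connect-AzAccount session.
$SrcRg    = 'rg-old'        # placeholder: resource group the disk lives in today
$DstRg    = 'rg-new'        # placeholder: target resource group (same subscription)
$DiskName = 'vm01-osdisk'   # placeholder
$VmName   = 'vm01'          # placeholder
$VmSize   = 'Standard_D2s_v3'   # placeholder
# Placeholder: a NIC that already exists in the target resource group.
$NicId = (Get-AzNetworkInterface -ResourceGroupName $DstRg -Name 'vm01-nic').Id

# 0. Deallocate the source VM so the disk copy is crash-consistent.
Stop-AzVM -ResourceGroupName $SrcRg -Name $VmName -Force | Out-Null

$src = Get-AzDisk -ResourceGroupName $SrcRg -DiskName $DiskName

# 1. Server-side copy of the managed disk into the target resource group,
#    keeping the original SKU (e.g. Premium_LRS) and region.
$cfg = New-AzDiskConfig -Location $src.Location `
                        -SourceResourceId $src.Id `
                        -CreateOption Copy `
                        -SkuName $src.Sku.Name
$copy = New-AzDisk -ResourceGroupName $DstRg -DiskName $DiskName -Disk $cfg

# 2. Re-create the VM in the target group with the copied disk attached as OS disk.
$vm = New-AzVMConfig -VMName $VmName -VMSize $VmSize
if ($src.OsType -eq 'Windows') {
    $vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $copy.Id -CreateOption Attach -Windows
} else {
    $vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $copy.Id -CreateOption Attach -Linux
}
$vm = Add-AzVMNetworkInterface -VM $vm -Id $NicId
New-AzVM -ResourceGroupName $DstRg -Location $src.Location -VM $vm

# 3. Confirm the copy and the new VM before touching anything in the source group.
(Get-AzDisk -ResourceGroupName $DstRg -DiskName $DiskName).ProvisioningState
(Get-AzVM -ResourceGroupName $DstRg -Name $VmName).ProvisioningState
```

Only remove the original VM and disk from the source resource group once step 3 reports Succeeded for both and the new VM has been logged into; data disks, extensions, managed identity and RBAC assignments scoped to the old resource group are not carried over by this procedure and have to be re-applied on the new VM.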