As I was trying to save some blueprints in Tenant Root Group, I was not able to do the same. I referred Microsoft Docs I came to know that I need some Role Assignments in place to perform the desired actions. But to my dismay, I was not allowed to see the details of the Tenant Root Group.
Elevating Access
In my plight to have control over the root I came to know that though I was Global Administrator, I did not have the access control over the Tenant Root Group(/). It was logical though as there could be multiple subscriptions under a single tenant so to give an Owner of Subscription control over the root is not advisable.
So for this, I had to Elevate Access for Global Administrator. The steps for the same are summarized below:
- Search for Tenant Properties and open it.
2. This will open the blade as below have to toggle the Access Management for Azure resources to ‘Yes’.
Don’t forget to click “Save” before you leave the blade and that’s it, Sign out and sign in again to see the elevated role.
Though a point to remember here is that though you will be able to see the details of the Tenant Root group still you will have only the role of User Access Administrator assigned to you. And like in my case I was still not able to save the Blueprints on the root level. For this at least the Contributor role was required. So adding a role assignment, I chose the Owner role for myself as below:
After saving the role I could perform the desired actions at the root level.
Conclusion
Azure works on the principle of least privilege and so should every organization too. Only give the role to the user which will just enable him/her for the task in hand. It does make the security posture of the organization more robust. But sometimes you need to take control of the root.
Hope this has helped.
Also read: UNDERSTANDING TENANT, DIRECTORY, MANAGEMENT GROUP, AND SUBSCRIPTIONS IN AZURE
Into the Cloudverse 