Own the Tenant Root Group

While trying to save some Blueprints in the Tenant Root Group, I found that I could not. From the Microsoft Docs I learned that certain role assignments must be in place before I could perform the desired actions. But to my dismay, I was not even allowed to view the details of the Tenant Root Group.

Details Disabled

Elevating Access

While trying to gain control over the root, I learned that even though I was a Global Administrator, I did not have access control over the Tenant Root Group (/). This is logical: a single tenant can hold many subscriptions, so giving the Owner of one subscription control over the root is not advisable.

So for this, I had to elevate access for the Global Administrator. The steps are summarized below:

1. Search for Tenant Properties and open it.

Tenant Properties

2. This opens the blade shown below; toggle “Access management for Azure resources” to ‘Yes’.

Do click the save afterwards

Don’t forget to click “Save” before you leave the blade. That’s it: sign out and sign in again to see the elevated role.

Just the User Access Administrator

A point to remember here: although you will now be able to see the details of the Tenant Root Group, you will still have only the User Access Administrator role assigned at that scope. In my case I was still not able to save Blueprints at the root level; that requires at least the Contributor role. So I added a role assignment, choosing the Owner role for myself as below:

Add the role assignment

After saving the role I could perform the desired actions at the root level.
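The same root-scope workflow done with the Azure CLI instead of the portal, as an added example (my illustration, not code from the original post). It assumes the Azure CLI is installed and `az login` has been run as a Global Administrator; `admin@example.com` in the usage line is a placeholder. It also adds the cleanup step Microsoft's guidance recommends and the post does not cover: removing the elevated User Access Administrator assignment once the root-level work is finished, and listing what is assigned at the root so nothing broad is left behind.

```shell
#!/bin/sh
# Added example (not from the original post): elevate access, assign a role at
# the Tenant Root Group (/), review root assignments, then remove the elevation.
# Assumes `az` is installed and `az login` has been run as a Global Administrator.
# DRY_RUN=1 (the default here) prints each az command instead of executing it,
# so the script can be reviewed before it touches the tenant.
DRY_RUN="${DRY_RUN:-1}"
ELEVATE_API_VERSION="2016-07-01"   # documented elevateAccess API version

# Wrapper: print the command in dry-run mode, execute it otherwise.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    out="az"
    for arg in "$@"; do
      case "$arg" in
        *" "*) out="$out '$arg'" ;;   # quote arguments that contain spaces
        *)     out="$out $arg" ;;
      esac
    done
    printf '%s\n' "$out"
  else
    az "$@"
  fi
}

# Steps 1 and 2 of the post: elevate the signed-in Global Administrator. This is
# what the "Access management for Azure resources" toggle does; it grants the
# caller User Access Administrator at the root scope (/).
elevate_access() {
  run_az rest --method post \
    --url "/providers/Microsoft.Authorization/elevateAccess?api-version=$ELEVATE_API_VERSION"
}

# The post's next step: User Access Administrator alone cannot save Blueprints,
# so assign a role that can write resources at the root scope (the post chose
# Owner; it notes Contributor would have been enough for Blueprints).
grant_root_role() {
  assignee="$1"   # user principal name or object id
  role="$2"       # e.g. Owner or Contributor
  run_az role assignment create --assignee "$assignee" --role "$role" --scope "/"
}

# Review everything assigned directly at the root; these assignments are
# inherited by every management group and subscription in the tenant.
list_root_assignments() {
  run_az role assignment list --scope "/" --output table
}

# Cleanup the post does not mention: remove the elevated User Access
# Administrator assignment once the root-level work is done.
remove_elevated_access() {
  run_az role assignment delete --assignee "$1" --role "User Access Administrator" --scope "/"
}

main() {
  assignee="${2:?usage: $0 run <user-principal-name>}"
  elevate_access
  grant_root_role "$assignee" Owner
  list_root_assignments
  remove_elevated_access "$assignee"
}

# Only run the workflow when invoked as:
#   DRY_RUN=0 sh elevate-root.sh run admin@example.com   (admin@example.com is a placeholder)
if [ "${1:-}" = "run" ]; then main "$@"; fi
```

Run it once with the default `DRY_RUN=1` to read the exact commands, then with `DRY_RUN=0` to execute. Leaving Owner at the root scope permanently works against the least-privilege point in the conclusion; the same `az role assignment delete` call with `--role Owner` removes it once the Blueprint work is finished.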

Finally

Conclusion

Azure is built around the principle of least privilege, and so should every organization be. Grant a user only the role that enables the task at hand; this makes the organization's security posture more robust. But sometimes you do need to take control of the root.

Hope this has helped.

Also read: UNDERSTANDING TENANT, DIRECTORY, MANAGEMENT GROUP, AND SUBSCRIPTIONS IN AZURE
