{"id":4977,"date":"2024-01-04T10:11:47","date_gmt":"2024-01-04T18:11:47","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4977"},"modified":"2024-01-04T10:11:49","modified_gmt":"2024-01-04T18:11:49","slug":"how-to-elevate-access-to-manage-root-permissions-on-azure-subscriptions","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4977","title":{"rendered":"How to Elevate Access to Manage Root Permissions on Azure Subscriptions"},"content":{"rendered":"\n<p>As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.<\/p>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>For information about viewing or deleting personal data, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/compliance\/gdpr-dsr-azure\">Azure Data Subject Requests for the GDPR<\/a>. For more information about GDPR, see the&nbsp;<a href=\"https:\/\/www.microsoft.com\/trust-center\/privacy\/gdpr-overview\">GDPR section of the Microsoft Trust Center<\/a>&nbsp;and the&nbsp;<a href=\"https:\/\/servicetrust.microsoft.com\/ViewPage\/GDPRGetStarted\">GDPR section of the Service Trust portal<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#why-would-you-need-to-elevate-your-access\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-would-you-need-to-elevate-your-access\">Why would you need to elevate your access?<\/h2>\n\n\n\n<p>If you are a Global Administrator, there might be times when you want to do the following actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Regain access to an Azure subscription or management group when a user has lost access<\/li><li>Grant another user or yourself access to an Azure subscription or management group<\/li><li>See all Azure subscriptions or management groups in an 
organization<\/li><li>Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#how-does-elevated-access-work\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-does-elevated-access-work\">How does elevated access work?<\/h2>\n\n\n\n<p>Microsoft Entra ID and Azure resources are secured independently from one another. That is, Microsoft Entra role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/roles\/permissions-reference#global-administrator\">Global Administrator<\/a>&nbsp;in Microsoft Entra ID, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don&#8217;t have access to Azure\u202fsubscription resources, such as virtual machines or storage accounts, and\u202fyou\u202fwant to use your Global Administrator privilege to gain access to those resources.<\/p>\n\n\n\n<p>When you elevate your access, you will be assigned the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/built-in-roles#user-access-administrator\">User Access Administrator<\/a>&nbsp;role in Azure at root scope (<code>\/<\/code>).\u202fThis allows you to view all resources and assign access in any subscription or management group in the directory. 
User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.<\/p>\n\n\n\n<p>You should remove this elevated access once you have made the changes you need to make at root scope.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/elevate-access-global-admin\/elevate-access.png\" alt=\"Elevate access\"\/><\/figure>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#azure-portal\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"azure-portal\">Azure portal<\/h2>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#elevate-access-for-a-global-administrator\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"elevate-access-for-a-global-administrator\">Elevate access for a Global Administrator<\/h3>\n\n\n\n<p>Follow these steps to elevate access for a Global Administrator using the Azure portal.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Sign in to the\u00a0<a href=\"https:\/\/portal.azure.com\/\">Azure portal<\/a>\u00a0as a Global Administrator. If you are using Microsoft Entra Privileged Identity Management,\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-how-to-activate-role\">activate your Global Administrator role assignment<\/a>.<\/li><li>Open\u00a0<strong>Microsoft Entra ID<\/strong>.<\/li><li>Under\u00a0<strong>Manage<\/strong>, select\u00a0<strong>Properties<\/strong>.<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/elevate-access-global-admin\/azure-active-directory-properties.png\" alt=\"Select Properties for Microsoft Entra properties - screenshot\"><\/li><li>Under\u00a0<strong>Access management for Azure resources<\/strong>, set the toggle 
to\u00a0<strong>Yes<\/strong>.<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/elevate-access-global-admin\/aad-properties-global-admin-setting.png\" alt=\"Access management for Azure resources - screenshot\"><\/li><li>When you set the toggle to\u00a0<strong>Yes<\/strong>, you are assigned the User Access Administrator role in Azure RBAC at root scope (\/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID. When you set the toggle to\u00a0<strong>No<\/strong>, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.\u00a0Note: If you&#8217;re using\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-configure\">Privileged Identity Management<\/a>, deactivating your role assignment does not change the\u00a0<strong>Access management for Azure resources<\/strong>\u00a0toggle to\u00a0<strong>No<\/strong>. To maintain least privileged access, we recommend that you set this toggle to\u00a0<strong>No<\/strong>\u00a0before you deactivate your role assignment.<\/li><li>Click\u00a0<strong>Save<\/strong>\u00a0to save your setting. This setting is not a global property and applies only to the currently signed in user. You can&#8217;t elevate access for all members of the Global Administrator role.<\/li><li>Sign out and sign back in to refresh your access. You should now have access to all subscriptions and management groups in your directory. 
When you view the Access control (IAM) pane, you&#8217;ll notice that you have been assigned the User Access Administrator role at root scope.<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/elevate-access-global-admin\/iam-root.png\" alt=\"Subscription role assignments with root scope - screenshot\"><\/li><li>Make the changes you need to make at elevated access. For information about assigning roles, see\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/role-assignments-portal\">Assign Azure roles using the Azure portal<\/a>. If you are using Privileged Identity Management, see\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-resource-roles-discover-resources\">Discover Azure resources to manage<\/a>\u00a0or\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-resource-roles-assign-roles\">Assign Azure resource roles<\/a>.<\/li><li>Perform the steps in the following section to remove your elevated access.<\/li><\/ol>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#remove-elevated-access\"><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"remove-elevated-access\">Remove elevated access<\/h3>\n\n\n\n<p>To remove the User Access Administrator role assignment at root scope (<code>\/<\/code>), follow these steps.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Sign in as the same user that was used to elevate access.<\/li><li>In the navigation list, click\u00a0<strong>Microsoft Entra ID<\/strong>\u00a0and then click\u00a0<strong>Properties<\/strong>.<\/li><li>Set the\u00a0<strong>Access management for Azure resources<\/strong>\u00a0toggle back to\u00a0<strong>No<\/strong>. 
Since this is a per-user setting, you must be signed in as the same user as was used to elevate access. If you try to remove the User Access Administrator role assignment on the Access control (IAM) pane, you&#8217;ll see the following message. To remove the role assignment, you must set the toggle back to\u00a0<strong>No<\/strong>\u00a0or use Azure PowerShell, Azure CLI, or the REST API.<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/elevate-access-global-admin\/iam-root-remove.png\" alt=\"Remove role assignments with root scope\"><\/li><li>Sign out as Global Administrator. If you are using Privileged Identity Management, deactivate your Global Administrator role assignment.\u00a0Note: If you&#8217;re using\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/privileged-identity-management\/pim-configure\">Privileged Identity Management<\/a>, deactivating your role assignment does not change the\u00a0<strong>Access management for Azure resources<\/strong>\u00a0toggle to\u00a0<strong>No<\/strong>. To maintain least privileged access, we recommend that you set this toggle to\u00a0<strong>No<\/strong>\u00a0before you deactivate your role assignment.<\/li><\/ol>\n\n\n\n<p>Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/elevate-access-global-admin#remove-a-role-assignment-at-the-root-scope-\">Elevate access to manage all Azure subscriptions and management groups | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups. &nbsp;Note For information about viewing or deleting personal data, see&nbsp;Azure Data Subject Requests for the GDPR. 
<a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4977\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1249,10],"tags":[1733,1732],"class_list":["post-4977","post","type-post","status-publish","format-standard","hentry","category-azure-microsoft","category-microsoft","tag-elevate-access-to-manage-root-azure","tag-elevate-access-to-manage-root-permissions-on-azure-subscriptions"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4977"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4977\/revisions"}],"predecessor-version":[{"id":4978,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4977\/revisions\/4978"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories
&post=4977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}