Azure global admin cannot (disabled) add roles under "Access Control (IAM)"
T

3

9

I activated my global admin role in Privileged Identity Management like so:

[screenshot]

When I navigate to the Access Control blade under a subscription, I see the Add role assignment options disabled.


Doesn't global admin have global rights and can do this?

Thanks

Truscott answered 2/6, 2021 at 10:52 Comment(0)
A
7

Doesn't global admin have global rights and can do this?

No. You're global admin in your Azure AD so you can perform all operations in Azure AD. Azure AD roles are different than Azure Subscription roles.

To be able to perform IAM related activities in an Azure Subscription, you must be assigned an Owner or User Access Administrator role in that Azure Subscription.

Considering you're the global admin in your Azure AD, you can elevate your permissions to perform IAM activities in Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.

The other option would be to ask someone on your team with proper access in the Azure Subscription to assign you the Owner or User Access Administrator role.

Ask answered 2/6, 2021 at 11:21 Comment(1)
Same issue for me, but following the above guide (MS docs web link) doesn't allow me to elevate myself as the Azure account owner. Under Access management for Azure resources, the toggle button is greyed out. - Ephemerid
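The distinction this answer draws, as an added example that is not part of the original answer: a check over Azure RBAC assignments for whether a user can add role assignments at a subscription. All user names, IDs and the management group are constructed, and the sample records assume the field names of `az role assignment list` output.

```python
# Roles the answer names; both carry Microsoft.Authorization/roleAssignments/write.
# Other roles with that permission (custom roles, for example) are not modelled.
IAM_ROLES = {"Owner", "User Access Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"      # constructed
MG = "/providers/Microsoft.Management/managementGroups/mg-prod"  # constructed

# Constructed sample shaped like `az role assignment list --all -o json`.
# alice is a Global Administrator in the directory: that is a directory role,
# so it never appears in this Azure RBAC list. bob has elevated access, which
# assigns User Access Administrator at root scope "/".
SAMPLE = [
    {"principalName": "alice@contoso.example",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.example",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "carol@contoso.example",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "dave@contoso.example",
     "roleDefinitionName": "Owner", "scope": MG},
]

def scope_covers(assigned, target):
    """True if a role assigned at `assigned` is inherited at `target` by path."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")

def iam_grants(assignments, principal, target, mg_ancestors=()):
    """Assignments that let `principal` add role assignments at `target`.

    mg_ancestors: scopes of the management groups above the target
    subscription (the hierarchy is not visible in the scope string,
    so the caller supplies it).
    """
    parents = {m.lower() for m in mg_ancestors}
    return [a for a in assignments
            if a["principalName"].lower() == principal.lower()
            and a["roleDefinitionName"] in IAM_ROLES
            and (scope_covers(a["scope"], target)
                 or a["scope"].lower() in parents)]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        upn = user + "@contoso.example"
        print(upn, bool(iam_grants(SAMPLE, upn, SUB, mg_ancestors=[MG])))
```

The same function is useful for review: any hit whose scope is `/` is an elevated assignment that should be removed once the IAM change is done.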
T
5

Azure roles happen to be different than Azure AD roles.

By default, AD roles manage AD and Azure roles manage Azure resources. However, there are some cross roles which can access resources across when needed. More information here.

Since Global Administrator is a cross-service role, he can elevate himself by granting himself the User Access Administrator role, as here. Then I was able to see the disabled options enabled.

more information

Truscott answered 2/6, 2021 at 11:35 Comment(1)
Another thing I learnt today is that an organization can configure additional policies to disable that option under AAD-properties. learn.microsoft.com/en-us/azure/active-directory/fundamentals/… - Truscott
S
0

1. Go to Azure Portal: Log in to the Azure portal.

2. Navigate to Entra ID (Azure AD): From the left-hand menu, select "Entra ID" (formerly known as Azure Active Directory).

3. Go to Properties: In the Entra ID (Azure AD) overview, scroll down in the left-hand menu and click on "Properties".

4. Enable the Toggle: In the Properties blade, look for the "Access management for Azure resources" toggle. Turn it On: Switch the toggle to "On" to enable access management for Azure resources.

5. Save Changes: After enabling the toggle, make sure to click "Save" to apply the changes.

Once this toggle is enabled, you'll be able to manage permissions across Azure resources, and the "Add role assignment" feature should now be accessible where you need it.

Statute answered 15/8, 2024 at 19:50 Comment(0)
