Get Access to Azure Subscriptions as Global Administrator


This post walks through the steps a Global Administrator in Microsoft Entra ID (formerly Azure Active Directory) takes to elevate their access so they can manage all Azure subscriptions and management groups within their directory.

Understanding the Context:

By default, being a Global Administrator in Microsoft Entra ID does not automatically grant you access to Azure resources (like subscriptions, resource groups, or individual resources). Azure role-based access control (RBAC) for resources is managed separately. This procedure elevates the Global Administrator’s privileges temporarily or permanently to grant them the ability to assign roles within Azure subscriptions.

Steps to Enable Access Management for Azure Resources:

1. Log in to the Azure Portal:

Open your web browser and navigate to https://portal.azure.com. Log in using the account that holds the Global Administrator role for the directory.

2. Navigate to Microsoft Entra ID:

In the Azure portal’s search bar at the top, type Microsoft Entra ID (or Azure Active Directory) and select it from the results.

3. Access Tenant Properties:

In the left-hand navigation pane of the Microsoft Entra ID blade, scroll down and click Properties.

4. Enable Access Management:

On the Properties page, scroll down to the section titled Access management for Azure resources. It contains a toggle switch, which is set to No by default. Click the toggle to change it to Yes.

5. Save the Changes:

Click the Save button at the top of the Properties page.

What Happens When You Enable This Setting?

When you set “Access management for Azure resources” to Yes, your Global Administrator account (and all other Global Administrators in the tenant) is granted the User Access Administrator role in Azure RBAC at the root scope (`/`). This role allows you to:

– View all Azure subscriptions and management groups associated with the directory.

– Assign Azure roles (such as Owner, Contributor, Reader, or custom roles) to other users, groups, or service principals within any subscription or management group in the directory.

Important: This does not automatically make you an Owner of all subscriptions. It specifically grants the permission to manage access for others (and yourself) across all subscriptions.

Next Steps (Using the Elevated Access):

1. Wait for Permissions to Propagate: It might take a few minutes for the elevated permissions to take effect.

2. Assign Specific Roles: Now that you hold the User Access Administrator role at the root scope, you can open any Subscription or Management Group in the Azure portal and assign roles there:

– Go to the desired Subscription or Management Group.

– Click Access control (IAM).

– Click + Add -> Add role assignment.

– Select the role you need (e.g., Owner, Contributor, Reader).

– Select the user (including yourself), group, or service principal you want to assign the role to.

– Save the assignment.

Security Recommendation: The User Access Administrator role at the root scope is highly privileged. Recommended best practice is to:

1. Elevate access only when needed to grant specific, persistent roles.

2. Once the necessary role assignments are completed, consider returning to Microsoft Entra ID -> Properties -> Access management for Azure resources and setting the toggle back to No.

3. Alternatively, use Azure AD Privileged Identity Management (PIM) to manage elevated access in a more controlled, time-bound, and audited manner.

Following these steps will allow a Global Administrator to gain the permissions needed to manage access across all Azure subscriptions within their directory.
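Because the toggle grants User Access Administrator at the root scope and is easy to leave switched on, a defender wants two checks behind this procedure: an event-based one that flags every elevation and every root-scope role assignment write in the Activity Log, and a state-based one that lists who currently holds the role at `/` and compares that against the accounts that are meant to have it. The script below is an added example written for this post, not Microsoft's code. It assumes a flattened Activity Log record shape (`operationName`, `caller`, `scope`, `status`, `eventTimestamp`) and a role-assignment shape (`principalName`, `roleDefinitionName`, `scope`); both field layouts and all sample records are constructed for the example. The operation names `Microsoft.Authorization/elevateAccess/action` and `Microsoft.Authorization/roleAssignments/write` are the ones Azure records for the elevate-access call and for role assignment changes.

```python
"""Added example: audit elevate-access events and standing root-scope
User Access Administrator assignments. Not code from the original post."""
from __future__ import annotations

from dataclasses import dataclass

# Operation names Azure writes to the Activity Log for the two actions the
# post describes: the elevate-access toggle and role-assignment changes.
ELEVATE_OP = "Microsoft.Authorization/elevateAccess/action"
ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"
ROOT_SCOPE = "/"
UAA_ROLE = "User Access Administrator"


@dataclass(frozen=True)
class Finding:
    kind: str        # elevate_access | elevate_access_failed | root_role_write | standing_root_uaa
    principal: str
    detail: str      # timestamp for events, scope for standing assignments


def elevation_findings(activity_log: list[dict]) -> list[Finding]:
    """Flag elevate-access calls (successful or not) and successful
    role-assignment writes at the root scope.

    Record shape is an assumption of this example, modelled on a flattened
    Activity Log export: operationName, caller, scope, status, eventTimestamp.
    """
    findings: list[Finding] = []
    for rec in activity_log:
        op = rec.get("operationName", "")
        succeeded = rec.get("status") == "Succeeded"
        if op == ELEVATE_OP:
            # A failed attempt by a non-Global-Administrator is itself a signal.
            kind = "elevate_access" if succeeded else "elevate_access_failed"
            findings.append(Finding(kind, rec["caller"], rec["eventTimestamp"]))
        elif op == ROLE_WRITE_OP and succeeded and rec.get("scope") == ROOT_SCOPE:
            findings.append(Finding("root_role_write", rec["caller"], rec["eventTimestamp"]))
    return findings


def standing_root_uaa(role_assignments: list[dict], allowlist: set[str]) -> list[Finding]:
    """Return root-scope User Access Administrator holders not on the allowlist.

    Assignment shape (assumed): principalName, roleDefinitionName, scope.
    An empty result is the state the post's advice to set the toggle back to
    No should leave behind (apart from any deliberate break-glass account).
    """
    return [
        Finding("standing_root_uaa", ra["principalName"], ra["scope"])
        for ra in role_assignments
        if ra.get("scope") == ROOT_SCOPE
        and ra.get("roleDefinitionName") == UAA_ROLE
        and ra["principalName"] not in allowlist
    ]


# Constructed sample data for this example; not real tenant data.
SAMPLE_ACTIVITY_LOG = [
    {"operationName": ELEVATE_OP, "caller": "ga.admin@contoso.example",
     "scope": ROOT_SCOPE, "status": "Succeeded", "eventTimestamp": "2024-05-01T09:12:03Z"},
    {"operationName": ROLE_WRITE_OP, "caller": "ga.admin@contoso.example",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "status": "Succeeded", "eventTimestamp": "2024-05-01T09:20:41Z"},
    {"operationName": ROLE_WRITE_OP, "caller": "ga.admin@contoso.example",
     "scope": ROOT_SCOPE, "status": "Succeeded", "eventTimestamp": "2024-05-01T09:25:10Z"},
    {"operationName": ELEVATE_OP, "caller": "helpdesk@contoso.example",
     "scope": ROOT_SCOPE, "status": "Failed", "eventTimestamp": "2024-05-02T14:02:55Z"},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "ops@contoso.example",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1",
     "status": "Succeeded", "eventTimestamp": "2024-05-02T15:00:00Z"},
]

SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalName": "ga.admin@contoso.example", "roleDefinitionName": UAA_ROLE, "scope": ROOT_SCOPE},
    {"principalName": "breakglass@contoso.example", "roleDefinitionName": UAA_ROLE, "scope": ROOT_SCOPE},
    {"principalName": "dev@contoso.example", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def audit(activity_log: list[dict] = SAMPLE_ACTIVITY_LOG,
          role_assignments: list[dict] = SAMPLE_ROLE_ASSIGNMENTS,
          allowlist: set[str] = frozenset({"breakglass@contoso.example"})) -> list[Finding]:
    """Combine the event-based detection with the current-state check."""
    return elevation_findings(activity_log) + standing_root_uaa(role_assignments, allowlist)


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind:22} {f.principal:30} {f.detail}")
```

On a real tenant the inputs would come from an Activity Log export (for example `az monitor activity-log list`) and from a listing of root-scope assignments (`az role assignment list --scope "/"`); the exact field names in that output differ from the assumed shape above, so map them before calling the two functions. Running the audit on the sample data reports the successful elevation, the root-scope role write, the failed elevation attempt by the helpdesk account, and `ga.admin` as a standing root-scope User Access Administrator who has not yet followed the post's advice to switch the toggle back to No.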
