Elevate access for Azure AD Global Admin to manage all Azure subscriptions

Another useful, but little-known, Azure feature.

Normally, Azure and Azure Active Directory (AAD) roles are entirely independent of each other. Azure AD built-in roles are usually used in AAD itself and in Office 365; however, you can be the Global Admin in an AAD tenant and have zero rights in the Azure subscriptions associated with that Azure AD tenant, and vice versa. Using the Role Based Access Control (RBAC) functionality in Azure, you can manually assign RBAC roles (e.g. Owner or Contributor on an Azure Subscription or Resource Group) to Azure AD users or groups, but the Azure AD roles are never automatically inherited in the Azure hierarchy.

Azure AD now has a feature that automatically adds a member of the Global Admins from an Azure AD tenant to the User Access Administrator role in the root (/) of the Azure structure in that directory. This allows the designated administrator to assign new RBAC roles in any Azure subscription or management group managed by that Azure AD tenant.
This feature can be enabled from the properties of an Azure AD tenant, when logged on as a member of Global Admins.

Once this feature has been enabled, you will see a result similar to the screenshot below.

This feature resembles the “Take Ownership” permission in AD Domain Services or on an NTFS drive. Like “Take Ownership”, this feature gives the Azure AD admin a “back door” to get back into an Azure subscription where access has been lost. This will probably be needed because someone did something stupid, e.g. the Owner role in the Azure subscription was assigned to a user or group that was then deleted. Of course this feature could be misused, intentionally or accidentally, to give an Azure AD administrator access to Azure resources they shouldn’t be able to access. The remedy is the same as for all other risks linked to dangerous things admins can do: have as few Global Admins as possible; only place very responsible people into that very powerful role; and monitor what they do like a paranoid person.
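As an added example (not code from the original post or from Microsoft), here is a small Python audit that does the monitoring the previous paragraph asks for: it flags every role assignment granted at the tenant root (`/`), lists successful elevate-access events, and prints the `az role assignment delete` line that reverses each root-scope grant once the recovery work is done. The sample data is constructed; the field names follow `az role assignment list --scope /` output and an Activity Log JSON export, while the `Microsoft.Authorization/elevateAccess/action` operation name and the sample principals are assumptions.

```python
import json

# Constructed sample, shaped like `az role assignment list --scope / --output json`
# (principalName, principalType, roleDefinitionName and scope are the real field names).
ROOT_ASSIGNMENTS_JSON = """[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "Cloud Platform Owners", "principalType": "Group",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]"""

# Constructed sample of Activity Log entries; the elevateAccess operation name is an
# assumption about the tenant-level ("Directory Activity") log, not taken from this page.
ACTIVITY_LOG_JSON = """[
  {"caller": "alice@contoso.example", "eventTimestamp": "2024-01-15T09:12:44Z",
   "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
   "status": {"value": "Succeeded"}},
  {"caller": "bob@contoso.example", "eventTimestamp": "2024-01-15T10:01:02Z",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Succeeded"}}
]"""

ELEVATE_OP = "Microsoft.Authorization/elevateAccess/action"  # assumed operation name

def root_scope_assignments(assignments):
    """Every assignment at the tenant root '/' is a tenant-wide grant; the
    elevate-access feature creates exactly such a User Access Administrator entry."""
    return [a for a in assignments if a.get("scope") == "/"]

def elevate_access_events(events):
    """(timestamp, caller) for each successful elevateAccess call, oldest first."""
    hits = [(e["eventTimestamp"], e["caller"]) for e in events
            if e["operationName"]["value"] == ELEVATE_OP
            and e["status"]["value"] == "Succeeded"]
    return sorted(hits)

def removal_commands(assignments):
    """The CLI line that removes each root-scope grant again after recovery."""
    return [f'az role assignment delete --assignee "{a["principalName"]}" '
            f'--role "{a["roleDefinitionName"]}" --scope "/"'
            for a in root_scope_assignments(assignments)]

def audit_elevated_access(assignments_json, activity_json):
    """Combine both checks into one report a reviewer can act on."""
    assignments = json.loads(assignments_json)
    events = json.loads(activity_json)
    return {"root_assignments": root_scope_assignments(assignments),
            "elevate_events": elevate_access_events(events),
            "removal_commands": removal_commands(assignments)}

if __name__ == "__main__":
    print(json.dumps(audit_elevated_access(ROOT_ASSIGNMENTS_JSON, ACTIVITY_LOG_JSON), indent=2))
```

In a real tenant, feed it the output of `az role assignment list --scope /` and the Activity Log export instead of the constructed strings; any root-scope assignment without a matching recovery ticket deserves a question.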

For more information, see this article: https://docs.microsoft.com/en-gb/azure/role-based-access-control/elevate-access-global-admin
