Reputation: 1180
I activated my global admin role in Privileged Identity Management like so
When I navigate to the Access Control blade under a subscription, I see the Add role assignment options disabled.
Doesn't global admin have global rights and can do this?
Thanks
Upvotes: 9
Views: 19357
Reputation: 21
1. Go to Azure Portal: Log in to the Azure portal.
2. Navigate to Entra ID (Azure AD): From the left-hand menu, select "Entra ID" (formerly known as Azure Active Directory).
3. Go to Properties: In the Entra ID (Azure AD) overview, scroll down in the left-hand menu and click on "Properties".
4. Enable the Toggle: In the Properties blade, look for the "Access management for Azure resources" toggle. Turn it On: Switch the toggle to "On" to enable access management for Azure resources.
5. Save Changes: After enabling the toggle, make sure to click "Save" to apply the changes.

Once this toggle is enabled, you'll be able to manage permissions across Azure resources, and the "Add role assignment" feature should now be accessible where you need it.
Upvotes: 1
Reputation: 1180
Azure roles happen to be different than Azure AD roles.
By default, AD roles manage AD and Azure roles manage Azure resources. However, there are some cross roles which can access resources across when needed. More information here.
Since Global Administrator is a cross-service role, he can elevate himself by granting himself the User Access Administrator role as here. Then I was able to see the disabled options, enabled.
Upvotes: 5
Reputation: 136346
Doesn't global admin have global rights and can do this?
No. You're global admin in your Azure AD so you can perform all operations in Azure AD. Azure AD roles are different than Azure Subscription roles.
To be able to perform IAM related activities in an Azure Subscription, you must be assigned an Owner or User Access Administrator role in that Azure Subscription.
Considering you're the global admin in your Azure AD, you can elevate your permissions to perform IAM activities in Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.
The other option would be to ask someone in your team with proper access in the Azure Subscription to assign you the Owner or User Access Administrator role.
Upvotes: 7
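The rule the answers describe can be checked against exported role assignments. The following is an added example, not code from any of the posts above: it decides whether a principal holds Owner or User Access Administrator at a scope that covers the subscription, and lists root-scope User Access Administrator assignments left behind by elevation. The field names are assumed to match `az role assignment list` JSON output; the function names, principals and subscription ID are constructed for illustration.

```python
# Roles that allow creating role assignments, as named in the answers above.
IAM_ROLES = {"Owner", "User Access Administrator"}
UAA = "User Access Administrator"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID

# Constructed sample using field names from `az role assignment list` JSON
# output (assumed shape); every principal and ID here is made up.
SAMPLE = [
    {"principalName": "admin@contoso.example", "roleDefinitionName": UAA, "scope": "/"},
    {"principalName": "dev@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "ops@contoso.example", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "lead@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
]


def scope_covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited at target_scope."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Root scope "/" becomes "" after rstrip and covers every subscription.
    # Management-group scopes need the group hierarchy and are not resolved here.
    return a == "" or t == a or t.startswith(a + "/")


def can_add_role_assignment(assignments, principal_name, subscription_scope):
    """Return the assignments that let the principal manage IAM on the subscription."""
    return [a for a in assignments
            if a["principalName"] == principal_name
            and a["roleDefinitionName"] in IAM_ROLES
            and scope_covers(a["scope"], subscription_scope)]


def root_scope_elevations(assignments):
    """Principals holding User Access Administrator at root scope "/": the
    assignment the elevate-access toggle creates, and the one to remove once
    a subscription-level Owner or User Access Administrator role is in place."""
    return [a["principalName"] for a in assignments
            if a["scope"] == "/" and a["roleDefinitionName"] == UAA]


if __name__ == "__main__":
    for entry in SAMPLE:
        allowed = bool(can_add_role_assignment(SAMPLE, entry["principalName"], SUB))
        print(f'{entry["principalName"]}: can add role assignment = {allowed}')
    print("Root-scope elevations to review:", root_scope_elevations(SAMPLE))
```
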