Description


After purchasing an Azure subscription, even as a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups. It will help to

  • Regain access to an Azure subscription or management group when a user has lost access
  • Grant another user or yourself access to an Azure subscription or management group
  • See all Azure subscriptions or management groups in an organization
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups


Microsoft Entra ID and Azure resources are secured independently from one another. That is, Microsoft Entra role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a Global Administrator in Microsoft Entra ID, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.


Requirements

  • Global administrator access to the Microsoft 365 tenancy and Azure admin centre.

The Process


  • Sign in to the Azure portal as a Global Administrator.

  • Open Microsoft Entra ID.

    Under Manage, select Properties.
    Select Properties for Microsoft Entra properties - screenshot



  • Under Access management for Azure resources, set the toggle to Yes.
    Access management for Azure resources - screenshot
     

  • When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID.
    When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

    Click Save to save your setting.
    This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role.

    Sign out and sign back in to refresh your access.
    You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope.
    Subscription role assignments with root scope - screenshot