AAD Tenant Root Group

Cloud Journey
3 min read · Jun 13, 2021


Overview

Azure resources are organized in a hierarchy. Your resources, resource groups, subscriptions, management groups, and tenant collectively make up your resource hierarchy.

By default, everyone has permission to create management groups. Whoever creates a management group is assigned Owner on it, but it is just an empty management group: that does not mean the user can move any subscription under it, and the move will fail if the user lacks the required permission on the subscription.

In a corporate environment, as the Azure subscription administrator, you would not want users creating management groups at will, so what is the best practice?

RBAC Permission at Tenant Root Group

If you are the Azure subscription admin but not an AAD global admin, ask your AAD global admin to grant you RBAC Owner permission on the tenant root group.

The AAD global admin first needs to elevate their own access, because by default an AAD global admin has no direct permission on Azure management groups or subscriptions.

Follow this doc to elevate: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

To confirm the elevation is complete, check from the root group or any child scope that the “User Access Administrator” role is assigned to your global admin.

Once your global admin has the necessary permission on the tenant root, they can grant the subscription admin Owner permission on the tenant root group.

Protect Your Management Group Hierarchy

The ‘Microsoft.Management/managementGroups/settings/write’ permission is required over scope ‘/providers/Microsoft.Management/managementGroups/<root group id>/settings/default’ to update management group settings.

Now that the subscription admin is Owner at the tenant root level, the admin can update the setting so that only users holding the following permission can create management groups.

Microsoft.Management/managementGroups/write

Conclusion

In a highly regulated corporate environment, if you are not an AAD global admin but are expected to manage all management groups and all subscriptions, ask your AAD global admin to grant you Owner permission at the tenant root group.

I also suggest that you protect your management group hierarchy and stop the default behavior in which everyone is entitled to create management groups.

Last but not least, the AAD global admin should remove elevated access once the required work is done.

Once the setting is toggled back to No, the corresponding “User Access Administrator” role assignment is removed.
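As an added example (not the post's own code) covering both the hierarchy setting above and the check that elevated access was removed: a small Python script that builds the settings request from the Microsoft doc in the References and audits both conditions through the Azure CLI. It assumes a logged-in Azure CLI; the function names, the `az` wrapper and the sample data are my own constructions.

```python
"""Audit helpers for two controls from this post (added example, not the post's code):
the root hierarchy setting that stops everyone creating management groups, and leftover
elevated access (User Access Administrator at scope "/"). Assumes a logged-in Azure CLI."""
import json
import subprocess

API_VERSION = "2020-05-01"  # hierarchy settings api-version from the Microsoft doc
ROOT_MG_SCOPE = "/providers/Microsoft.Management/managementGroups/"

def settings_url(root_mg_id: str) -> str:
    """ARM URL of the tenant root group's default hierarchy settings."""
    return f"https://management.azure.com{ROOT_MG_SCOPE}{root_mg_id}/settings/default?api-version={API_VERSION}"

def protect_body(default_mg_id: str = "") -> dict:
    """PUT body limiting group creation to holders of Microsoft.Management/managementGroups/write."""
    props = {"requireAuthorizationForGroupCreation": True}
    if default_mg_id:  # optional: where new subscriptions land instead of the root
        props["defaultManagementGroup"] = ROOT_MG_SCOPE + default_mg_id
    return {"properties": props}

def hierarchy_is_protected(settings: dict) -> bool:
    """True when a GET of the settings shows the restriction on; empty means permissive default."""
    return bool(settings.get("properties", {}).get("requireAuthorizationForGroupCreation"))

def lingering_elevated_access(assignments: list) -> list:
    """Principals still holding User Access Administrator at scope "/" (elevation not removed)."""
    return sorted({a.get("principalName", "?") for a in assignments if a.get("scope") == "/"
                   and a.get("roleDefinitionName") == "User Access Administrator"})

def az(*args: str):
    """Run an Azure CLI command and parse its JSON output."""
    return json.loads(subprocess.run(["az", *args, "-o", "json"], check=True,
                                     capture_output=True, text=True).stdout)

# Constructed sample data so the checks can be exercised offline.
SAMPLE_SETTINGS = {"properties": {"requireAuthorizationForGroupCreation": True}}
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ga@contoso.example", "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "subadmin@contoso.example", "roleDefinitionName": "Owner", "scope": ROOT_MG_SCOPE + "<root group id>"}]

if __name__ == "__main__":
    root = az("account", "show")["tenantId"]  # the tenant root group id equals the tenant id
    try:
        live = az("rest", "--method", "get", "--url", settings_url(root))
    except subprocess.CalledProcessError:
        live = {}  # assumption: a failed GET (settings never written) is treated as unprotected
    print("hierarchy protected:", hierarchy_is_protected(live))
    print("elevated access still held by:", lingering_elevated_access(
        az("role", "assignment", "list", "--scope", "/", "--role", "User Access Administrator")))
```

To apply the restriction, send `protect_body()` with `az rest --method put --url "$(settings_url)" --body ...`; the principal doing so needs the settings/write permission quoted above.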

References

https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

How to protect your resource hierarchy (Azure governance, Microsoft Docs)


Written by Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal
