Most of the time, companies have more than one Azure subscription to which the same level of access and the same governance conditions should apply. Instead of setting those conditions for each subscription individually, they can organize their subscriptions in management groups. In this way they can apply enterprise-grade management at a larger scale, which helps them bring more structure to their Azure environments by efficiently managing access, policies and costs in an organizational or environment-based hierarchy.
What is the “Root” management group?
Each Azure Active Directory (Azure AD) directory has a top-level management group called the Root management group. It always has the default display name Tenant Root Group and an ID that is the same as the Azure Active Directory (tenant) ID. All other management groups, subscriptions and all Azure resources are part of this group. When you add (create) a new subscription, it is automatically attached to this root management group. Unlike all other management groups, this group cannot be moved or deleted.
No one has default access to change the default display name of the Root management group.
Only Azure AD Global Administrators can be elevated and assigned the necessary User Access Administrator role at the root scope (/).
In addition, to be able to rename the display name, the user must also have the Role-Based Access Control (RBAC) role of Owner, Contributor or Management Group Contributor assigned on the root management group. In summary, the requirements are:
- Global Administrator role with elevated access to manage all Azure subscriptions and management groups.
- Owner, Contributor or Management Group Contributor role assigned on the root management group.
Change the display name of the Root management group
Log on to the Azure Portal with a user who is assigned the Global Administrator role in Azure AD.
Click on Azure Active Directory in the sidebar and when the Azure Active Directory blade opens, click on Properties.
Under Access management for Azure resources, set the toggle switch to Yes. Click Save to apply the change. This only elevates the access of the signed-in Global Administrator, not that of all users who have the Global Administrator role.
You can also use Azure PowerShell to assign the User Access Administrator role at the root scope.

```powershell
## Assign the User Access Administrator role on your Tenant Root Group
New-AzRoleAssignment -SignInName "<your global admin account>" -Scope "/" -RoleDefinitionName "User Access Administrator"
```
Open Management groups from the sidebar and click on (details) next to the Tenant Root Group name.
Even if the Access level shows Owner, you should check whether the user has the Owner, Contributor or Management Group Contributor role. Click on Access control (IAM) and then on Role assignments to validate, and assign one of these RBAC roles if that is not the case.
If none of those RBAC roles is assigned to the user, you will receive the following error when you try to change the display name of the Tenant Root Group.
You can also use Azure PowerShell to assign the Owner role on your Tenant Root Group.

```powershell
## Assign the Owner (or Contributor) role on your Tenant Root Group
New-AzRoleAssignment -SignInName "<your global admin account>" -Scope "/" -RoleDefinitionName "Owner"
```
If one of the required RBAC roles is assigned, click on Rename Group.
Under Management group display name, you can now change the name to your own preference. Click Save to apply your new display name.
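The same procedure, as an added Az PowerShell example that is not code from the original post: it checks the two prerequisites (elevated User Access Administrator at "/", plus one of the three RBAC roles), assigns the narrowest missing role, and then renames the Tenant Root Group. It assumes Az.Accounts and Az.Resources, that Connect-AzAccount was already run as a Global Administrator, that the elevateAccess REST call is the equivalent of the portal toggle, and a placeholder display name.

```powershell
# Added example, not code from the original post: checks the prerequisites described
# above and renames the Tenant Root Group with Az PowerShell (Az.Accounts, Az.Resources).
# Assumed: Connect-AzAccount has already been run as an Azure AD Global Administrator,
# and "Contoso Root" is a placeholder for the display name you want.
$newDisplayName = "Contoso Root"   # placeholder, replace with your own name

$context  = Get-AzContext
$tenantId = $context.Tenant.Id     # the Root management group ID is the Azure AD tenant ID
$user     = $context.Account.Id    # sign-in name of the current user

function Get-RootScopeRoles {
    # Role names the current user holds directly at the root scope "/"
    Get-AzRoleAssignment -SignInName $user -Scope "/" |
        Where-Object { $_.Scope -eq "/" } |
        Select-Object -ExpandProperty RoleDefinitionName
}

# Step 1: the user must be elevated to User Access Administrator at "/".
$roles = @(Get-RootScopeRoles)
if ($roles -notcontains "User Access Administrator") {
    # Same operation as the "Access management for Azure resources" toggle in the portal
    # (the elevateAccess REST call; assumed here rather than taken from the post).
    Invoke-AzRestMethod -Method POST `
        -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" | Out-Null
    $roles = @(Get-RootScopeRoles)
    if ($roles -notcontains "User Access Administrator") {
        throw "Elevation failed: '$user' is not User Access Administrator at '/'."
    }
}

# Step 2: one of Owner, Contributor or Management Group Contributor is also needed,
# otherwise the rename is rejected. Management Group Contributor is the narrowest choice.
$required = @("Owner", "Contributor", "Management Group Contributor")
if (-not ($roles | Where-Object { $required -contains $_ })) {
    Write-Warning "No suitable RBAC role at '/', assigning Management Group Contributor to $user"
    New-AzRoleAssignment -SignInName $user -Scope "/" `
        -RoleDefinitionName "Management Group Contributor" | Out-Null
}

# Step 3: rename the Tenant Root Group (its group name is the tenant ID) and read it back.
Update-AzManagementGroup -GroupName $tenantId -DisplayName $newDisplayName | Out-Null
(Get-AzManagementGroup -GroupName $tenantId).DisplayName
```

A freshly created role assignment can take a few minutes to propagate, so the rename may need to be retried shortly after the assignment step.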
To change the display name of the Root management group, you need a user who is a Global Administrator and has elevated User Access Administrator rights. In addition, this user must also have the Owner, Contributor or Management Group Contributor RBAC role assigned on the Root management group.