Elevate access to manage all Azure subscriptions and management groups


As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.

Note

For information about viewing or deleting personal data, see Azure data subject requests for GDPR. For more information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the following actions:

  • Regain access to an Azure subscription or management group when a user has lost access
  • Grant another user or yourself access to an Azure subscription or management group
  • See all Azure subscriptions or management groups in an organization
  • Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups

How does elevated access work?

Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.

When you elevate your access, you are assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API. Every elevation is recorded in the directory activity log (see View elevate access log entries later in this article), so it can be audited.

You should remove this elevated access once you have made the changes you need to make at root scope.


Azure portal

Elevate access for a Global Administrator

Follow these steps to elevate access for a Global Administrator using the Azure portal.

  1. Sign in to the Azure portal or the Azure Active Directory admin center as a Global Administrator.

    If you are using Azure AD Privileged Identity Management, activate your Global Administrator role assignment.

  2. Open Azure Active Directory.

  3. Under Manage, select Properties.

  4. Under Access management for Azure resources, set the toggle to Yes.

    When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.

    When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.

    Note

    If you are using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

  5. Click Save to save your setting.

    This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role.

  6. Sign out and sign back in to refresh your access.

    You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll see that you have been assigned the User Access Administrator role at root scope.

  7. Perform the steps that require elevated access.

    For information about assigning roles, see Assign Azure roles using the Azure portal. If you are using Privileged Identity Management, see Discover Azure resources to manage or Assign Azure resource roles.

  8. Follow the steps in the following section to remove your elevated access.

Remove elevated access

To remove the User Access Administrator role assignment at root scope (/), follow these steps.

  1. Sign in as the same user that was used to elevate access.

  2. In the navigation list, click Azure Active Directory and then click Properties.

  3. Set the Access management for Azure resources toggle back to No. Since this is a per-user setting, you must be signed in as the same user that was used to elevate access.

    If you try to remove the User Access Administrator role assignment on the Access control (IAM) pane, you'll see the following message. To remove the role assignment, you must set the toggle back to No or use Azure PowerShell, Azure CLI, or the REST API.

  4. Sign out as Global Administrator.

    If you are using Privileged Identity Management, deactivate your Global Administrator role assignment.

    Note

    If you are using Privileged Identity Management, deactivating your role assignment does not change the Access management for Azure resources toggle to No. To maintain least privileged access, we recommend that you set this toggle to No before you deactivate your role assignment.

Azure PowerShell

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the Get-AzRoleAssignment command.

    Get-AzRoleAssignment | where {$_.RoleDefinitionName -eq "User Access Administrator" `
      -and $_.SignInName -eq "<username@example.com>" -and $_.Scope -eq "/"}

    RoleAssignmentId   : /providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
    Scope              : /
    DisplayName        : username
    SignInName         : username@example.com
    RoleDefinitionName : User Access Administrator
    RoleDefinitionId   : 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
    ObjectId           : 22222222-2222-2222-2222-222222222222
    ObjectType         : User
    CanDelegate        : False

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the Remove-AzRoleAssignment command to remove the User Access Administrator role assignment.

    Remove-AzRoleAssignment -SignInName <username@example.com> `
      -RoleDefinitionName "User Access Administrator" -Scope "/"

Azure CLI

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the Azure CLI.

  1. Use the az rest command to call the elevateAccess endpoint, which grants you the User Access Administrator role at root scope (/).

    az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

  2. Perform the steps that require elevated access.

    For information about assigning roles, see Assign Azure roles using Azure CLI.

  3. Follow the steps in a later section to remove your elevated access.

List role assignment at root scope (/)

To list the User Access Administrator role assignment for a user at root scope (/), use the az role assignment list command.

    az role assignment list --role "User Access Administrator" --scope "/"

    [
      {
        "canDelegate": null,
        "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
        "name": "11111111-1111-1111-1111-111111111111",
        "principalId": "22222222-2222-2222-2222-222222222222",
        "principalName": "username@example.com",
        "principalType": "User",
        "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "roleDefinitionName": "User Access Administrator",
        "scope": "/",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    ]

Remove elevated access

To remove the User Access Administrator role assignment for yourself or another user at root scope (/), follow these steps.

  1. Sign in as a user that can remove elevated access. This can be the same user that was used to elevate access or another Global Administrator with elevated access at root scope.

  2. Use the az role assignment delete command to remove the User Access Administrator role assignment.

    az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"

REST API

Prerequisites

You must use the following versions:

  • 2015-07-01 or later to list and remove role assignments
  • 2016-07-01 or later to elevate access
  • 2018-07-01-preview or later to list deny assignments

For more information, see API versions of Azure RBAC REST APIs.

Elevate access for a Global Administrator

Use the following basic steps to elevate access for a Global Administrator using the REST API.

  1. Using REST, call elevateAccess, which grants you the User Access Administrator role at root scope (/).

    POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01

  2. Perform the steps that require elevated access.

    For information about assigning roles, see Assign Azure roles using the REST API.

  3. Follow the steps in a later section to remove your elevated access.

List role assignments at root scope (/)

You can list all of the role assignments for a user at root scope (/).

  • Call Role Assignments - List For Scope where {objectIdOfUser} is the object ID of the user whose role assignments you want to retrieve.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectIdOfUser}'

List deny assignments at root scope (/)

You can list all of the deny assignments for a user at root scope (/).

  • Call Deny Assignments - List For Scope where {objectIdOfUser} is the object ID of the user whose deny assignments you want to retrieve.

    GET https://management.azure.com/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01&$filter=gdprExportPrincipalId+eq+'{objectIdOfUser}'

Remove elevated access

When you call elevateAccess, you create a role assignment for yourself, so to revoke those privileges you need to remove the User Access Administrator role assignment for yourself at root scope (/).

  1. Call Role Definitions - Get where roleName equals User Access Administrator to determine the name ID of the User Access Administrator role.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01&$filter=roleName+eq+'User Access Administrator'

    {
      "value": [
        {
          "properties": {
            "roleName": "User Access Administrator",
            "type": "BuiltInRole",
            "description": "Lets you manage user access to Azure resources.",
            "assignableScopes": [
              "/"
            ],
            "permissions": [
              {
                "actions": [
                  "*/read",
                  "Microsoft.Authorization/*",
                  "Microsoft.Support/*"
                ],
                "notActions": []
              }
            ],
            "createdOn": "0001-01-01T08:00:00.0000000Z",
            "updatedOn": "2016-05-31T23:14:04.6964687Z",
            "createdBy": null,
            "updatedBy": null
          },
          "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "type": "Microsoft.Authorization/roleDefinitions",
          "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
        }
      ],
      "nextLink": null
    }

    Save the ID from the name parameter, in this case 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9.

  2. You also need to list the role assignment of the directory administrator at directory scope. List all assignments at directory scope for the principalId of the directory administrator who made the elevate access call. This lists all assignments in the directory for that object ID.

    GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+'{objectid}'

    Note

    A directory administrator should not have many assignments. If the preceding query returns too many assignments, you can also query for all assignments just at directory scope level and then filter the results: GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=atScope()

  3. The preceding calls return a list of role assignments. Find the role assignment where the scope is "/", the roleDefinitionId ends with the role name ID you found in step 1, and the principalId matches the object ID of the directory administrator.

    Sample role assignment:

    {
      "value": [
        {
          "properties": {
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
            "principalId": "{objectID}",
            "scope": "/",
            "createdOn": "2016-08-17T19:21:16.3422480Z",
            "updatedOn": "2016-08-17T19:21:16.3422480Z",
            "createdBy": "22222222-2222-2222-2222-222222222222",
            "updatedBy": "22222222-2222-2222-2222-222222222222"
          },
          "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
          "type": "Microsoft.Authorization/roleAssignments",
          "name": "11111111-1111-1111-1111-111111111111"
        }
      ],
      "nextLink": null
    }

    Again, save the ID from the name parameter, in this case 11111111-1111-1111-1111-111111111111.

  4. Finally, use the role assignment ID to remove the assignment added by elevateAccess:

    DELETE https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111?api-version=2022-04-01
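The lookup in steps 1 to 4, pulled together as an added example that is not part of the original article: it takes the two REST responses, reads the User Access Administrator role definition GUID, then picks out the one assignment for the caller's object ID at scope "/" whose roleDefinitionId ends with that GUID, skipping assignments for the same role at other scopes and root-scope elevations belonging to other principals, and builds the DELETE URL. The JSON is constructed to mirror the shapes shown in this article rather than captured from a tenant, and the function names and placeholder GUIDs are assumptions. Python is used because the REST section is language-neutral.

```python
import json

# Constructed sample of the Role Definitions - Get response shown in this article
# (placeholder GUIDs; not captured from a real tenant).
ROLE_DEFINITIONS_RESPONSE = json.dumps({
    "value": [{
        "properties": {"roleName": "User Access Administrator", "type": "BuiltInRole"},
        "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    }],
    "nextLink": None,
})

UAA_DEF = "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ME = "22222222-2222-2222-2222-222222222222"      # objectId of the admin who elevated (assumed)

# Constructed sample of the Role Assignments - List response. Only the first entry is
# the one elevateAccess created; the other two are decoys a correct filter must skip.
ROLE_ASSIGNMENTS_RESPONSE = json.dumps({
    "value": [
        {"properties": {"roleDefinitionId": UAA_DEF, "principalId": ME, "scope": "/"},
         "id": "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
         "type": "Microsoft.Authorization/roleAssignments",
         "name": "11111111-1111-1111-1111-111111111111"},
        # same role and principal, but at a subscription scope: an ordinary assignment, leave it alone
        {"properties": {"roleDefinitionId": UAA_DEF, "principalId": ME,
                        "scope": "/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
         "id": "/subscriptions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
         "type": "Microsoft.Authorization/roleAssignments",
         "name": "33333333-3333-3333-3333-333333333333"},
        # root scope, but another Global Administrator's elevation: not ours to remove here
        {"properties": {"roleDefinitionId": UAA_DEF,
                        "principalId": "44444444-4444-4444-4444-444444444444", "scope": "/"},
         "id": "/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555",
         "type": "Microsoft.Authorization/roleAssignments",
         "name": "55555555-5555-5555-5555-555555555555"},
    ],
    "nextLink": None,
})

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"


def role_definition_guid(role_defs_json, role_name="User Access Administrator"):
    """Step 1: the GUID ('name') of the built-in role called role_name."""
    for d in json.loads(role_defs_json)["value"]:
        if d["properties"]["roleName"] == role_name:
            return d["name"]
    raise LookupError(f"role definition {role_name!r} not found")


def find_root_assignment(role_assignments_json, role_def_guid, principal_id):
    """Step 3: the single assignment at scope '/' for this principal and role, or None.
    IDs are compared case-insensitively because ARM resource IDs are not case-sensitive."""
    for a in json.loads(role_assignments_json)["value"]:
        p = a["properties"]
        if (p["scope"] == "/"
                and p["roleDefinitionId"].lower().endswith(role_def_guid.lower())
                and p["principalId"].lower() == principal_id.lower()):
            return a
    return None


def delete_url(assignment_name):
    """Step 4: the URL to DELETE; the assignment name is the GUID at the end of its id."""
    return (f"{ARM}/providers/Microsoft.Authorization/roleAssignments/"
            f"{assignment_name}?api-version={API_VERSION}")


def plan_removal(role_defs_json, role_assignments_json, principal_id):
    """Tie the steps together; None means the principal is not elevated at root scope."""
    guid = role_definition_guid(role_defs_json)
    a = find_root_assignment(role_assignments_json, guid, principal_id)
    return None if a is None else delete_url(a["name"])


if __name__ == "__main__":
    print(plan_removal(ROLE_DEFINITIONS_RESPONSE, ROLE_ASSIGNMENTS_RESPONSE, ME))
```

Matching on all three properties matters: the User Access Administrator role is routinely assigned at subscription scope for legitimate reasons, and another Global Administrator may have elevated too, so filtering on role alone, or on scope alone, would either delete the wrong assignment or leave the elevation in place.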

View elevate access log entries

When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the directory activity logs. This section describes different ways that you can view the elevate access logs.

View elevate access log entries using the Azure portal

  1. Follow the steps earlier in this article to elevate your access.

  2. Sign in to the Azure portal as a Global Administrator.

  3. Open Monitor > Activity log.

  4. Change the Activity list to Directory Activity.

  5. Search for the following operation, which signifies the elevate access action.

    Assigns the caller to User Access Administrator role

  6. Follow the steps earlier in this article to remove your elevated access.

View elevate access log entries using Azure CLI

  1. Follow the steps earlier in this article to elevate your access.

  2. Use the az login command to sign in as Global Administrator.

  3. Use the az rest command to make the following call, where you have to filter by a date as shown with the example timestamp and specify a filename where you want the logs to be stored.

    The url calls an API to retrieve the logs in Microsoft.Insights. The output is saved to your file.

    az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt

  4. In the output file, search for elevateAccess.

    The log resembles the following, where you can see the timestamp of when the action occurred and who called it.

    "submissionTimestamp": "2021-08-27T15:42:00.1527942Z",
    "subscriptionId": "",
    "tenantId": "33333333-3333-3333-3333-333333333333"
    },
    {
      "authorization": {
        "action": "Microsoft.Authorization/elevateAccess/action",
        "scope": "/providers/Microsoft.Authorization"
      },
      "caller": "user@example.com",
      "category": {
        "localizedValue": "Administrative",
        "value": "Administrative"
      },

  5. Follow the steps earlier in this article to remove your elevated access.

Delegate access to a group to view elevate access log entries using Azure CLI

If you want to be able to get the elevate access log entries on a regular basis, you can delegate access to a group and then use Azure CLI.

  1. Open Azure Active Directory > Groups.

  2. Create a new security group and note the group object ID.

  3. Follow the steps earlier in this article to elevate your access.

  4. Use the az login command to sign in as Global Administrator.

  5. Use the az role assignment create command to assign the Reader role to the group, which can then only read logs at the directory level, found under Microsoft/Insights.

    az role assignment create --assignee "{groupId}" --role "Reader" --scope "/providers/Microsoft.Insights"

  6. Add a user who will read the logs to the group created earlier.

  7. Follow the steps earlier in this article to remove your elevated access.

A user in the group can now periodically run the az rest command to view elevate access log entries.

    az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
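For both az rest calls above (the one-off search in the previous section and the delegated periodic check here), this added example, which is not part of the original article, does the filtering a reviewer would otherwise do by hand in output.txt: it parses the Microsoft.Insights management events response, keeps only events whose authorization.action is Microsoft.Authorization/elevateAccess/action, lists timestamp and caller newest first, and flags callers who are not on an approved list. The response JSON is constructed to mirror the fields shown in this article; the second and third events, the approved list and the function names are assumptions.

```python
import json

ELEVATE_ACTION = "microsoft.authorization/elevateaccess/action"

# Constructed sample of the Microsoft.Insights management events response, modelled on
# the fragment shown in this article. Not captured from a real tenant; the second
# and third events are invented to exercise the filter.
ACTIVITY_LOG_RESPONSE = json.dumps({
    "value": [
        {
            "authorization": {"action": "Microsoft.Authorization/elevateAccess/action",
                              "scope": "/providers/Microsoft.Authorization"},
            "caller": "user@example.com",
            "category": {"localizedValue": "Administrative", "value": "Administrative"},
            "eventTimestamp": "2021-08-27T15:42:00.1527942Z",
            "subscriptionId": "",
            "tenantId": "33333333-3333-3333-3333-333333333333",
        },
        {   # a directory-level event that is not an elevation; must be ignored
            "authorization": {"action": "Microsoft.Authorization/roleAssignments/write",
                              "scope": "/providers/Microsoft.Authorization"},
            "caller": "user@example.com",
            "category": {"localizedValue": "Administrative", "value": "Administrative"},
            "eventTimestamp": "2021-08-27T15:45:10.0000000Z",
            "subscriptionId": "",
            "tenantId": "33333333-3333-3333-3333-333333333333",
        },
        {   # an elevation by someone who is not on the approved list
            "authorization": {"action": "Microsoft.Authorization/elevateAccess/action",
                              "scope": "/providers/Microsoft.Authorization"},
            "caller": "breakglass@example.com",
            "category": {"localizedValue": "Administrative", "value": "Administrative"},
            "eventTimestamp": "2021-09-01T02:13:45.0000000Z",
            "subscriptionId": "",
            "tenantId": "33333333-3333-3333-3333-333333333333",
        },
    ],
})


def elevate_access_events(log_json):
    """Return (eventTimestamp, caller) for every elevateAccess event, newest first.
    The timestamps share one ISO-8601 UTC format, so string order is time order."""
    events = []
    for e in json.loads(log_json).get("value", []):
        action = (e.get("authorization") or {}).get("action", "")
        if action.lower() != ELEVATE_ACTION:
            continue
        events.append((e["eventTimestamp"], e.get("caller", "<unknown>")))
    events.sort(reverse=True)
    return events


def unexpected_callers(events, approved):
    """Callers who elevated but are not in the approved set (UPNs compared case-insensitively)."""
    approved_lower = {a.lower() for a in approved}
    return sorted({caller for _, caller in events if caller.lower() not in approved_lower})


if __name__ == "__main__":
    found = elevate_access_events(ACTIVITY_LOG_RESPONSE)
    for ts, who in found:
        print(ts, who)
    print("not on approved list:", unexpected_callers(found, {"user@example.com"}))
```

Feeding the saved output.txt through elevate_access_events instead of grepping for elevateAccess avoids matching the string in unrelated fields and gives the reviewer a caller-by-caller list to compare against the people who were expected to elevate in that window.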

Next Steps

  • Understand the different roles.
  • Assign Azure roles using REST API
Article information

Author: Barbera Armstrong

Last Updated: 04/17/2023
