Unable to run "az deployment mg create" on Tenant Root Group

Jose-Paolo Roldan 20 Reputation points
2024-03-12T03:36:40.1733333+00:00

Trying to deploy a management group structure via Bicep, starting one level down from "Tenant Root Group". The CLI command az deployment mg create needs to target the Tenant Root Group (which has the same ID as the Tenant ID, as per https://learn.microsoft.com/en-au/azure/governance/management-groups/overview#root-management-group-for-each-directory).

However, I keep getting the error below (CLI: *az deployment mg create -m


Accepted answer
SwathiDhanwada-MSFT 17,401 Reputation points
2024-03-13T06:50:04.9233333+00:00

@Jose-Paolo Roldan The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (Microsoft.Resources/deployments/*) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission.

The Global Administrator for Microsoft Entra ID doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps:

1. Elevate account access so the Global Administrator can assign roles. For more information, see Elevate access to manage all Azure subscriptions and management groups. (It seems you have already done this.)
2. Assign Owner or Contributor to the principal that needs to deploy the templates:

       az role assignment create --assignee "[userId]" --scope "/" --role "Owner"

The principal now has the required permissions to deploy the template.

1 person found this answer helpful.
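To make the accepted answer concrete, here is an added Bicep template (not code from the question or the answer) that builds a two-level management group hierarchy one level below the Tenant Root Group, which is the deployment the question describes. The group names, display names and the `topLevel`/`children` parameters are assumptions for illustration; the parent ID defaults to `tenant().tenantId` because the root group shares the tenant's ID.

```bicep
// Added example, not from the original post: creates management groups directly
// under the Tenant Root Group from a management-group-scoped deployment.
targetScope = 'managementGroup'

@description('ID of the group the new top-level groups hang under. The Tenant Root Group has the same ID as the tenant, so that is the default.')
param rootId string = tenant().tenantId

@description('Top-level groups to create under the root (assumed names).')
param topLevel array = [
  {
    name: 'mg-platform'
    displayName: 'Platform'
  }
  {
    name: 'mg-landingzones'
    displayName: 'Landing Zones'
  }
]

@description('Second-level groups; "parent" must be the name of an entry in topLevel (assumed names).')
param children array = [
  {
    name: 'mg-identity'
    displayName: 'Identity'
    parent: 'mg-platform'
  }
  {
    name: 'mg-connectivity'
    displayName: 'Connectivity'
    parent: 'mg-platform'
  }
  {
    name: 'mg-corp'
    displayName: 'Corp'
    parent: 'mg-landingzones'
  }
]

// Management groups are tenant-level resources. Even though this file is deployed at
// management-group scope (az deployment mg create), each group is declared with
// scope: tenant(); the details.parent link is what places it one level below the root.
resource top 'Microsoft.Management/managementGroups@2021-04-01' = [for g in topLevel: {
  scope: tenant()
  name: g.name
  properties: {
    displayName: g.displayName
    details: {
      parent: {
        id: '/providers/Microsoft.Management/managementGroups/${rootId}'
      }
    }
  }
}]

// The child loop waits for the whole top-level collection so the parent exists
// before the child references it by ID.
resource child 'Microsoft.Management/managementGroups@2021-04-01' = [for c in children: {
  scope: tenant()
  name: c.name
  properties: {
    displayName: c.displayName
    details: {
      parent: {
        id: '/providers/Microsoft.Management/managementGroups/${c.parent}'
      }
    }
  }
  dependsOn: [
    top
  ]
}]

output topLevelIds array = [for (g, i) in topLevel: top[i].id]
output childIds array = [for (c, i) in children: child[i].id]
```

Once the principal holds Owner (or at least Contributor) at scope "/" as the answer describes, the file deploys against the root group with `az deployment mg create --management-group-id "$(az account show --query tenantId -o tsv)" --location australiaeast --template-file mg-structure.bicep`; `--location` is required because a management-group deployment stores its metadata in a region. Running `az deployment mg what-if` with the same arguments first is a cheap way to confirm the principal's permissions and the intended hierarchy before anything is created, and `az role assignment list --scope "/" --assignee "[userId]"` shows whether the root-scope assignment from step 2 has actually landed.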

0 additional answers
