0 Votes
EnterpriseArchitect asked, vipulsparsh-MSFT commented

Unable to perform read-only command Get-AzManagementGroup?

How can I ensure that my service account with the Global Reader role can perform Get-AzManagementGroup?


Error message:

'The client 'serviceaccount@domain.com' with object id '123-GUID-XXX' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid.'

Tags: azure-ad-connect, azure-ad-domain-services, azure-security-center, azure-ad-identity-governance

1 Answer

1 Vote
vipulsparsh-MSFT answered, vipulsparsh-MSFT commented

@EnterpriseArchitect You would need the Management Group Reader permission (Microsoft.Management/managementGroups/read).
To grant it, go to your management group, select Access Control, then add the account with the Management Group Reader permission.





Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.





Thank you @vipulsparsh-MSFT. I am logged in as Global Administrator; however, I cannot see that IAM option?




0 Votes

I've also followed the steps in https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin to enable "Access management for Azure resources":



Even after logging out and logging back in again, it does not show the IAM option.

0 Votes

@vipulsparsh-MSFT May I know what the Azure command is for granting a specific Azure AD account the 'Microsoft.Management/register/action' role?

0 Votes
vipulsparsh-MSFT · EnterpriseArchitect

@EnterpriseArchitect You can check further on https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell; it has some examples from which you can customize your own.

1 Vote
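Added example (not from this thread or Microsoft's docs): a PowerShell version of the role assignment in the accepted answer, in the style of the role-assignments doc linked in the last comment, with an audit step so nothing broader than Reader is granted. The object id and tenant root management group id are placeholders; Azure AD directory roles such as Global Reader do not grant Azure RBAC rights, so the Management Group Reader role must be assigned at management-group scope.

```powershell
# Grant the least-privileged Azure RBAC role needed for Get-AzManagementGroup and verify it.
# Assumptions (placeholders): the service account's object id and the tenant root
# management group id (which equals the tenant id). Requires the Az.Resources module and
# a session that can assign roles at management-group scope, e.g. a Global Administrator
# who has elevated access as in the elevate-access doc linked above.

$ObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: service account object id
$RootMgId = '<tenant-id>'                            # placeholder: tenant root management group id
$RoleName = 'Management Group Reader'                # built-in role that carries Microsoft.Management/managementGroups/read
$Scope    = "/providers/Microsoft.Management/managementGroups/$RootMgId"

Connect-AzAccount | Out-Null   # interactive login as the role-assigning administrator

# Idempotent assignment: only add the role if it is not already present at this scope.
$existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    Write-Host "Assigned '$RoleName' to $ObjectId at $Scope"
} else {
    Write-Host "'$RoleName' is already assigned at $Scope"
}

# Audit: list every role the account holds at any management-group scope, so a broader
# role (Contributor, Owner) has not been granted by mistake.
Get-AzRoleAssignment -ObjectId $ObjectId |
    Where-Object { $_.Scope -like '/providers/Microsoft.Management/managementGroups/*' } |
    Select-Object RoleDefinitionName, Scope

# Verification, run in a separate session signed in as the service account once the
# assignment has propagated: the read that previously failed should now succeed.
#   Connect-AzAccount          # sign in as serviceaccount@domain.com
#   Get-AzManagementGroup      # lists the management groups the account can read
```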