Unable to assign RBAC role to the root management group

Hi,

If you try to assign an RBAC role to the root management group, you may encounter the following error, even if you are the Azure Account Owner, the Global Administrator…

New-AzureRmRoleAssignment -SignInName user@domain.io -RoleDefinitionName "Reader" -Scope /providers/Microsoft.Management/managementGroups/root
 

New-AzureRmRoleAssignment : The client ‘xxxx@domain.io’ with object id ’46f38ab7-404e-4a36-906f-3a19299cf41c’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/providers/Microsoft.Management/managementGroups/root/providers/Microsoft.Authorization/roleAssignments/e3a41417-f5b5-4476-8171-14866f42481f’.
At line:1 char:1

New-AzureRmRoleAssignment -SignInName
user@domain.io -RoleDef …

~~~~~~~~~~~~~~~~~

CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException

FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

Solution

You need to Elevate access for the Global Admin in order to control the root management group.

Do this: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Move an AzureDevOps resource to a diffrent resource group

Hi,

I have been asked to move an Azure DevOps organization resource from the original resource group (that by default takes the name of VS-{Orgnization Name}-Group to a new resource group. So the following are the needed permissions that you will require:

• You need to be the Organization Owner of the Azure DevOps organization

• You need the Write access to the target resource group. The Contributor role is the easiest role that provides this permission
• You need to be a Contributor of the Subscription. This is the error you will have if not: “User is not a subscription administrator or co-administrator of the Azure subscription.”

Once this done, you can move the to the new resource group, and then release the permissions.