If you try to assign an RBAC role to the root management group, you may encounter the following error, even if you are the Azure Account Owner, the Global Administrator…
New-AzureRmRoleAssignment -SignInName firstname.lastname@example.org -RoleDefinitionName "Reader" -Scope /providers/Microsoft.Management/managementGroups/root
New-AzureRmRoleAssignment : The client ‘email@example.com’ with object id ’46f38ab7-404e-4a36-906f-3a19299cf41c’ does not have authorization to perform action ‘Microsoft.Authorization/roleAssignments/write’ over scope ‘/providers/Microsoft.Management/managementGroups/root/providers/Microsoft.Authorization/roleAssignments/e3a41417-f5b5-4476-8171-14866f42481f’.
At line:1 char:1
firstname.lastname@example.org -RoleDef …
CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException
FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
You need to elevate access for the Global Admin in order to control the root management group.
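The elevation and the role assignment from the post, followed by removal of the elevated access, as an added example that is not part of the original post. It assumes the newer Az PowerShell module (Az.Accounts and Az.Resources) rather than the AzureRM cmdlets shown above, and `admin@example.com` is a placeholder for the Global Admin's sign-in name.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# interactive sign-in as a Global Administrator of the tenant.
$adminUpn    = 'admin@example.com'                 # placeholder: the Global Admin running this
$targetUpn   = 'firstname.lastname@example.org'    # user from the post
$rootMgScope = '/providers/Microsoft.Management/managementGroups/root'  # scope from the post

Connect-AzAccount | Out-Null

# 1. Elevate access: assigns the caller "User Access Administrator" at root scope "/".
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 2. Sign in again as a precaution, so the session picks up the new assignment.
Connect-AzAccount | Out-Null

try {
    # 3. The assignment that failed in the post.
    New-AzRoleAssignment -SignInName $targetUpn `
        -RoleDefinitionName 'Reader' -Scope $rootMgScope
}
finally {
    # 4. Remove the elevated assignment so no standing root-scope access remains.
    Remove-AzRoleAssignment -SignInName $adminUpn `
        -RoleDefinitionName 'User Access Administrator' -Scope '/'

    # 5. Audit: list anyone still holding User Access Administrator at "/".
    Get-AzRoleAssignment |
        Where-Object { $_.Scope -eq '/' -and
                       $_.RoleDefinitionName -eq 'User Access Administrator' } |
        Select-Object SignInName, ObjectId, RoleAssignmentId
}
```

An empty result from the last query means no principal visible to the caller still holds User Access Administrator at root scope.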