This month I thought I would touch on how to gain visibility of the Azure subscriptions under a tenancy. The question comes up often because partners normally hold a Global Administrator account, which gives them access to everything Microsoft 365 related but does not appear to work as expected on the Azure side of the offering.

 

If we take a step back and look at Azure Active Directory, it has two main components: identity and permissions. Identity is shared across all Microsoft offerings. Permissions are where things get interesting, because they are not shared across every Microsoft service. The way I think of it is that permissions belong to a Microsoft vertical: Microsoft 365 has its own set, Azure has its own, and other services theirs. The verticals share similar concepts, but the roles are named and administered separately. Azure Active Directory roles such as Global Administrator govern the directory and Microsoft 365, while Azure resources are governed by Azure role-based access control (Azure RBAC) roles such as Owner, Contributor and User Access Administrator, each assigned at a particular scope. This is why a Global Administrator under Microsoft 365 does not, by default, have any rights over the Azure environment under the same tenancy.

 

Microsoft does provide a way for a Global Administrator from the Microsoft 365 side to gain visibility and administration of the Azure subscriptions in the tenancy: elevating your login, which grants your account the User Access Administrator role at the root of the Azure resource hierarchy.

 

To set the groundwork on what elevating your login does, we need to understand how Azure subscriptions are structured. Most people think of an Azure subscription as sitting directly under the tenancy, much like a Microsoft 365 licence: you deploy and build your solution under the subscription, and billing rolls up into that subscription and through its associated payment method. That is not wrong, but there is an additional concept in play called scopes.

 

Scope means different things in different places within Azure, but in this context there is a root scope (written as "/") which every management group and Azure subscription sits under, and this is what elevating your login applies to. As a hierarchy it looks like Tenant > Root Scope > Management Group(s) > Azure Subscription(s) > Resource Group(s) > Resources. Azure RBAC role assignments are inherited downward, so when you elevate your login the User Access Administrator assignment is made at the root scope and is inherited by every management group and subscription below it. At that point you can grant any Azure Active Directory identity the Azure roles you require, at whatever scope is appropriate.

 

Elevating your login requires you to be signed in as a Global Administrator of the tenancy. Go to Azure Active Directory, then under the Manage section open the Properties page. At the bottom of the page you will find the option Access management for Azure resources (normally set to No). Setting it to Yes assigns your Global Administrator login the User Access Administrator role at the root scope.

 


Once you click Yes and then Save, you will need to sign out and back in for the permissions to take effect, because the token you are already holding does not carry the new assignment. Then go into the Azure Portal and click the gear icon in the top right, which opens the portal settings page with an area in the middle called Default Subscription Filter. From here you will see every subscription associated with the tenancy; select All Subscriptions. In the search box at the top of the page type Subscriptions and click the first item with a key icon. This takes you to the Subscriptions page, which should list every subscription in the tenancy (if you did not select All Subscriptions in the previous step you may only see a subset here).

 

Having User Access Administrator at the root scope gives you visibility of the subscriptions and the ability to manage access to them, but it does not let you read or modify any resources. If you need additional rights, add them to the appropriate identities by clicking on each subscription listed, opening Access Control (IAM) in the menu, and assigning roles on the principle of least privilege for the job each identity performs. Be deliberate here: a root-scope User Access Administrator can assign any role, including Owner, at any scope in the tenancy, so grant the narrowest role at the narrowest scope that does the job (for example Reader or Contributor on a single subscription or resource group rather than Owner at the root), and prefer assigning roles to groups rather than to individual users.

 

Once the right privileges are set up, I recommend turning off the elevated access by reversing the steps: go back into Azure Active Directory, under the Manage section click Properties, at the bottom of the page change the toggle to No and hit Save. This removes your User Access Administrator assignment at the root scope. Note that it removes only that assignment: any other role you or anyone else assigned at the root scope while elevated stays in place and has to be removed separately, and there are situations in which the toggle cannot remove the assignment at all, so check the documentation linked below for details.

 

To confirm the permission has been removed, go back to the Subscriptions page, click a subscription, open Access Control (IAM) and then the Role assignments tab: you should no longer appear under User Access Administrator with a scope of Root. It is also worth knowing that both elevating and removing elevated access are recorded in the tenant's Directory Activity log under Azure Monitor, which is where you would look if you suspect someone else has elevated a Global Administrator account.
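The same elevate, assign, de-elevate and verify sequence can be scripted, which is useful when a partner has to repeat it across many tenancies and wants the de-elevation and verification to happen every time rather than being forgotten. The script below is an added example written for this post with the Az PowerShell module; it is not from the original article or from Microsoft's documentation. It assumes the Az.Accounts and Az.Resources modules are installed, that the account signing in is a Global Administrator of the tenancy, and that the tenant ID, group object ID and role name passed in are your own (the parameter names and the Reader default are this example's choices, not anything the page specifies).

```powershell
<#
Added example (not from the original post): elevate a Global Administrator to
User Access Administrator at root scope, grant a group least-privilege rights on
every enabled subscription, remove the elevation, then verify nothing is left at "/".
Assumes Az.Accounts and Az.Resources are installed and the caller is a Global
Administrator in $TenantId. All parameter values are placeholders for your own.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    # Object ID of the Azure AD group that should receive rights (assign to groups, not users)
    [Parameter(Mandatory)] [string] $OperatorsGroupObjectId,
    # Least privilege: start with Reader and raise it per subscription only where needed
    [string] $RoleToGrant = 'Reader'
)

$ErrorActionPreference = 'Stop'
Connect-AzAccount -Tenant $TenantId | Out-Null

# 1. Elevate. This is the same operation the portal toggle performs: it adds a
#    User Access Administrator assignment for the caller at root scope "/".
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# The token already in hand does not carry the new assignment, so sign out and back in,
# exactly as the portal requires.
Disconnect-AzAccount | Out-Null
Connect-AzAccount -Tenant $TenantId | Out-Null
$me = (Get-AzContext).Account.Id

# 2. With root-scope rights the caller now sees every subscription in the tenancy.
$subs = Get-AzSubscription -TenantId $TenantId
$subs | Select-Object Name, Id, State | Format-Table -AutoSize

# 3. Grant the group a narrow role at subscription scope. Never assign Owner at "/".
foreach ($sub in ($subs | Where-Object State -eq 'Enabled')) {
    $scope = "/subscriptions/$($sub.Id)"
    $existing = Get-AzRoleAssignment -ObjectId $OperatorsGroupObjectId -Scope $scope `
        -RoleDefinitionName $RoleToGrant -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $OperatorsGroupObjectId -RoleDefinitionName $RoleToGrant `
            -Scope $scope | Out-Null
        Write-Host "Granted $RoleToGrant on $($sub.Name) ($($sub.Id))"
    }
}

# 4. De-elevate: remove only the caller's User Access Administrator assignment at "/".
#    Anything else assigned at root scope while elevated is NOT removed by this step.
Remove-AzRoleAssignment -SignInName $me -RoleDefinitionName 'User Access Administrator' -Scope '/'

# 5. Verify: list every assignment that lives at the root scope itself. An empty list is
#    the expected state once the elevation has been cleaned up.
$rootAssignments = Get-AzRoleAssignment -Scope '/' | Where-Object Scope -eq '/'
if ($rootAssignments) {
    Write-Warning 'Role assignments still exist at root scope "/":'
    $rootAssignments | Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
        Format-Table -AutoSize
} else {
    Write-Host 'No role assignments remain at root scope "/".'
}
```

Run it as `.\Elevate-AndAssign.ps1 -TenantId <tenant-guid> -OperatorsGroupObjectId <group-object-id>`. Step 5 is the check to keep even if you do everything else in the portal: any assignment whose Scope is exactly "/" is tenancy-wide and inherited by every subscription, so a non-empty list there after de-elevation means something still needs cleaning up.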

 

While the above is meant to give you some insight into how to gain access to the Azure subscriptions under a tenancy, I highly recommend reading the full documentation on the process, as it gives further detail on the structure involved and on removing elevated access.

 

https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin