1

I understand you can assign 'Contributor' RBAC role on the Subscription level to give a user permission to create Resource Groups.

However, is there a way to give that permission through AAD (Administrator role assignment)? Or any other way?

I am currently not able to create resource groups, and need to ask to be given the permission. I am trying to understand the various ways that can be done (especially because there are no RBAC roles at all on the subscription, except 'classic administrators', and yet I see some resource groups have been created and owned by non-classic administrators).

Gadam
  • AFAIK, the Contributor role also could be assigned by the classic administrator (e.g. co-administrator), so just let him assign the role for you, no need to use AAD. – Joy Wang Feb 28 '19 at 07:45
  • Yes, that's what I will most probably do. But I am trying to understand if it can be done through AAD as well, and if so, is it a better approach, and how? – Gadam Feb 28 '19 at 17:43
  • 1
    The end of every way needs you to become the RBAC role or classic admin. In AAD, it just gives you permission to do that (e.g. manage the subscription), but the goal of getting the permission is to assign the role. – Joy Wang Mar 01 '19 at 01:03
  • Wish I could also mark your comment as an answer, makes so much sense :) – Gadam Mar 01 '19 at 05:50
  • 1
    I add an answer for other community members to refer. – Joy Wang Mar 01 '19 at 06:03

3 Answers

1

The only other way to do it: assign the user as a global administrator; after that, that user can grant himself full permissions to everything inside the tenant.

It's under Azure AD blade >> Properties >> Access management for Azure resources

4c74356b41
  • So once I get Global Administrator privileges, I can assign myself as Contributor (or even Owner) of the subscription, and create Resource Groups -- is that the idea? – Gadam Feb 28 '19 at 17:35
  • 'everything inside the tenant' - I guess I'm a bit confused about how tenant and subscription (or any resource) are related. Tenant manages the identity of the resources (actually users and apps) but is not actually a container of resources AFAIK. So how does Global Administrator achieve what I am looking for? – Gadam Feb 28 '19 at 17:38
  • Subscriptions belong to a tenant. A global administrator of a tenant is effectively an owner of all of those and inherently resources inside them. – 4c74356b41 Feb 28 '19 at 17:39
1

AFAIK, the Contributor role also could be assigned by the classic administrator (e.g. co-administrator), so just let him assign the role for you, no need to use AAD.

Yes, that's what I will most probably do. But I am trying to understand if it can be done through AAD as well, and if so, is it a better approach, and how?

The end of every way needs you to become the RBAC role or classic admin. In AAD, it just gives you permission to do that (e.g. manage the subscription), but the goal of getting the permission is to assign the role.

Joy Wang
0

I understand you can assign 'Contributor' RBAC role on the Subscription level to give a user permission to create Resource Groups.

Your understanding is correct. To create a resource in the tenant, you need to assign the role on the subscription level (RBAC). But that's different from the role in AAD (Administrator role assignment).

For example, if you want to create a resource group, you need to assign the role to the user in the subscription.


But if you want to create a group in the AAD, you just need the role of the directory.


For the details about the RBAC, you could read here.

SunnySun
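The distinction the answers above draw between holding an RBAC role and holding the right to assign one, as an added example that is not from any of the posters: a small offline model of Azure RBAC evaluation (scope inheritance plus Actions/NotActions wildcards). The role definitions are trimmed copies of the built-in ones; the principals, subscription ID and assignments are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Trimmed copies of three built-in role definitions (control-plane actions only).
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}
CREATE_RG = "Microsoft.Resources/subscriptions/resourceGroups/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
ASSIGNMENTS = [  # constructed sample: (principal, role, scope)
    ("alice", "Contributor", SUB),
    ("bob", "Contributor", SUB + "/resourceGroups/rg-existing"),
    # Global Administrator after elevating access: this role at root scope "/".
    ("carol", "User Access Administrator", "/"),
]

def matches(patterns, action):
    # Action strings are case-insensitive and may contain '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(assigned, target):
    # An assignment applies at its own scope and at every child scope.
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def allowed(assignments, principal, action, target):
    for who, role, scope in assignments:
        if who == principal and in_scope(scope, target):
            actions, not_actions = ROLES[role]
            if matches(actions, action) and not matches(not_actions, action):
                return True
    return False

def report(principal, assignments=ASSIGNMENTS):
    # Simplification: both actions are evaluated at subscription scope.
    return {"create_rg": allowed(assignments, principal, CREATE_RG, SUB),
            "assign_roles": allowed(assignments, principal, ASSIGN_ROLE, SUB)}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, report(user))
    # carol uses her role-assignment right to grant herself Contributor.
    print("carol+Contributor", report("carol", ASSIGNMENTS + [("carol", "Contributor", SUB)]))
```

The same evaluator is useful for auditing an exported assignment list: any principal whose report shows `assign_roles` can reach `create_rg` by self-assignment, even when it cannot create resource groups today.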