4

I activated my global admin role in Privileged Identity Management.

When I navigate to the Access Control blade under a subscription, I see the Add role assignment options disabled.

Doesn't global admin have global rights and can do this?

Thanks

Tiju John

2 Answers

3

Doesn't global admin have global rights and can do this?

No. You're global admin in your Azure AD so you can perform all operations in Azure AD. Azure AD roles are different than Azure Subscription roles.

To be able to perform IAM related activities in an Azure Subscription, you must be assigned an Owner or User Access Administrator role in that Azure Subscription.

Considering you're the global admin in your Azure AD, you can elevate your permissions to perform IAM activities in Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.

The other option would be to ask someone on your team with proper access in the Azure Subscription to assign you the Owner or User Access Administrator role.

Gaurav Mantri
  • Same issue for me, but following the above guide (MS docs weblink) doesn't allow me to elevate myself as the Azure account owner. Under Access management for Azure resources, the toggle button is greyed out. – OJB1 Mar 25 '23 at 18:49
2

Azure roles happen to be different than Azure AD roles.

By default, AD roles manage AD and Azure roles manage Azure resources. However, there are some cross roles which can access resources across when needed. More information here.

Since Global Administrator is a cross-service role, he can elevate himself by granting himself the User Access Administrator role as here. Then I was able to see the disabled options enabled.

more information

Tiju John
  • another thing I learnt today is that an organization can configure additional policies to disable that option under AAD-properties. https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults – Tiju John Jun 03 '21 at 08:24
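
The check both answers describe, as an added example that is not part of either answer: given role assignments in the JSON shape that `az role assignment list` prints, decide whether a principal can manage IAM on a subscription, and list the root-scope User Access Administrator assignments that elevation leaves behind. The sample data, names and GUIDs are constructed, and management-group inheritance is not resolved.

```python
import json

# Roles the answer names as sufficient for IAM changes on a subscription.
IAM_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample (placeholder names and GUIDs, not real tenant data) using
# the principalName / roleDefinitionName / scope fields of the CLI's JSON output.
SAMPLE = json.loads("""
[
 {"principalName": "alice@contoso.example", "roleDefinitionName": "User Access Administrator",
  "scope": "/"},
 {"principalName": "bob@contoso.example", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "carol@contoso.example", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
 {"principalName": "dave@contoso.example", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]
""")

def covers(assignment_scope, target_scope):
    """True if an assignment made at assignment_scope is inherited by target_scope."""
    # Root scope "/" covers everything. Management-group scopes would need the
    # group hierarchy, which is not in this data, so they never match here.
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")

def can_manage_iam(assignments, principal, subscription_id):
    """True if principal holds Owner or User Access Administrator over the subscription."""
    target = f"/subscriptions/{subscription_id}"
    return any(
        a["principalName"].lower() == principal.lower()
        and a["roleDefinitionName"] in IAM_ROLES
        and covers(a["scope"], target)
        for a in assignments
    )

def root_scope_elevations(assignments):
    """Principals with User Access Administrator at root scope "/" (what elevation grants)."""
    return sorted(a["principalName"] for a in assignments
                  if a["scope"] == "/"
                  and a["roleDefinitionName"] == "User Access Administrator")

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000001"
    for a in SAMPLE:
        print(a["principalName"], can_manage_iam(SAMPLE, a["principalName"], sub))
    print("root-scope elevations:", root_scope_elevations(SAMPLE))
```

An Owner assignment on a resource group does not enable the Add role assignment option at subscription level, which is why the constructed `carol` entry evaluates to false.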