
Our subscription has 5 resource groups. Based on Microsoft documentation, the older "co-administrator" role is equivalent to the newer RBAC role of "Owner" when set at the subscription level.

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

The Service Administrator and the Co-Administrators have the equivalent access of users who have been assigned the Owner role (an Azure RBAC role) at the subscription scope.

I'm not seeing this behavior. When my account role is set to owner at the subscription level, I cannot see any resource groups. When I set that same account to co-administrator, I can see all 5 resource groups.

How can I use the newer RBAC roles to allow owners to see all resource groups within a subscription?

Geekn
  • UPDATE: If I give the account that is an owner of the subscription the "Global Administrator" directory role, it can see all resource groups, but I don't know why that is needed if the subscription Owner should have all rights within that subscription. – Geekn Oct 12 '18 at 20:39
  • Please check if you have any specific role assignments on these resource groups that remove inherited ones. – Rohit Saigal Oct 13 '18 at 04:20
  • We do not have any overrides. Without the Global Admin role, it can only see resource groups that it creates itself. – Geekn Oct 13 '18 at 14:41
  • Can you share a (redacted, where necessary) screenshot of the subscription's Access control (IAM) view, and a screenshot of the resource group's? And verify that the resource groups are, indeed, in the subscription in question? – Philippe Signoret Oct 14 '18 at 17:39
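The checks the commenters ask for (assignments on the subscription, overrides on the resource groups, and whether the groups really sit in that subscription) can be scripted. The following is an added example, not part of the question or of either commenter's suggestion; it uses the current Az module rather than AzureRm, and the subscription id and sign-in name are placeholders to replace with your own values.

```powershell
# Added example (not from the original question or answer): enumerate what actually
# governs a user's visibility of resource groups in one subscription.
# Assumes the Az module (Az.Accounts, Az.Resources) and an existing Connect-AzAccount session.
# $SubscriptionId and $SignInName are placeholders; replace them with your own values.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$SignInName     = "user@example.onmicrosoft.com"            # placeholder

# Pin every later cmdlet to the subscription under investigation.
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$subScope = "/subscriptions/$SubscriptionId"

# 1. Role assignments that apply to the user at subscription scope, including those
#    inherited through group membership. A direct Owner grant shows Scope = $subScope.
Write-Host "== Role assignments for $SignInName at $subScope =="
Get-AzRoleAssignment -SignInName $SignInName -Scope $subScope -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize

# 2. Assignments at root scope ("/"). A Global Administrator who has used "Elevate access"
#    holds User Access Administrator at "/", which explains why adding that directory role
#    changes what an account can see. Reading root scope needs permission; errors are ignored.
Write-Host "== Root-scope assignments for $SignInName =="
Get-AzRoleAssignment -SignInName $SignInName -Scope "/" -ErrorAction SilentlyContinue |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 3. Confirm the resource groups are in this subscription and check each one for deny
#    assignments, which block access regardless of an Owner role assignment.
Write-Host "== Resource groups in $SubscriptionId =="
Get-AzResourceGroup | ForEach-Object {
    $deny = Get-AzDenyAssignment -Scope $_.ResourceId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ResourceGroup   = $_.ResourceGroupName
        DenyAssignments = @($deny).Count
    }
} | Format-Table -AutoSize
```

Run it from a session that is already signed in with an account allowed to read role assignments. If step 1 shows Owner at the subscription scope, step 3 lists the five groups, and no deny assignments appear, the portal view itself (for example a subscription filter or a stale sign-in) is the next thing to rule out.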

1 Answer


You can use Azure AD PowerShell to create a user, then grant the "Owner" role to the user. For more details, please refer to the document.

#create user
Connect-AzureAD
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Wdsr199545!"
New-AzureADUser -DisplayName "test User" -PasswordProfile $PasswordProfile -UserPrincipalName "test@hanxia.onmicrosoft.com" -AccountEnabled $true -MailNickName "testuser"

#grant access
Login-AzureRmAccount
# Get-AzureRmSubscription returns every subscription the signed-in account can see;
# select the one you mean so that $sub.Id is a single value, not an array.
$sub = Get-AzureRmSubscription | Select-Object -First 1
$scope = "/subscriptions/" + $sub.Id
# Assign Owner at subscription scope; the assignment is inherited by every resource group in it.
New-AzureRmRoleAssignment -SignInName test@hanxia.onmicrosoft.com -Scope $scope -RoleDefinitionName Owner
Jim Xu