I'm building an Azure Management Group structure and I'm having issues with the add subscription option on a sub-management group: the option is grayed out when the Owner role is assigned via an AAD Security group. So in short, do Azure Management groups support permission management via AAD Security groups?
Some details:
- I'm global admin
- On the management group I have assigned the Owner role to an Azure AD (AAD) Security Group of which my account is a member. The security group has the option "Azure AD roles can be assigned to the group" set.
I have played around and also assigned my AAD security group the role "Management Group Contributor" without success. I have also added the group on root level so it's inherited. If I instead assign my account directly the Owner role on the management group then it works and I can add subscriptions.
I have checked the documentation available and cannot find anything about security groups not being supported.
Screenshots:
Application Management Group access (access is inherited)
Issue - cannot add subscription, rename etc. despite Owner role
On the tenant root group I can add subscriptions etc. but not on child management groups.