
The other day I received a security incident from an Azure subscription that I didn’t recognize. As we have a lot of MSDN subscriptions linked to our tenant, I thought it would be plausible that the security incident was raised from one of these subscriptions. However, how do you get access to these MSDN subscriptions linked to your Azure Active Directory?

Although I have been working with Azure governance (Management Groups, Policies etc.) for a while now, I always thought that there were access levels on the tenant (Azure Active Directory) and the Azure subscription; however, Management Groups add another ‘level’ of authorization.

[Screenshot: Switch 'Elevated access with Management Groups & Azure Subscriptions' to "Yes"]

After adding my user account to the Root Management group I was able to see all subscriptions that are linked to our tenant.

Elevate access and access the Root Management group

Log in to the Azure portal as Global Administrator, browse to “Azure Active Directory” and click on “Properties”.

[Screenshot: Switch 'Azure Active Directory Properties' to "Yes"]

At the bottom, under ‘Access management for Azure resources’, set the switch to “Yes” and click on “Save” (at the top).

[Screenshot: Switch 'Access management for Azure resources' to "Yes"]

When you toggle to ‘Yes’ you are assigned the ‘User Access Administrator’ role in Azure RBAC at the root scope. This allows you to see all the Azure subscriptions that are linked to your tenant. The ‘Access management for Azure resources’ option is only visible to users that are ‘Global Administrator’.

All you have to do now is sign out and sign back in to use your newly assigned rights.
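Because the toggle leaves a standing ‘User Access Administrator’ assignment at the root scope, it is worth checking periodically who still holds it. The script below is an added example, not part of the original post: it filters a JSON export of role assignments for that role at scope "/". The input shape is assumed to match the output of `az role assignment list --scope "/" --output json`, and the sample data, the `find_root_elevations` function and the `approved` allow-list are constructed for illustration.

```python
import json

# Constructed sample shaped like the JSON from
# `az role assignment list --scope "/" --output json` (field names assumed
# from Azure CLI output; every principal and date below is made up).
SAMPLE = """
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/",
   "createdOn": "2019-03-02T09:15:00+00:00"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/",
   "createdOn": "2018-11-20T14:02:00+00:00"},
  {"principalName": "carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-constructed",
   "createdOn": "2019-01-10T08:00:00+00:00"},
  {"principalName": "dave@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader", "scope": "/",
   "createdOn": "2019-02-01T10:30:00+00:00"}
]
"""

ELEVATED_ROLE = "User Access Administrator"
ROOT_SCOPE = "/"


def find_root_elevations(assignments, approved=()):
    """Return ELEVATED_ROLE assignments made exactly at root scope, oldest first.

    `approved` is a hypothetical allow-list of principals expected to hold it.
    """
    allowed = {p.lower() for p in approved}
    findings = []
    for a in assignments:
        if a.get("roleDefinitionName") != ELEVATED_ROLE or a.get("scope") != ROOT_SCOPE:
            continue  # other roles, or narrower scopes such as a management group
        name = a.get("principalName") or a.get("principalId") or "<unknown>"
        findings.append({"principal": name,
                         "created": a.get("createdOn", ""),
                         "approved": name.lower() in allowed})
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    for f in find_root_elevations(json.loads(SAMPLE), approved=["alice@contoso.example"]):
        status = "expected" if f["approved"] else "REVIEW"
        print(f"{status:8} {f['principal']:28} since {f['created']}")
```

Entries marked REVIEW are candidates for removing the root-scope assignment once the elevated access is no longer needed.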