1
votes

I understand you can assign 'Contributor' RBAC role on the Subscription level to give a user permission to create Resource Groups.

However, is there a way to give that permission through AAD (Administrator role assignment)? Or any other way?

I am currently not able to create resource groups, and need to ask to be given the permission. I am trying to understand what the various ways are that this can be done (especially because there are no RBAC roles at all on the subscription, except 'classic administrators', and yet I see some resource groups have been created and owned by non-classic administrators).

3
AFAIK, the Contributor role also could be assigned by the classic administrator (e.g. co-administrator), so just let him assign the role for you, no need to use AAD. - Joy Wang-MSFT
Yes, that's what I will most probably do. But trying to understand if it can be done through AAD as well, and if so is it a better approach, and how? - Gadam
The end of every way needs you to become the RBAC role or classic admin. In AAD, it just gives you permission to do that (e.g. manage the subscription), but the goal of getting the permission is to assign the role. - Joy Wang-MSFT
Wish I could also mark your comment as an answer, makes so much sense :) - Gadam
I add an answer for other community members to refer to. - Joy Wang-MSFT

3 Answers

1
votes

The only other way to do it: assign the user the Global Administrator role; after that, the user can grant himself full permissions to everything inside the tenant.

It's under Azure AD blade >> Properties >> Access management for Azure resources

1
votes

AFAIK, the Contributor role also could be assigned by the classic administrator (e.g. co-administrator), so just let him assign the role for you, no need to use AAD.

Yes, that's what I will most probably do. But trying to understand if it can be done through AAD as well, and if so is it a better approach, and how?

The end of every way needs you to become the RBAC role or classic admin. In AAD, it just gives you permission to do that (e.g. manage the subscription), but the goal of getting the permission is to assign the role.

0
votes

I understand you can assign 'Contributor' RBAC role on the Subscription level to give a user permission to create Resource Groups.

Your understanding is correct. To create a resource in the tenant, you need to assign the role on the subscription level (RBAC). But that's different from the role in AAD (Administrator role assignment).

For example, if you want to create a resource group, you need to assign the role to the user in the subscription.

But if you want to create a group in the AAD, you just need the role of the directory.

For the details about the RBAC, you could read here.
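
An added example, not part of any answer above: a small offline model of how Azure RBAC decides whether a principal may create a resource group at subscription scope, illustrating why the elevated Global Administrator path still ends in a role assignment. The principals, the subscription ID and the helper names are constructed for illustration; the role definitions are abridged copies of the built-in roles, and an elevated Global Administrator is modelled as holding User Access Administrator at root scope `/`.

```python
from fnmatch import fnmatchcase

RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Built-in Azure RBAC roles, abridged to the entries that matter here.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": []},
}

# Constructed sample assignments (hypothetical principals).
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    # What an elevated Global Administrator receives: a role at root scope "/".
    {"principal": "bob", "role": "User Access Administrator", "scope": "/"},
    {"principal": "carol", "role": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
]

def role_allows(role, action):
    """Allowed if some Actions pattern matches and no NotActions pattern does."""
    d = ROLES[role]
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(d["actions"]) and not hit(d["notActions"])

def scope_covers(assigned, target):
    """An assignment applies at its own scope and at every child scope."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def granting_roles(principal, action, scope):
    """Roles among the principal's assignments that permit action at scope."""
    return [x["role"] for x in ASSIGNMENTS
            if x["principal"] == principal
            and scope_covers(x["scope"], scope)
            and role_allows(x["role"], action)]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "create RG:", granting_roles(who, RG_WRITE, SUB),
              "| assign roles:", granting_roles(who, ROLE_WRITE, SUB))
```

In this model, bob can write role assignments but cannot create a resource group until he assigns himself a role such as Contributor, and carol's Contributor role scoped to one resource group does not reach the subscription.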