-
Hi JackVeneno,
Thank you for your question.
To allow the user TD-Juan to assign an Azure policy to the root management group, TD-Juan must have the Microsoft Entra ID role of Global Administrator and enable access management for Azure resources.
The root management group is the highest level in Azure’s management hierarchy, and no user has access to it by default. Only Global Administrators can enable access management, which lets them manage all Azure subscriptions and management groups, including the root management group. Once access management is enabled, the Global Administrator can assign roles and policies at the root scope.
Assigning the Owner role alone, even with access management enabled, does not grant access to the root management group unless the user is a Global Administrator who has elevated their access. Creating a new management group and assigning Owner or Contributor roles does not provide permissions at the root level.
Therefore, the correct step is to assign TD-Juan the Global Administrator role in Microsoft Entra ID and enable access management for Azure resources.
Please let me know if you need further assistance.
Best,
Irene @ Tutorials Dojo
