Elevating Access for Global Administrators in Azure

Why Elevate Access?

Global Administrators in Microsoft Entra ID may need to elevate access to:

  • Regain or grant access to Azure subscriptions or management groups.

  • View all Azure subscriptions or management groups in the organization.

  • Enable automation apps to access all Azure subscriptions or management groups.

How Elevated Access Works

  • Microsoft Entra ID and Azure resources have independent security models.

  • Global Administrators do not automatically have access to Azure subscriptions.

  • Elevating access assigns the User Access Administrator role at the root scope (/), allowing management of all subscriptions and management groups.

  • This role should be removed after necessary changes are made.

Steps to Elevate Access

  1. Sign in to the Azure portal as a Global Administrator.

  2. Go to Microsoft Entra ID > Properties.

  3. Enable Access management for Azure resources by setting the toggle to Yes.

  4. Click Save, then sign out and sign back in.

  5. You now have User Access Administrator permissions at the root scope.

Removing Elevated Access

  1. Sign in as the same user who elevated access.

  2. Navigate to Microsoft Entra ID > Properties.

  3. Set the Access management for Azure resources toggle to No.

  4. Sign out as Global Administrator.

This setting is user-specific and does not apply to all Global Administrators.
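Because the toggle is per user, a review has to list every root-scope assignment rather than check one account. The following added example (not part of the original post) filters the JSON from `az role assignment list --scope "/"` for User Access Administrator assignments at `/` and flags old ones; the field names follow what that command is assumed to emit, and the sample records and the 4-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Built-in role definition GUID for User Access Administrator.
UAA_GUID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
OTHER_GUID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"

def row(principal, scope, role_guid, created):
    """Build one constructed record with the field names this example assumes."""
    return {"principalName": principal, "scope": scope,
            "roleDefinitionId": PREFIX + role_guid, "createdOn": created}

# Constructed sample; in practice load the JSON printed by the az command.
SAMPLE = [
    row("alice@example.com", "/", UAA_GUID, "2024-05-01T09:00:00+00:00"),
    row("bob@example.com", "/subscriptions/" + OTHER_GUID, UAA_GUID,
        "2024-05-02T09:00:00+00:00"),
    row("carol@example.com", "/", OTHER_GUID, "2024-05-02T10:00:00+00:00"),
    row("dave@example.com", "/", UAA_GUID.upper(), "2024-05-03T11:00:00+00:00"),
]
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run

def root_uaa_assignments(assignments, now, max_age=timedelta(hours=4)):
    """Return root-scope User Access Administrator assignments, oldest first."""
    findings = []
    for a in assignments:
        if a.get("scope") != "/":          # only the root scope matters here
            continue
        guid = a.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if guid != UAA_GUID:               # match on GUID, not display name
            continue
        age = now - datetime.fromisoformat(a["createdOn"])
        findings.append({"principal": a.get("principalName", "<unknown>"),
                         "age_hours": round(age.total_seconds() / 3600, 1),
                         "stale": age > max_age})
    return sorted(findings, key=lambda f: f["age_hours"], reverse=True)

if __name__ == "__main__":
    for f in root_uaa_assignments(SAMPLE, NOW):
        flag = "STALE, remove" if f["stale"] else "recent"
        print(f"{f['principal']}: {f['age_hours']}h at root scope ({flag})")
```

Each flagged principal has to clear the assignment by signing in and setting the toggle to No, as described in the steps above.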
