From Entra Admin to Azure Powerhouse: Elevate Your Access the Smart Way

-

 




As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. Below are methods to elevate access to all subscriptions and management groups.





WHY WOULD YOU NEED TO ELEVATE YOUR ACCESS? 

1. Global Administrators should consider the following scenarios for elevating access. 

2. Regain access to an Azure subscription or management group when a user has lost access. 

3. Grant another user or yourself access to an Azure subscription or management group.

 4. See all Azure subscriptions or management groups in an organization. 

5. Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.



HOW DOES ELEVATED ACCESS WORK? 

Microsoft Entra ID roles and Azure roles are managed separately. A Global Administrator in Entra ID can temporarily elevate their access to assign themselves the "User Access Administrator" role in Azure at the root scope. This allows managing access to all Azure subscriptions and resources in the directory. Elevated access should be removed after completing necessary changes.




ELEVATE ACCESS FOR A GLOBAL ADMINISTRATOR

• Follow these steps to elevate access for a Global Administrator using the Azure portal. 

1. Sign in to the Azure portal or the Microsoft Entra admin center as a Global Administrator.

 2. Open Azure -> navigate to Entra ID.

 3. Under Manage, select Properties. 

4. Under Access management for Azure resources, set the toggle to Yes. 





ELEVATE ACCESS FOR A GLOBAL ADMINISTRATOR

The toggle allows Global Administrators in Microsoft Entra ID to assign themselves the "User Access Administrator" role at the Azure root scope. When set to Yes, it grants permission to manage roles across all Azure subscriptions and management groups in the directory. When set to No, the role is removed, restricting access to only the resources explicitly assigned to the user. 

5. Click Save to save your setting. This setting is not a global property and applies only to the currently signed in user. You can't elevate access for all members of the Global Administrator role. 

6. Sign out and sign back in to refresh your access. You should now have access to all subscriptions and management groups in your directory. When you view the Access control (IAM) pane, you'll notice that you have been assigned the User Access Administrator role at root scope. 


ELEVATE ACCESS FOR A GLOBAL ADMINISTRATOR



REMOVE ELEVATED ACCESS

Remove elevated access To remove the User Access Administrator role assignment at root scope (/), follow these steps. 

1.Sign in as the same user that was used to elevate access. 

2.In the navigation list, click Microsoft Entra ID and then click Properties.

 3.Set the Access management for Azure resources toggle back to No. Since this is a per-user setting, you must be signed in as the same user as was used to elevate access. If you try to remove the User Access Administrator role assignment on the Access control (IAM) pane, you'll see the following message. To remove the role assignment, you must set the toggle back to No or use Azure PowerShell, Azure CLI, or the REST API. 

4. Sign out as Global Administrator.






Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
🔹 Benefits of IntuneWin: ✅ Seamless app packaging 📦 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »

🔧 Microsoft 365 Apps Admin Center: Tips & Tricks

-
Bild
  Microsoft 365 Apps Admin Center What is the M365 apps admin center? Deployment Configuration Profile is a configuration profile used to automate and manage how software, such as Microsoft 365 Apps (Office), should be deployed and configured on devices within an organization. This profile allows IT administrators to define exactly how the installation should proceed, which settings should apply, and which components should be included. Where are Deployment Configuration Profiles used? - Microsoft Intune: For cloud-based management of devices and software. - Office Deployment Tool (ODT): For local deployments of Office. - Group Policy: For traditional on-premises networks with Active Directory. I will configure it in the Intune environment To get started with the  Microsoft 365 Apps Admin Center ,  1-Sign in  https://config.office.com/  with you Intune admin account,  you should first go to  Settings  and activate or create a  custom profile ...
Read more »