We’ve recently had a client who was quite confused about what Global Admin rights actually provided for rights to their Azure account. They wanted a tech with Global Admin rights to add a ROLE ASSIGNMENT (i.e. give permission to access) an Azure File Share, but when they tried, they saw ADD ROLE ASSIGNMENT (link under ADD at the top of the page) was disabled and the ADD ROLE ASSIGNMENT button (at the bottom of the page) was grayed out.
Global Admin allows for full user and VM control, as well as the ability to add yourself to other roles… but Global Admin does not immediately provide access to all Azure Features. Fortunately, it is easy for Global Admin’s to expand their rights.
Access Control (IAM) activities in an Azure Subscription require you to be an Owner or User Access Administrator role in that Azure subscription. So Azure Global Admin’s have two easy options:
- Ask someone who is the OWNER or USER ACCESS ADMINISTRATOR to add them
- Become an Azure Subscription Administrator
The first option is pretty obvious so we will leave that one, but how to become a full Global Administrator is slightly more difficult.
How To Add an Azure Subscription Administrator
In our case, our client wanted their Global Administrator to be able to make permission changes to all of their Azure Storage accounts and all of their Azure File Shares. Here we show you how to elevate access to manage all Azure subscriptions and management groups.
- Sign into https://portal.azure.com
- Activate your Global Administrator via PIM
- Search for and click on MICROSOFT ENTRA ID (formerly Azure AD Active Directory)
- Click PROPERTIES, from the menu on the left
- Click the ACCESS MANAGEMENT FOR AZURE RESOURCES slider to YES
- Click SAVE button (bottom of the page
You have to wait about 2 minutes for this to fully take hold but after that you can simply refresh the page and you should then be able to access your and modify Access Management AIM in Azure File Shares or elsewhere, without problem.
1 Comment
SOLVED: How To Activate Global Administrator via Azure Privileged Identity Management (PIM) – Up & Running Technologies, Tech How To's · January 19, 2024 at 2:40 pm
[…] GLOBAL ADMINISTRATOR (or any other role you want), and click the ACTIVATE link in the ACTION […]