Forum Discussion
Azure Active Directory Functions Vs Azure Functions (RBAC)
- Mar 15, 2021
Hi, fotine
Azure AD (AAD) Global Administrators by default do not have privileges over Azure resources. Their role scope is only the AAD itself. However, a Global Administrator can elevate her/himself and become User Access Administrator at the Azure root Management Group - with this privilege, this user can then add her/himself other Azure roles, such as Owner, at any Azure scope. More details here. As you see, AAD Global Admin is the most powerful role in Azure and at least these identities should be very well protected (strong password, MFA, etc.). Answering your question: an AAD Global Administrator can't by default create Azure Resource Groups but has the means to do so by elevating access.
Azure Owners (or other Azure roles) have privileges over the Azure scope only (management groups, subscriptions, resource groups, or resources). Their privileges are inherited down the hierarchy. Therefore, a Management Group Owner has privileges down to all the MGs, subscriptions, resource groups, etc. in the MG hierarchy. Having said that, an Azure Owner does not have privileges over Azure AD, unless this user is also granted an AAD privilege (Global Admin, User Admin, etc.).
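The two points in the answer above (Azure RBAC assignments flow down the scope hierarchy but never up into Azure AD, and an elevated Global Administrator shows up as User Access Administrator at the root scope "/") can be modelled in a few lines. The following is an added example, not code from the thread or from Microsoft: the scope hierarchy, principal names and role assignments are constructed sample data, and the scope-string layout follows the Azure resource-ID convention.

```python
"""Added example: model Azure RBAC scope inheritance and audit root-scope elevation.

Assumptions (not from the thread): the hierarchy, principals and assignments below
are constructed sample data; scope strings follow the Azure resource-ID convention.
"""
from dataclasses import dataclass

ROOT = "/"  # tenant root scope; "elevate access" grants User Access Administrator here
MG_ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root-mg"
MG_PROD = "/providers/Microsoft.Management/managementGroups/prod-mg"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
RES = RG + "/providers/Microsoft.Storage/storageAccounts/stapp01"

# Constructed hierarchy: child scope -> parent scope (the root "/" has no parent).
PARENT = {MG_ROOT: ROOT, MG_PROD: MG_ROOT, SUB: MG_PROD, RG: SUB, RES: RG}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


def ancestors(scope):
    """Scopes whose assignments apply at `scope`: itself, then each parent up to root."""
    chain = [scope]
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def effective_roles(principal, scope, assignments):
    """Roles `principal` holds at `scope`.

    Azure RBAC inherits downward only, so an assignment counts if and only if its
    scope is `scope` itself or one of its ancestors. Nothing assigned at a
    subscription ever applies at the management group above it.
    """
    applicable = set(ancestors(scope))
    return {a.role for a in assignments
            if a.principal == principal and a.scope in applicable}


def root_elevations(assignments):
    """Audit check: User Access Administrator at "/" is the footprint a Global
    Administrator leaves after using elevate access. Every hit deserves review,
    because that principal can grant itself Owner at any scope below."""
    return [a for a in assignments
            if a.scope == ROOT and a.role == "User Access Administrator"]


# Constructed sample assignments.
ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", MG_ROOT),                     # inherited everywhere below
    RoleAssignment("bob", "Reader", SUB),                          # subscription and below only
    RoleAssignment("ga-user", "User Access Administrator", ROOT),  # elevated Global Admin
    RoleAssignment("ga-user", "Owner", SUB),                       # self-granted after elevation
]

if __name__ == "__main__":
    print("alice @ storage account:", effective_roles("alice", RES, ASSIGNMENTS))
    print("bob @ prod management group:", effective_roles("bob", MG_PROD, ASSIGNMENTS))
    for a in root_elevations(ASSIGNMENTS):
        print(f"ROOT ELEVATION: {a.principal} holds {a.role} at {a.scope}")
```

Against a real tenant the same audit is `az role assignment list --scope /` (or the equivalent Get-AzRoleAssignment call with the root scope), which lists exactly the assignments `root_elevations` looks for; the elevation toggle itself lives under Azure AD > Properties as "Access management for Azure resources" and should be switched back off once the task that needed it is done.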