Forum Discussion
Understanding Azure Account, Subscription and Directory.
Stephane Budo, one horrible discovery I've made recently is that the tenant Global Admin can be locked out of a Subscription that it created. We have an AAD in a hybrid mode, not that it is germane to this conversation. It turns out if the IAM Role on the Subscription is modified and the Global Admin is removed from the "Global Admin" Role, you lose access to the Subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.
It is obscene that the highest level of authority over a tenant can be locked out of any Subscription simply by removing the Role from their identity.
Hi rocketman2200,
I believe you can overwrite this from the Azure Active Directory properties by enabling the "Global Admin have access to all subscriptions" setting.
Hope this helps,
Stephane
- rocketman2200, Oct 22, 2020, Copper Contributor
Thanks for your reply.
However, the Global Admin account had also lost access to the AAD when this happened. I would get an error page when attempting to access the AAD.
Once again telling me that even a Global Admin does not have ubiquitous authority in all the environments.