Azure-docs: Permissions to add a subscription to a management group?

Created on 26 Apr 2018 · 7 Comments · Source: MicrosoftDocs/azure-docs

Hi -- what permission is required to be able to add a subscription to a Management Group and assign policy? A table like the one here for Azure Security Center would be very useful: https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions. Thank you!


assigned-to-author azure-resource-managesvc doc-enhancement triaged

All 7 comments

@gartdan Thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review.

@gartdan - Thanks for the idea, and I will look into incorporating this into the doc on my next update.

Management Group requires you to have Global Administrator group in Azure AD directory to create and manage.

And if you would like to grant role definition to Management Group, you need Management Group Contributor role.

Hi @thuansoldier - You do not have to be a global administrator in the directory to create and manage management groups. The directory admin is the only user that can elevate themselves to gain access to the Root management group, which is not required. Users can start creating and managing different management groups and subscriptions, never gaining access to the Root management group. The "Management Group Contributor" is a new role that has been created to scope users' actions to the level of the management groups. This way a user can have access to manage the management group but not have edit rights on the resources through the inheritance.

A table about RBAC has been added to this article.

please-close

@gartdan We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

I'm having issues assigning a policy from Terraform to a management group. I keep getting Code="AuthorizationFailed" Message="The client '' with object id '' does not have authorization to perform action 'Microsoft.Authorization/policyAssignments/write' over scope '/providers/Microsoft.Management/ManagementGroups/

I have assigned Owner, Management Group Contributor and Global administrator and I still have the same error.

Any ideas?
