Remove root permission

  • Question

  • We want to remove a user from the IAM at the subscription level but his scope is 'root' inherited so it can't be removed.

    What is the root? We only have 1 subscription and the user role is 'user access administrator'.

    Friday, May 18, 2018 9:54 AM

All replies

  • Access that you grant at parent scopes is inherited at child scopes.

    For example:
    You assign the Reader role to an Azure AD group at the subscription scope. The members of that group can view every resource group and resource in the subscription.

    In this case, has the user in question been granted the "User Access Administrator" from a group?

    However, you can try this PowerShell script to remove the role assignment from the user:

    Remove-AzureRmRoleAssignment -SignInName <username@example.com> `
      -RoleDefinitionName "User Access Administrator" -Scope "/"


    Friday, May 18, 2018 6:37 PM
  • @ashks2012, checking in to see if the previous response helped answer your question. Let us know if you need further assistance in this matter.

    Thursday, May 24, 2018 10:28 AM
  • I have the same problem. I am the account owner, although I didn't originally set it up. (I did a transfer of the account.)

    I received an error in PowerShell that I didn't have the authorization to perform that command.

    Thanks,

    Rich

    Wednesday, May 30, 2018 3:54 AM
  • @Rich, the error you're getting could be due to permissions, or it could be a PowerShell issue as described here: https://github.com/Azure/azure-powershell/issues/3407

    Wednesday, May 30, 2018 5:53 AM
  • Thank you! As I kept digging, I found the solution to the original problem.

    It has to do with a Global Admin Elevating their Rights.

    I think this will solve the problem for @ashks2012.

    https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

    I did this, and the user disappeared from the Subscription RBAC Listings.

    Rich

    My apologies, but this is my first post, and I'm not verified so I couldn't post the link or properly @ashks2012.
    Wednesday, May 30, 2018 6:02 AM
  • @Rich, thanks for sharing the solution on this forum. Just wanted to confirm if my post was helpful in resolving your issue. If yes, click “Mark as Answer” or Up-Vote.
    Wednesday, May 30, 2018 10:21 AM
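
The scope inheritance described in the first reply, as an added example that is not part of the original thread: it shows which role assignments apply at a subscription and marks the ones inherited from the root scope "/", which are the entries that cannot be removed at the subscription level. The function name `Get-EffectiveAssignment`, the sample accounts and the subscription ID are assumptions made for illustration; the property names follow the objects returned by `Get-AzureRmRoleAssignment`.

```powershell
# Added example: explain why an assignment shows as "inherited" at a subscription.
# Get-EffectiveAssignment is a hypothetical helper, not an AzureRM cmdlet.
function Get-EffectiveAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [Parameter(Mandatory)] [string]   $TargetScope
    )
    $target = $TargetScope.TrimEnd('/')
    foreach ($a in $Assignment) {
        $scope = $a.Scope.TrimEnd('/')   # the root scope "/" becomes ""
        # An assignment applies when its scope equals the target or is a
        # path-segment prefix of it (a parent scope). Compare case-insensitively.
        $applies = ($scope -eq $target) -or
                   $target.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)
        if (-not $applies) { continue }  # child scopes and other subscriptions
        [pscustomobject]@{
            SignInName = $a.SignInName
            Role       = $a.RoleDefinitionName
            AssignedAt = $a.Scope
            Inherited  = ($scope -ne $target)
            RootScope  = ($a.Scope -eq '/')
        }
    }
}

# Constructed sample records (placeholder subscription ID and accounts).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$sample = @(
    [pscustomobject]@{ SignInName = 'admin@example.com'
                       RoleDefinitionName = 'User Access Administrator'
                       Scope = '/' }
    [pscustomobject]@{ SignInName = 'ops@example.com'
                       RoleDefinitionName = 'Reader'
                       Scope = $sub }
    [pscustomobject]@{ SignInName = 'dev@example.com'
                       RoleDefinitionName = 'Contributor'
                       Scope = "$sub/resourceGroups/rg1" }
)

# admin@example.com is listed with Inherited and RootScope both True;
# ops@example.com is a direct assignment; dev@example.com is not listed
# because a resource-group assignment does not apply to the whole subscription.
Get-EffectiveAssignment -Assignment $sample -TargetScope $sub | Format-Table -AutoSize

# Against live data (requires a signed-in AzureRM session):
#   Get-EffectiveAssignment -Assignment (Get-AzureRmRoleAssignment) -TargetScope $sub
```

Rows with `RootScope` set to `True` are the ones to remove at scope "/" with the `Remove-AzureRmRoleAssignment` command from the first reply.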