Global Admin Guest from External Active Directory Can Not Create Azure Resources RRS feed

  • Question

  • Hi,

    What must I ask my client to do in his to allow me to create resources on his behalf. I am already global admin.

    I've spent a lot of time with tier one support trying to solve this problem. In order to escalate the situation I was asked to post here.

    I am asked to create a trial subscription when in my clients Azure directory. He has hired me to create resources. Why can't I. I am in his AD as a Global Admin roll, user type 'Guest' and source = 'External Active Directory'.

    My user is associated with BOTH a personal and business MS Live account. I've already asked the client to remove me and resend the invitation. I wanted to be sure I accepted with the business account. This proved successful as follows: When I loginto my business Azure portal, I now see the client directory. This was NOT the case before.

    Thank you


    Friday, January 10, 2020 7:12 PM

All replies

  • Hello John,

    To create resources within a subscription, you need to be an Account Admin, Owner or a contributor at the subscription scope. However, Global admin is a privileged admin at the directory level not at the subscription scope.

    An account admin is by default an owner of the subscription and is a global admin of the directory. 

    In your case, you've been invited to a different directory as a guest user who can perform tasks only at the directory scope but doesn't have access to the subscription. You may want to ask your admin to grant you access to the subscription to create resources and also have permissions to manage directory.

    For your reference:

    What is Azure Active Directory:


    The relationship between Azure AD and subscriptions:

    If this answer was helpful, click “Mark as Answer” and Up-Vote. Feel free to reach out to us if you've any further questions in this matter. 


    Thursday, January 30, 2020 11:48 AM
  • Azure AD permissions/roles and Azure subscription permission/roles are separate. 

    As Sadiqh has pointed out, you would need to grant the guest account representing the Global Admin in a different Azure AD tenant permissions to your subscription via RBAC


    Thursday, January 30, 2020 2:12 PM