How to Elevate Global Admin Access in Microsoft Entra ID to Manage All Azure Subscriptions


In Microsoft Entra ID, being a Global Administrator does not automatically grant you access to the Azure subscriptions or management groups in the tenant. Azure resources are secured independently of Microsoft Entra ID, so Entra roles and Azure roles are separate.

However, there are scenarios where a Global Administrator might need elevated access to Azure resources, such as:

  • Regaining access to a subscription or management group
  • Granting access to yourself or another user for specific business requirements
  • Viewing all Azure subscriptions or management groups in the tenant

Entra ID Elevated Access
Microsoft offers a simple yet powerful capability: elevating access assigns you the "User Access Administrator" role at the root scope ("/"), granting visibility and management rights across all subscriptions and management groups in your Azure tenant.

Why Elevation is Required

Microsoft Entra ID and Azure Resource Manager (ARM) have separate authorization models:

  • Entra roles (like Global Admin) do not grant Azure RBAC permissions.
  • Azure RBAC roles (like Owner or Contributor) do not impact Entra ID settings.

To bridge this gap for exceptional access requirements, Global Admins can elevate their access temporarily.

Step-by-Step: Elevate Global Administrator Access

Step 1: Enable Access Management for Azure Resources

Sign in to the Azure portal using a Global Administrator account.
If you use Microsoft Entra Privileged Identity Management (PIM), activate your Global Admin role first.
Navigate to: Microsoft Entra ID > Overview > Properties (the same navigation applies in both the Azure and Entra ID portals).

(Screenshot: Azure subscription Access control (IAM) before elevation, showing no access for the account John)

Locate "Access management for Azure resources" and toggle the switch to "Yes".
Click Save.

(Screenshot: Access management for Azure resources toggle set to Yes)

Note: This action assigns you the User Access Administrator role at the root ("/") scope in Azure RBAC, allowing you to manage access across all subscriptions and management groups.
Sign out and sign back in to refresh your access.

Once complete, you'll have full visibility and access permissions via Azure's Access Control (IAM) blade.

(Screenshot: Access control (IAM) showing the User Access Administrator role assigned)

With the User Access Administrator role assigned, you won't be able to create resources in the subscription directly. However, you can assign yourself or other users to roles such as Owner, Contributor, or any other Azure roles within that subscription or any other subscription in the same Azure tenant.

Since this role is assigned at the root scope in Azure RBAC, the permission elevation applies across all Azure subscriptions within the tenant.

Step 2: Revert Elevated Access (Recommended)

To maintain least privilege principles, remove elevated access when no longer needed.

Sign in as the same user who elevated the access. Go to: Microsoft Entra ID > Overview > Properties

Toggle "Access management for Azure resources" back to "No".

(Screenshot: Access management for Azure resources toggle set to No)

Click Save.
Note: If you're using PIM, deactivating your Global Admin role does not reset the toggle. Always revert the toggle manually to remove elevated Azure RBAC access.

After setting the "Access management for Azure resources" toggle back to "No", the User Access Administrator role assignment will be removed from all subscriptions.

When you check your access afterward, you'll observe the behavior shown in the screenshot below.

(Screenshot: Check access on the Azure subscription after reverting)

View or Remove Users with Elevated Access

Option 1: From Entra ID Properties

Sign in as Global Administrator.

Navigate to: Microsoft Entra ID > Properties

If users have elevated access, a banner appears:

"You have X users with elevated access..."

(Screenshot: Manage elevated access users)

Click "Manage elevated access users" to view or remove elevated users.

(Screenshot: Removing elevated access)

Important: To remove these role assignments, you must also have elevated access.

Option 2: From Azure Subscriptions

Navigate to any subscription and open: Access control (IAM)

Look for the banner "X users have elevated access..." and click "View role assignments" to take action.

(Screenshot: Remove elevated access from an Azure subscription)

Important: To remove these role assignments, you must also have elevated access.

Option 3: Using PowerShell

After elevating access, you can use PowerShell to manage User Access Administrator role assignments at the root scope (/).

To list the role assignment for a specific user (Az PowerShell module, signed in as the account that performed the elevation):

# Sign in with the elevated account
Connect-AzAccount

# Show the User Access Administrator assignment for one user at the root scope
Get-AzRoleAssignment | Where-Object {
    $_.RoleDefinitionName -eq "User Access Administrator" -and
    $_.SignInName -eq "<username@example.com>" -and
    $_.Scope -eq "/"
}

To remove the User Access Administrator role assignment at root scope:

Sign in as a user who has permission to remove elevated access. This could be the same user who performed the elevation or another Global Administrator with elevated access at root scope.

Run the following command:

# Remove the root-scope assignment; keep the sign-in name quoted so the shell does not parse the angle brackets
Remove-AzRoleAssignment -SignInName "<username@example.com>" -RoleDefinitionName "User Access Administrator" -Scope "/"


Note: The same operation can also be performed using Azure CLI or REST API commands.
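The one-user query above generalises to an inventory of every principal holding elevated access. The following is an added example and not code from the original post; it assumes the Az.Resources module and a session that itself has elevated access, and the function name and switches are the author's own choices.

```powershell
# Added example, not from the original post: report every principal that currently holds
# User Access Administrator at the root scope, which is the assignment the
# "Access management for Azure resources" toggle creates. Assumes the Az.Resources module
# and a session that itself has elevated access (run Connect-AzAccount first).
function Get-ElevatedAccessReport {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # -Remove revokes every root-scope assignment found; honours -WhatIf and -Confirm.
        [switch]$Remove,
        # -KeepSelf exempts the signed-in account so the script cannot lock itself out.
        [switch]$KeepSelf
    )

    $me = (Get-AzContext).Account.Id

    # Query the root scope only; the scope check is a guard against inherited results.
    $elevated = Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator' |
        Where-Object { $_.Scope -eq '/' }

    foreach ($ra in $elevated) {
        $isSelf    = ($ra.SignInName -eq $me)
        $principal = $ra.SignInName
        if (-not $principal) { $principal = $ra.DisplayName }   # groups and service principals

        [pscustomobject]@{
            Principal  = $principal
            ObjectType = $ra.ObjectType      # User, Group or ServicePrincipal
            ObjectId   = $ra.ObjectId
            IsSelf     = $isSelf
        }

        if ($Remove -and -not ($KeepSelf -and $isSelf)) {
            # ObjectId works for every principal type; SignInName is empty for non-users.
            $target = "$principal ($($ra.ObjectId))"
            if ($PSCmdlet.ShouldProcess($target, 'Remove root-scope User Access Administrator')) {
                Remove-AzRoleAssignment -ObjectId $ra.ObjectId `
                    -RoleDefinitionName 'User Access Administrator' -Scope '/'
            }
        }
    }
}

# Review first, then dry-run the cleanup before running it for real.
Get-ElevatedAccessReport | Format-Table -AutoSize
Get-ElevatedAccessReport -Remove -KeepSelf -WhatIf
```

Run the dry run without -KeepSelf only if another elevated administrator is available to restore access, since removing your own assignment is the same as flipping the toggle back to "No".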

Audit Elevated Access Activities

Every elevation or removal of access is logged in both:

  • Microsoft Entra ID Audit Logs
  • Azure Activity Logs

To monitor:

Go to: Microsoft Entra ID > Monitoring > Audit Logs and set the Service filter to:

Azure RBAC (Elevated Access)

(Screenshot: Audit log entries for Azure RBAC elevate access role management)

Review the logs or download them in JSON or CSV format. You can also integrate Entra ID logs with SIEM tools such as Microsoft Sentinel for advanced monitoring scenarios.

To access logs from Azure Activity Logs:
Go to the Azure portal, navigate to Azure Monitor and select Directory Activity.
Look for Role Assignment operations to review changes related to access control.

(Screenshot: Azure Monitor Directory Activity logs)
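A downloaded audit log can be checked offline for elevations that were never reverted, which is the failure mode the toggle makes easy to forget. The following is an added example and not code from the original post; the sample log is constructed, the field names follow the Microsoft Graph directoryAudit schema, and the activityDisplayName strings are illustrative assumptions, so the filter keys on loggedByService, the same value the portal uses for its Service filter.

```powershell
# Added example, not from the original post: pair elevation and removal events from an
# exported Entra audit log to find elevated access that was never reverted. The sample log
# is constructed; field names follow the Microsoft Graph directoryAudit schema and the
# activityDisplayName strings are illustrative, so the filter keys on loggedByService.
$sampleAuditJson = @'
[
 {"activityDateTime":"2024-05-01T08:12:03Z","loggedByService":"Azure RBAC (Elevated Access)","activityDisplayName":"User elevates access","result":"success","initiatedBy":{"user":{"userPrincipalName":"john@example.com"}}},
 {"activityDateTime":"2024-05-01T08:15:40Z","loggedByService":"Core Directory","activityDisplayName":"Update user","result":"success","initiatedBy":{"user":{"userPrincipalName":"john@example.com"}}},
 {"activityDateTime":"2024-05-02T22:45:09Z","loggedByService":"Azure RBAC (Elevated Access)","activityDisplayName":"User elevates access","result":"success","initiatedBy":{"user":{"userPrincipalName":"contractor@example.com"}}},
 {"activityDateTime":"2024-05-03T17:02:11Z","loggedByService":"Azure RBAC (Elevated Access)","activityDisplayName":"User removes elevated access","result":"success","initiatedBy":{"user":{"userPrincipalName":"john@example.com"}}}
]
'@

function Get-ElevationStatus {
    param(
        [Parameter(Mandatory)] [string]$AuditJson,
        # Elevations older than this that are still open are flagged as overdue.
        [timespan]$MaxDuration = (New-TimeSpan -Hours 24),
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow
    )
    # Parentheses force enumeration of the array on Windows PowerShell 5.1 as well as PowerShell 7.
    $events = ($AuditJson | ConvertFrom-Json) |
        Where-Object { $_.loggedByService -eq 'Azure RBAC (Elevated Access)' -and $_.result -eq 'success' } |
        Sort-Object { [datetimeoffset]$_.activityDateTime }

    $open = @{}   # user -> time of the elevation not yet matched by a removal
    foreach ($e in $events) {
        $upn  = $e.initiatedBy.user.userPrincipalName
        $when = [datetimeoffset]$e.activityDateTime
        if ($e.activityDisplayName -match 'remove') {
            $start = $open[$upn]
            $open.Remove($upn)
            [pscustomobject]@{ User = $upn; Elevated = $start; Removed = $when; Status = 'Reverted' }
        } else {
            $open[$upn] = $when
        }
    }
    foreach ($upn in $open.Keys) {
        $status = if (($Now - $open[$upn]) -gt $MaxDuration) { 'OVERDUE' } else { 'Open' }
        [pscustomobject]@{ User = $upn; Elevated = $open[$upn]; Removed = $null; Status = $status }
    }
}

# With a fixed reference time the constructed log yields john: Reverted, contractor: OVERDUE.
Get-ElevationStatus -AuditJson $sampleAuditJson -Now ([datetimeoffset]'2024-05-04T00:00:00Z') | Format-Table
```

The same pairing logic maps directly onto a scheduled Sentinel analytics rule over the AuditLogs table once the logs are streamed there.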

Key Recommendations

  • Use elevated access only when necessary and remove it promptly after tasks are completed.
  • Monitor audit logs regularly to track elevated access activities.
  • Train administrators on best practices for role elevation and Azure RBAC boundaries, and alert them when elevation occurs.

✍️ Final Thoughts

The ability to elevate access gives Global Administrators a safety net for recovering or managing Azure access, but it must be used carefully and temporarily. With proper governance and visibility, organizations can maintain security while ensuring administrative efficiency.

Remember: With great power comes great responsibility. Elevate wisely!
