You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
Create a new management group and delegate User1 as the owner of the new management group.
The following chart shows the list of roles and the supported actions on management groups.
Note: Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group. Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.