Manage an Azure subscription by creating a custom role that carries the required permission and assigning that role to a user. The role must be permitted to call the APIs that suspend and reactivate an Azure account.
Before you begin
Role required: Azure admin
Procedure
- Sign in to the Azure organization.
- Search for and select Management groups.
- Select Tenant Root Group.
- Select .
- Select Add and then select Add custom role.
- In the Custom role name box, specify a name for the custom role.
  The name must be unique for the Microsoft Entra directory.
- Select Next.
- On the Permissions tab, select Next.
- On the Assignable scopes tab, specify where your custom role is available for assignment, such as a management group, subscriptions, or resource groups.
- Select Add assignable scopes to open the Add assignable scopes pane.
- On the JSON tab, paste the following code:

  {
    "properties": {
      "roleName": "Policy Lock/Unlock Manager",
      "description": "Allows locking and unlocking Azure Policy assignments at management group level",
      "assignableScopes": [
        "/providers/Microsoft.Management/managementGroups/<ManagementGroupId>"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.Authorization/policyAssignments/write",
            "Microsoft.Authorization/policyAssignments/delete",
            "Microsoft.Authorization/policyAssignments/read"
          ],
          "notActions": [],
          "dataActions": [],
          "notDataActions": []
        }
      ]
    }
  }

- Select Next and then select Create.
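The check below is an added example, not ServiceNow's or Microsoft's code: it builds the role definition from the procedure for a given management group ID (the ID and the finding strings are constructed here) and verifies the result keeps the least-privilege shape the procedure intends, namely only the three policyAssignments actions, no wildcards, no data-plane rights, and a management-group scope with the <ManagementGroupId> placeholder actually replaced.

```python
import re

# Management group scope as used in the procedure's assignableScopes entry.
MG_SCOPE_RE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[A-Za-z0-9._()-]+$")

# The only control-plane actions the Policy Lock/Unlock Manager role needs.
EXPECTED_ACTIONS = {
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyAssignments/read",
}


def build_role_definition(management_group_id: str) -> dict:
    """Return the procedure's role JSON with the scope placeholder filled in."""
    return {
        "properties": {
            "roleName": "Policy Lock/Unlock Manager",
            "description": "Allows locking and unlocking Azure Policy assignments "
                           "at management group level",
            "assignableScopes": [
                f"/providers/Microsoft.Management/managementGroups/{management_group_id}"
            ],
            "permissions": [{
                "actions": sorted(EXPECTED_ACTIONS),
                "notActions": [], "dataActions": [], "notDataActions": [],
            }],
        }
    }


def check_role_definition(definition: dict) -> list:
    """Return findings; an empty list means the role matches the intended shape."""
    findings = []
    props = definition.get("properties", {})
    for scope in props.get("assignableScopes", []):
        if "<" in scope or ">" in scope:  # pasted JSON still has the placeholder
            findings.append(f"placeholder not replaced in scope: {scope}")
        elif not MG_SCOPE_RE.match(scope):
            findings.append(f"scope is not a management group: {scope}")
    for perm in props.get("permissions", []):
        actions = set(perm.get("actions", []))
        if any("*" in a for a in actions):  # wildcards grant far more than intended
            findings.append("wildcard action grants more than policy assignment rights")
        if actions - EXPECTED_ACTIONS:
            findings.append(f"unexpected actions: {sorted(actions - EXPECTED_ACTIONS)}")
        if perm.get("dataActions") or perm.get("notDataActions"):
            findings.append("data-plane permissions are not needed for this role")
    return findings
```

Run the check against the JSON you are about to paste; the role is only ready to create when it returns no findings.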
What to do next
Assign the custom role to a user. For more information, see https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal.
Configure a lock/unlock policy. For more information, see Set up suspension of a subscription using Azure policy.