First off, I’m relatively new to Azure but have been a network admin (lots of Windows) for over 20 years and I think I have a reasonably firm grasp on general systems architecture. That said, I think I’m missing something simple and am tired of banging my head against it.

  • I’m trying to share a test Subscription (default “Pay-as-you-go”) with other staff who need administrator privileges for those resources.
  • I’ve created a security group (“DevOps”, not Azure DevOps, just a label), and added the staff accounts to it from Azure AD as Owners.
  • The Subscription belongs to the appropriate Org directory (same directory context as users and portal).
  • I used IAM to add the DevOps security group to the Subscription, and when I then browse child resources within the Subscription, all show they are inheriting proper IAM permissions (DevOps security group) from the Pay-as-you-go Subscription, as expected.

Yet none of the users from the DevOps security group are able to see the Subscription or any of its resources, which are currently just a VM and Key Vault for testing. Users are logging into the portal with the correct org credentials, and are showing as being connected/viewing the proper org directory.

Please let me know what I’m missing!
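For anyone debugging the same setup, the following Az PowerShell script is an added check, not part of the original post: it verifies the three things the post relies on (the session is in the directory that owns the subscription, the staff account is actually a member of the DevOps group rather than only an owner of it, and an Owner assignment for the group exists at subscription scope) and then prints the user's effective role assignments with group membership expanded. It assumes the Az module is installed, that `Connect-AzAccount` has already been run as an account that can read role assignments, and the user principal name `user@contoso.example` is a placeholder you replace with one affected staff member.

```powershell
# Added troubleshooting check for the scenario in the post; not from the original poster.
# Assumes the Az module is loaded and Connect-AzAccount has been run as an account that
# can read role assignments (e.g. the existing subscription owner).
$subscriptionName = 'Pay-as-you-go'          # subscription name as given in the post
$groupName        = 'DevOps'                 # security group as given in the post
$testUser         = 'user@contoso.example'   # PLACEHOLDER: UPN of one affected staff member

# 1. Confirm the signed-in session is in the directory (tenant) that owns the subscription.
$ctx = Get-AzContext
Write-Host "Signed-in tenant: $($ctx.Tenant.Id)  account: $($ctx.Account.Id)"

$sub = Get-AzSubscription -SubscriptionName $subscriptionName
if (-not $sub) { throw "Subscription '$subscriptionName' is not visible from this tenant" }
Write-Host "Subscription $($sub.Id) belongs to tenant $($sub.TenantId)"
if ($sub.TenantId -ne $ctx.Tenant.Id) {
    Write-Warning 'Subscription tenant differs from the signed-in tenant'
}
$scope = "/subscriptions/$($sub.Id)"

# 2. Resolve the group and list its members. Only members inherit the group's role
#    assignments; being an *owner* of the group grants nothing on the subscription.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found in this directory" }
$members = Get-AzADGroupMember -GroupObjectId $group.Id
Write-Host "Group $groupName ($($group.Id)) has $($members.Count) member(s):"
$members | Select-Object DisplayName, Id | Format-Table

$user = Get-AzADUser -UserPrincipalName $testUser
if (-not $user) { throw "User '$testUser' not found in this directory" }
$isMember = $members.Id -contains $user.Id
Write-Host "Is $testUser a member of $groupName? $isMember"

# 3. Show the role assignments that exist at subscription scope for the group itself.
Write-Host "Role assignments for group $groupName at $scope :"
Get-AzRoleAssignment -Scope $scope -ObjectId $group.Id |
    Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table

# 4. Show the user's effective assignments, expanding group membership. This is what
#    the portal evaluates when deciding whether the subscription is visible at all.
$effective = Get-AzRoleAssignment -SignInName $testUser -ExpandPrincipalGroups
$effective | Select-Object RoleDefinitionName, Scope, DisplayName | Format-Table

# Flag whether any effective assignment applies to this subscription directly or at root.
# (Assignments inherited from a management group also apply but are not matched here.)
$hits = $effective | Where-Object { $_.Scope -eq $scope -or $_.Scope -eq '/' }
if ($hits) {
    Write-Host "$testUser has $(@($hits).Count) effective assignment(s) covering $scope"
} else {
    Write-Warning "No effective role assignment for $testUser at $scope or root scope"
}
```

Run it from the account that set up the assignment; if step 2 shows the staff account is not a member, or step 4 shows no effective assignment at the subscription scope, that is the gap to close before looking anywhere else. If step 1 reports a tenant mismatch, the subscription and the users live in different directories despite what the portal header suggests.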

