Assigning Policy to Azure Tenant Root Management Group | Exam AZ-104

Allowing User1 to Assign Policy to Azure Tenant Root Management Group

Question

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.

You need to ensure that User1 can assign a policy to the tenant root management group.

What should you do?

Answers

Explanations


A. B. C. D.

B

The following chart shows the list of roles and the supported actions on management groups.

Note:

Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

Answer D, "Create a new management group and delegate User1 as the owner of the new management group", does not satisfy the requirement, and the reasoning that follows corrects this.

Explanation: Azure management groups provide a hierarchy above subscriptions for managing access, policies, and compliance across many subscriptions at once. The tenant root management group is the top of that hierarchy; its ID is the tenant ID, and every other management group and subscription in the directory rolls up to it.

To assign a policy at the root management group, User1 needs an Azure RBAC role assignment at that exact scope that includes the Microsoft.Authorization/policyAssignments/write action, for example Owner or the more narrowly scoped Resource Policy Contributor. Nobody holds any Azure RBAC role at the root management group by default, not even a Global administrator. The only way to create the first role assignment there is the step described in the note above: a Global administrator elevates their access (the "Access management for Azure resources" setting in Azure AD, or the elevateAccess REST operation), which grants them User Access Administrator at the root scope "/". Once elevated, they can assign Owner, Resource Policy Contributor, or any other role at the root management group to User1, or to themselves. The Owner role at the root management group is therefore directly assignable; it simply cannot be assigned until someone has elevated access.

Options A and B are incorrect because the Owner role on an Azure subscription grants nothing above that subscription. Role assignments are inherited downward through the hierarchy, never upward, so a subscription Owner has no permissions at the root management group.

Option C, the Global administrator role, carries no Azure RBAC permissions by itself, but it is the only role that can elevate access to User Access Administrator at the root scope and then create role assignments at the root management group. Combined with that elevation step, it is the route the cited Microsoft documentation describes for obtaining permissions at the root management group.

Option D gives User1 rights only at the new child management group and its descendants. Policies assigned there apply to that management group and everything beneath it; nothing assigned at a child scope ever applies to the root management group. A practical caveat for whichever administrator performs the elevation: the User Access Administrator assignment at "/" is tenant-wide, so remove it as soon as the delegation at the root management group is done.
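The elevate-then-delegate sequence from the note above, written out as an added Azure PowerShell example (this is not code from the original page or from Microsoft's documentation). It assumes the Az.Accounts and Az.Resources modules, a live tenant, a Global administrator session for part 1, and a User1 sign-in for part 2; the UPN user1@contoso.com and the policy assignment name are assumptions. If User1 is themselves the Global administrator (the option C scenario), User1 runs both parts and delegates to their own account.

```powershell
# Added example, not from the original page. Requires Az.Accounts and Az.Resources
# and a live Azure AD tenant; user1@contoso.com is an assumed UPN.
#Requires -Modules Az.Accounts, Az.Resources

# ---- Part 1: run as the Global administrator ----
Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id
# The tenant root management group's ID is the tenant ID.
$rootMg   = "/providers/Microsoft.Management/managementGroups/$tenantId"
$user1    = 'user1@contoso.com'           # assumption: User1's sign-in name
$adminUpn = (Get-AzContext).Account.Id    # the account doing the elevation

# Step 1: elevate access. Same operation as the "Access management for Azure
# resources" toggle in Azure AD. It grants the caller User Access Administrator
# at the root scope "/", above every management group; nobody has Azure RBAC
# rights there by default, Global administrators included.
$resp = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($resp.StatusCode -ne 200) {
    throw "Elevate access failed with HTTP $($resp.StatusCode): $($resp.Content)"
}

# Step 2: delegate at the root management group itself. Resource Policy
# Contributor is the least-privileged built-in role that can create policy
# assignments; Owner would also work but grants far more than needed.
New-AzRoleAssignment -SignInName $user1 `
    -RoleDefinitionName 'Resource Policy Contributor' `
    -Scope $rootMg | Out-Null

# Check: the assignment must sit at the root management group, not on a child
# management group or a subscription, because RBAC is inherited downward only.
$check = Get-AzRoleAssignment -SignInName $user1 -Scope $rootMg |
    Where-Object { $_.Scope -eq $rootMg -and
                   $_.RoleDefinitionName -eq 'Resource Policy Contributor' }
if (-not $check) { throw "No Resource Policy Contributor assignment found at $rootMg" }
$check | Format-Table RoleDefinitionName, Scope

# Step 3: the elevated User Access Administrator assignment at "/" is
# tenant-wide; remove it as soon as the delegation is in place.
Remove-AzRoleAssignment -SignInName $adminUpn `
    -RoleDefinitionName 'User Access Administrator' -Scope '/'

# ---- Part 2: run as User1 (a separate sign-in, so recompute the scope) ----
Connect-AzAccount -Tenant $tenantId | Out-Null
$rootMg = "/providers/Microsoft.Management/managementGroups/$((Get-AzContext).Tenant.Id)"

# Built-in definition "Audit VMs that do not use managed disks"; the
# definition is incidental, the point is that the scope is the root
# management group, so the policy applies to every subscription in the tenant.
$def = Get-AzPolicyDefinition -Name '06a78e20-9358-41c9-923c-fb736d382a4d'
New-AzPolicyAssignment -Name 'audit-managed-disks-root' `
    -DisplayName 'Audit VMs without managed disks (tenant-wide)' `
    -PolicyDefinition $def -Scope $rootMg
```

Part 2 is the operation the question asks User1 to be able to perform; it fails with an authorization error if the role assignment in part 1 was made at a subscription or at a newly created child management group instead of at the root management group.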