Error executing the command 'Get-AzManagementGroupDetails'
Issue
When scanning an Azure tenant, the agent fails to scan management groups and the following error or warning is seen:
"Error executing the command 'Get-AzManagementGroupDetails'. The client 'name' with object id 'identifier' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid. If access was recently granted, please refresh your credentials."
Cause
Global Administrators and Global Readers in Azure Active Directory (Azure AD) may not have access to all management groups in the directory.
More Information
This behaviour is by design in Microsoft Azure.
Resolution
For more information about granting permissions to management groups, see the following article:
https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin
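One way to check the cause from PowerShell, as an added example that is not part of the original article or the scanning product: it lists the management groups the signed-in account can see and the role assignments the scanning identity holds at the root management group. The object id placeholder, the `$GrantReader` switch and the choice of the built-in Reader role are assumptions.

```powershell
# Added example: placeholder values are assumptions, not taken from the product.
# Run in a session already signed in with Connect-AzAccount.
$ScannerObjectId = '<object-id-from-error-message>'   # placeholder
$GrantReader     = $false                             # set to $true to create the assignment

# The root management group's ID is the tenant ID.
$tenantId  = (Get-AzContext).Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# 1. Confirm what the signed-in account itself can see.
try {
    $groups = @(Get-AzManagementGroup -ErrorAction Stop)
    Write-Output "Signed-in account can list $($groups.Count) management group(s)."
}
catch {
    Write-Warning "Signed-in account cannot list management groups: $($_.Exception.Message)"
}

# 2. List role assignments effective for the scanning identity at the root group.
$assignments = @(Get-AzRoleAssignment -ObjectId $ScannerObjectId -Scope $rootScope -ErrorAction SilentlyContinue)

if ($assignments.Count -gt 0) {
    # Review the listed roles: one of them must allow managementGroups/read.
    $assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
}
else {
    Write-Warning "No role assignment found for $ScannerObjectId at $rootScope."
    if ($GrantReader) {
        # Reader contains */read, which covers Microsoft.Management/managementGroups/read.
        # The signed-in account must be allowed to assign roles at this scope
        # (see the linked article).
        New-AzRoleAssignment -ObjectId $ScannerObjectId -RoleDefinitionName 'Reader' -Scope $rootScope
    }
}
```

An assignment at the root management group is inherited by every management group and subscription beneath it, so a read-only role is the appropriate choice for a scanning identity.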