Issue

When scanning an Azure tenant, the agent fails to scan management groups and the following error or warning is seen:


Error getting the management groups. Access is denied. 


Further diagnostic information may also be seen:


The client 'name' with object id 'identifier' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid. If access was recently granted, please refresh your credentials.



Cause

By default, even members of the Global Reader role do not have access to all management groups in the directory.



More Information

This behaviour is by design in Microsoft Azure.



Resolution

For more information about granting permissions to management groups, see the following article:

https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin
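One way to check for and grant the missing read permission with Azure PowerShell, added here as an example that is not part of the original article. It assumes the agent's identity object id (the 'identifier' from the error text) is passed as $AgentObjectId, that the caller has already elevated access to the root management group as described in the linked article, and that the Az module is installed.

```powershell
# Added example, not from the original article. Assumptions: $AgentObjectId is
# the object id reported as 'identifier' in the error text, the caller already
# has User Access Administrator at the root management group (per the linked
# elevate-access article), and the Az PowerShell module is installed.
param(
    [Parameter(Mandatory = $true)]
    [string] $AgentObjectId
)

$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null

# The root management group id is the tenant id. The failing action,
# Microsoft.Management/managementGroups/read, is granted at this scope by the
# built-in Management Group Reader role, which carries no write permissions.
$tenantId   = (Get-AzContext).Tenant.Id
$rootScope  = "/providers/Microsoft.Management/managementGroups/$tenantId"
$readAction = 'Microsoft.Management/managementGroups/read'
$readRole   = 'Management Group Reader'

# Assignments the agent already holds at root (root has no parent to inherit from).
$current = @(Get-AzRoleAssignment -ObjectId $AgentObjectId -Scope $rootScope)

# Does any current role grant the read action? Wildcard entries such as '*' or
# '*/read' are matched with -like; NotActions are not evaluated here.
$alreadyCanRead = $false
foreach ($ra in $current) {
    $def = Get-AzRoleDefinition -Name $ra.RoleDefinitionName
    foreach ($action in $def.Actions) {
        if ($readAction -like $action) { $alreadyCanRead = $true }
    }
}

if ($alreadyCanRead) {
    # Matches the hint in the error text: access exists, the token may be stale.
    Write-Output "Agent $AgentObjectId can already read management groups at root; refresh its credentials."
} else {
    New-AzRoleAssignment -ObjectId $AgentObjectId -RoleDefinitionName $readRole -Scope $rootScope | Out-Null
    Write-Output "Assigned '$readRole' to $AgentObjectId at $rootScope."
}

# Verify: the hierarchy the agent should now be able to enumerate, and the
# assignment as recorded. Role changes can take a few minutes to propagate.
Get-AzManagementGroup | Select-Object Name, DisplayName
Get-AzRoleAssignment -ObjectId $AgentObjectId -Scope $rootScope |
    Select-Object RoleDefinitionName, Scope
```

Assigning the read-only role at the root management group scope is narrower than leaving the agent with elevated or tenant-wide write rights, and the final listing confirms the assignment before the scan is retried.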