Error getting the management groups. Access is denied
Issue
When scanning an Azure tenant, the agent fails to scan management groups and the following error or warning is seen:
Error getting the management groups. Access is denied.
Further diagnostic information may be seen:
The client 'name' with object id 'identifier' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid. If access was recently granted, please refresh your credentials.
Cause
By default, even members of the Global Reader role do not have access to all management groups in the directory.
More Information
This behaviour is by design in Microsoft Azure.
Resolution
For more information about granting permissions to management groups, see the following article:
https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin
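The following helper is an added example, not taken from the original article or from the scanning product. It pulls the principal, action and scope out of the diagnostic message and wraps the Azure CLI calls that check for and grant read-only access at the root management group. It assumes the Azure CLI is logged in as an account that can assign roles at that scope (the linked article covers obtaining this), that the built-in "Management Group Reader" role is enough for the agent, and that the scanning identity is a service principal unless stated otherwise; the function names and the sample message are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage the "Access is denied" error and apply a read-only fix.
# Assumption: the scanning identity only needs to read the management group tree.

# Constructed sample of the diagnostic line, using the article's placeholders.
SAMPLE="The client 'name' with object id 'identifier' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid."

# Print "object_id|action|scope" from an authorization-failure message.
# Prints nothing when the text is not in that format.
parse_denied() {
  printf '%s\n' "$1" | sed -n \
    "s/.*object id '\([^']*\)'.*perform action '\([^']*\)' over scope '\([^']*\)'.*/\1|\2|\3/p"
}

# Scope of the tenant root management group; its ID is the tenant ID by default.
root_mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$1"
}

# List the roles the principal already holds at the root management group.
# usage: show_assignments <object-id> <tenant-id>
show_assignments() {
  az role assignment list --assignee "$1" --scope "$(root_mg_scope "$2")" \
    --query "[].roleDefinitionName" -o tsv
}

# Grant read-only visibility of the hierarchy; child groups inherit the assignment.
# usage: grant_mg_reader <object-id> <tenant-id> [User|Group|ServicePrincipal]
grant_mg_reader() {
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type "${3:-ServicePrincipal}" \
    --role "Management Group Reader" --scope "$(root_mg_scope "$2")"
}
```

Source the file, run `show_assignments` first to confirm the role is missing, then `grant_mg_reader`; as the error text notes, the agent must refresh its credentials before rescanning.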