Permissions inherited to subscriptions, resource groups, etc, from Management Group (MG) assignments do not appear in Azure Access Control reports. In any of the access reports, only permissions inherited from root, or assigned at the subscription level on down appear. Permissions assigned at the Management Group level are invisible. Also there are no Access Control reports specifically mentioning Management Groups.
解决办法
Enhancement Request # 320215 - Add collection of Management Group Permissions has been created to include this in a future release of Enterprise Reporter.