billing-add-change-azure-subscription-administrator.md (latest commit 76dafd4 · Nov 29, 2018)
title: Add or change Azure admin subscription roles | Microsoft Docs
description: Describes how to add or change Azure Co-Administrator, Service Administrator and Account Administrator
services:
documentationcenter:
author: genlin
manager: adpick
editor:
tags: billing
ms.assetid: 13a72d76-e043-4212-bcac-a35f4a27ee26
ms.service: billing
ms.workload: na
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: conceptual
ms.date: 10/19/2018
ms.author: cwatson

Add or change Azure subscription administrators

To manage access to Azure resources, you must have the appropriate administrator role. This article describes how to add or change the administrator role for a user at the subscription level.


What administrator role do I use?

Azure has several different roles. To manage access to resources, you can use the classic subscription administrator roles, such as Service administrator and Co-administrator, or a newer authorization system called role-based access control (RBAC). To ensure better control and to simplify access management, we recommend that you use RBAC for all access management needs. If possible, we recommend that you reconfigure existing access policies using RBAC. For more information, see What is role-based access control (RBAC) and Understand the different roles in Azure.

Add an RBAC Owner for a subscription in Azure portal

To add someone as an administrator for an Azure subscription, assign them the Owner role (an RBAC role) at the subscription scope. An Owner can manage the resources in the subscription where the role is assigned and has no access to other subscriptions.

  1. Visit Subscriptions in Azure portal.

  2. Select the subscription that you want to give access to.

  3. Select Access control (IAM) in the list.

  4. Select Add role assignment. (If the Add role assignment button is missing, you do not have permission to add role assignments.)

  5. In the Role box, select Owner.

  6. In the Assign access to box, select Azure AD user, group, or service principal.

  7. In the Select box, type the email address of the user you want to add as Owner. Select the user, and then select Save.

    Screenshot that shows the Owner role selected

This gives the user full access to all resources including the right to delegate access to others. To give access at a different scope, like a resource group, visit the Access control (IAM) blade for that scope.

Add or change Co-administrator

Only an Owner can be added as a Co-administrator. Other users with roles such as Contributor and Reader cannot be added as Co-administrators.

Tip

You only need to add the Owner as a Co-administrator if the user needs to manage Azure classic deployments. We recommend using RBAC for all other purposes.

  1. If you haven't already, add someone as an Owner following instructions from above.

  2. Right-click the Owner user you just added, and then select Add as co-administrator. If you do not see the Add as co-administrator option, refresh the page or try another Internet browser.

    Screenshot that adds co-administrator

    To remove the Co-administrator permission, right-click the Co-administrator user and then select Remove co-administrator.

    Screenshot that removes co-administrator
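
To review the outcome of the two procedures above, the following added example (not part of the original article or of any Microsoft tooling) lists who holds the Owner role exactly at subscription scope, who holds a classic administrator role, and which Co-administrators have no matching Owner assignment. It assumes the assignments were exported as JSON with `az role assignment list --all --include-classic-administrators -o json`; the subscription id, principals and assignments in `SAMPLE` are constructed.

```python
# Constructed sample, shaped like the exported JSON described in the lead-in.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
SUB_SCOPE = "/subscriptions/" + SUB
SAMPLE = [
    {"principalName": "alice@contoso.com", "roleDefinitionName": "Owner",
     "scope": SUB_SCOPE},
    {"principalName": "alice@contoso.com", "roleDefinitionName": "CoAdministrator",
     "scope": SUB_SCOPE},
    {"principalName": "bob@contoso.com", "roleDefinitionName": "CoAdministrator",
     "scope": SUB_SCOPE},
    {"principalName": "carol@contoso.com", "roleDefinitionName": "Owner",
     "scope": SUB_SCOPE + "/resourceGroups/rg-app"},
    {"principalName": "admin@contoso.com",
     "roleDefinitionName": "ServiceAdministrator;AccountAdministrator",
     "scope": SUB_SCOPE},
    {"principalName": "dave@contoso.com", "roleDefinitionName": "Reader",
     "scope": SUB_SCOPE},
]

ROLE_TO_KEY = {"Owner": "owners", "CoAdministrator": "co_admins",
               "ServiceAdministrator": "service_admins",
               "AccountAdministrator": "account_admins"}


def audit(assignments, subscription_id):
    """Summarise who holds subscription-wide administrative access."""
    sub_scope = ("/subscriptions/" + subscription_id).lower()
    report = {key: set() for key in ROLE_TO_KEY.values()}
    for a in assignments:
        # Only assignments made exactly at the subscription scope count here;
        # an Owner on a resource group is narrower and is left out.
        if a.get("scope", "").lower().rstrip("/") != sub_scope:
            continue
        who = a.get("principalName", "").lower()
        # Classic entries may carry several roles joined by ';'.
        for role in a.get("roleDefinitionName", "").split(";"):
            key = ROLE_TO_KEY.get(role.strip())
            if key:
                report[key].add(who)
    # The article says only an Owner can be added as Co-administrator, so a
    # Co-administrator with no Owner assignment is an inconsistency to review.
    report["co_admins_without_owner"] = report["co_admins"] - report["owners"]
    return {key: sorted(names) for key, names in report.items()}


if __name__ == "__main__":
    for finding, principals in audit(SAMPLE, SUB).items():
        print(f"{finding}: {', '.join(principals) or '-'}")
```

For a real review, load the exported file with `json.load` and pass the resulting list to `audit` together with the subscription id.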

Adding a guest user as a Co-administrator

Guest users that have been assigned the Co-administrator role might see some differences as compared to member users with the Co-administrator role. Consider the following scenario:

  • User A with an Azure AD Work or School account is a Service administrator for an Azure subscription.
  • User B has a Microsoft account.
  • User A assigns the Co-administrator role to user B.
  • User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.

You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot. If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the Directory Readers role to read other users and assign the Application Developer role to be able to create service principals. For more information about member and guest users and their permissions, see What are the default user permissions in Azure Active Directory?.

Note that the built-in roles for Azure resources are different than the Azure AD administrator roles. The built-in roles don't grant any access to Azure AD. For more information, see Understand the different roles.

Change the Service administrator for an Azure subscription

Only the Account administrator can change the Service administrator for a subscription. By default, when you sign up, the Service administrator is the same as the Account administrator. If the Service administrator is changed to a different user, then the Account administrator loses access to Azure portal. However, the Account administrator can always use Account Center to change the Service administrator back to themselves.

  1. Make sure your scenario is supported by checking the limits for changing Service administrators.

  2. Sign in to Account Center as the Account administrator.

  3. Select a subscription.

  4. On the right side, select Edit subscription details.

    Screenshot showing the Edit subscription button in Account Center

  5. In the SERVICE ADMINISTRATOR box, enter the email address of the new Service administrator.

    Screenshot showing the box to change the Service Admin email

Limitations for changing Service administrators

  • Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, go to Subscriptions, then select a subscription to see the directory.

  • If you are signed in with a Work or School account, you can add other accounts in your organization as Service administrator. For example, a user in the contoso.com directory can add another user in that directory as Service administrator, but can't add a user from a different organization unless that user has presence in the contoso.com directory. Users signed in with Work or School accounts can continue to add Microsoft Account users as Service administrator.

    | Sign-in Method | Add Microsoft Account user as a Service administrator? | Add Work or School account in the same organization as a Service administrator? | Add Work or School account in different organization as a Service administrator? |
    | --- | --- | --- | --- |
    | Microsoft Account | Yes | No | No |
    | Work or School Account | Yes | Yes | No |

Change the Account administrator for an Azure subscription

The Account administrator is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account administrator of a subscription, see Transfer ownership of an Azure subscription to another account.

Not sure who the Account administrator is? Follow these steps:

  1. Visit Subscriptions in Azure portal.
  2. Select the subscription you want to check, and then look under Settings.
  3. Select Properties. The Account administrator of the subscription is displayed in the Account Admin box.

Learn more about resource access control and Active Directory

Need help? Contact us.

If you have questions or need help, create a support request.