Commit a8e53ea

Merge pull request #65986 from rolyon/rolyon-rbac-classic-admin-v2
[Azure RBAC] Classic subscription administrators v2
2 parents 7be1ca0 + 3dd4bd8 commit a8e53ea

18 files changed

+184
-85
lines changed
Lines changed: 27 additions & 84 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Add or change Azure admin subscription roles | Microsoft Docs
3-
description: Describes how to add or change Azure Co-Administrator, Service Administrator and Account Administrator
2+
title: Add or change Azure subscription administrators | Microsoft Docs
3+
description: Describes how to add or change an Azure subscription administrator using role-based access control (RBAC).
44
services: ''
55
documentationcenter: ''
66
author: genlin
@@ -14,112 +14,55 @@ ms.workload: na
1414
ms.tgt_pltfrm: na
1515
ms.devlang: na
1616
ms.topic: conceptual
17-
ms.date: 1/23/2019
17+
ms.date: 02/10/2019
1818
ms.author: banders
1919

2020
---
2121
# Add or change Azure subscription administrators
2222

23-
To manage access to Azure resources, you must have the appropriate administrator role. This article describes how to add or change the administrator role for a user at the subscription level.
23+
To manage access to Azure resources, you must have the appropriate administrator role. Azure has an authorization system called role-based access control (RBAC) with several built-in roles you can choose from. You can assign these roles at different scopes, such as management group, subscription, or resource group.
2424

25-
## What administrator role do I use?
25+
Microsoft recommends that you manage access to resources using RBAC. However, if you are are still using the classic deployment model, you'll need to use a classic subscription administrator. For more information, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/resource-manager-deployment-model.md) and [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md).
2626

27-
Azure has several different roles. To manage access to resources, you can use the classic subscription administrator roles, such as Service administrator and Co-administrator, or a newer authorization system called role-based access control (RBAC). To ensure better control and to simplify access management, we recommend that you use RBAC for all access management needs. If possible, we recommend that you reconfigure existing access policies using RBAC. For more information, see [What is role-based access control (RBAC)](../role-based-access-control/overview.md) and [Understand the different roles in Azure](../role-based-access-control/rbac-and-directory-admin-roles.md).
27+
This article describes how add or change the administrator role for a user using RBAC at the subscription scope.
2828

2929
<a name="add-an-admin-for-a-subscription"></a>
3030

31-
## Add an RBAC Owner for a subscription in Azure portal
31+
## Assign a user as an administrator of a subscription
3232

33-
To add someone as an administrator for an Azure subscription, assign them the [Owner](../role-based-access-control/built-in-roles.md#owner) role (an RBAC role) at the subscription scope. The Owner role can manage the resources in the subscription that you assigned and doesn't have access privilege to other subscriptions.
33+
To make a user an administrator of an Azure subscription, assign them the [Owner](../role-based-access-control/built-in-roles.md#owner) role (an RBAC role) at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others. These steps are the same as any other role assignment.
3434

35-
1. Visit [**Subscriptions** in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
36-
2. Select the subscription that you want to give access.
37-
3. Select **Access control (IAM)** in the list.
38-
4. Select **Add role assignment**.
39-
(If the Add role assignment button is missing, you do not have permission to add permissions.)
40-
5. In the **Role** box, select **Owner**.
41-
6. In the **Assign access to** box, select **Azure AD user, group, or service principal**.
42-
7. In the **Select** box, type the email address of the user you want to add as Owner. Select the user, and then select **Save**.
35+
1. In the Azure portal, open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
4336

44-
![Screenshot that shows the Owner role selected](./media/billing-add-change-azure-subscription-administrator/add-role.png)
45-
46-
This gives the user full access to all resources including the right to delegate access to others. To give access at a different scope, like a resource group, visit the **Access control (IAM)** blade for that scope.
47-
48-
## Add or change Co-administrator
49-
50-
Only an [Owner](../role-based-access-control/built-in-roles.md#owner) can be added as a Co-administrator. Other users with roles such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) and [Reader](../role-based-access-control/built-in-roles.md#reader) cannot be added as Co-administrators.
51-
52-
> [!TIP]
53-
> You only need to add the Owner as a Co-administrator if the user needs to manage Azure classic deployments. We recommend using RBAC for all other purposes.
54-
55-
1. If you haven't already, add someone as an Owner following instructions from above.
56-
2. **Right-click** the Owner user you just added, and then select **Add as co-administrator**. If you do not see the **Add as co-administrator** option, refresh the page or try another Internet browser.
57-
58-
![Screenshot that adds co-administrator](./media/billing-add-change-azure-subscription-administrator/add-coadmin.png)
59-
60-
To remove the Co-administrator permission, **right-click** the Co-administrator user and then select **Remove co-administrator**.
61-
62-
![Screenshot that removes co-administrator](./media/billing-add-change-azure-subscription-administrator/remove-coadmin.png)
63-
64-
### Adding a guest user as a Co-administrator
37+
1. Click the subscription where you want to grant access.
6538

66-
[Guest users](../active-directory/b2b/b2b-quickstart-add-guest-users-portal.md) that have been assigned the Co-administrator role might see some differences as compared to member users with the Co-administrator role. Consider the following scenario:
39+
1. Click **Access control (IAM)**.
6740

68-
- User A with an Azure AD Work or School account is a Service administrator for an Azure subscription.
69-
- User B has a Microsoft account.
70-
- User A assigns the Co-administrator role to user B.
71-
- User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.
41+
1. Click the **Role assignments** tab to view all the role assignments for this subscription.
7242

73-
You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot. If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/users-groups-roles/directory-assign-admin-roles.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/users-groups-roles/directory-assign-admin-roles.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
43+
![Screenshot that shows role assignments](./media/billing-add-change-azure-subscription-administrator/role-assignments.png)
7444

75-
Note that the [built-in roles for Azure resources](../role-based-access-control/built-in-roles.md) are different than the [Azure AD administrator roles](../active-directory/users-groups-roles/directory-assign-admin-roles.md). The built-in roles don't grant any access to Azure AD. For more information, see [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
45+
1. Click **Add** > **Add role assignment** to open the **Add role assignment** pane.
7646

77-
<a name="change-service-administrator-for-a-subscription"></a>
47+
If you don't have permissions to assign roles, the option will be disabled.
7848

79-
## Change the Service administrator for an Azure subscription
49+
1. In the **Role** drop-down list, select the **Owner** role.
8050

81-
Only the Account administrator can change the Service administrator for a subscription. By default, when you sign up, the Service administrator is the same as the Account administrator. If the Service administrator is changed to a different user, then the Account administrator loses access to Azure portal. However, the Account administrator can always use Account Center to change the Service administrator back to themselves.
51+
1. In the **Select** list, select a user. If you don't see the user in the list, you can type in the **Select** box to search the directory for display names and email addresses.
8252

83-
1. Make sure your scenario is supported by checking the [limits for changing Service administrators](#limits).
84-
1. Sign in to [Account Center](https://account.windowsazure.com/subscriptions) as the Account administrator.
85-
1. Select a subscription.
86-
1. On the right side, select **Edit subscription details**.
87-
88-
![Screenshot showing the Edit subscription button in Account Center](./media/billing-add-change-azure-subscription-administrator/editsub.png)
89-
1. In the **SERVICE ADMINISTRATOR** box, enter the email address of the new Service administrator.
90-
91-
![Screenshot showing the box to change the Service Admin email](./media/billing-add-change-azure-subscription-administrator/changeSA.png)
92-
93-
<a name="limits"></a>
94-
95-
### Limitations for changing Service administrators
96-
97-
* Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, go to [**Subscriptions**](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade), then select a subscription to see the directory.
98-
* If you are signed in with a Work or School account, you can add other accounts in your organization as Service administrator. For example, abby@contoso.com can add bob@contoso.com as Service administrator, but can't add john@notcontoso.com unless john@notcontoso.com has presence in the contoso.com directory. Users signed in with Work or School accounts can continue to add Microsoft Account users as Service administrator.
99-
100-
| Sign-in Method | Add Microsoft Account user as a Service administrator? | Add Work or School account in the same organization as a Service administrator? | Add Work or School account in different organization as a Service administrator? |
101-
| --- | --- | --- | --- |
102-
| Microsoft Account |Yes |No |No |
103-
| Work or School Account |Yes |Yes |No |
104-
105-
## Change the Account administrator for an Azure subscription
106-
107-
The Account administrator is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account administrator of a subscription, see [Transfer ownership of an Azure subscription to another account](billing-subscription-transfer.md).
108-
109-
<a name="check-the-account-administrator-of-the-subscription"></a>
53+
![Screenshot that shows the Owner role selected](./media/billing-add-change-azure-subscription-administrator/add-role.png)
11054

111-
**Not sure who the Account administrator is?** Follow these steps:
55+
1. Click **Save** to assign the role.
11256

113-
1. Visit [**Subscriptions** in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
114-
1. Select the subscription you want to check, and then look under **Settings**.
115-
1. Select **Properties**. The Account administrator of the subscription is displayed in the **Account Admin** box.
57+
After a few moments, the user is assigned the Owner role at the subscription scope.
11658

117-
## Learn more about resource access control and Active Directory
59+
## Next steps
11860

119-
* To learn more about RBAC, see [What is role-based access control (RBAC)?](../role-based-access-control/overview.md)
120-
* To learn more about all the roles in Azure, see [Understand the different roles in Azure](../role-based-access-control/rbac-and-directory-admin-roles.md).
121-
* For more information about Azure Active Directory, see [How Azure subscriptions are associated with Azure Active Directory](../active-directory/active-directory-how-subscriptions-associated-directory.md) and [Assigning administrator roles in Azure Active Directory](../active-directory/users-groups-roles/directory-assign-admin-roles.md).
61+
* [What is role-based access control (RBAC)?](../role-based-access-control/overview.md)
62+
* [Understand the different roles in Azure](../role-based-access-control/rbac-and-directory-admin-roles.md)
63+
* [How to: Associate or add an Azure subscription to Azure Active Directory](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
64+
* [Administrator role permissions in Azure Active Directory](../active-directory/users-groups-roles/directory-assign-admin-roles.md)
12265

123-
## Need help? Contact us.
66+
## Need help? Contact support
12467

125-
If you have questions or need help, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
68+
If you still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly.
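Review bot: The two added intro paragraphs each carry a typo: "if you are are still using the classic deployment model" (new line 25) repeats "are", and "This article describes how add or change the administrator role" (new line 27) is missing "to". Separately, this hunk deletes the anchors `change-service-administrator-for-a-subscription`, `limits` and `check-the-account-administrator-of-the-subscription`; the pay-by-invoice article is repointed for the last one, so confirm that no other article still links to the first two. The rewritten section also drops the old pointer to assigning at a different scope such as a resource group; since Owner grants full access to all resources plus the right to delegate access, a sentence steering readers to a narrower scope or role when full control is not needed would keep the least-privilege guidance next to the steps.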

articles/billing/billing-how-to-pay-by-invoice.md

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ You can change the payment method for your Azure subscription to invoice by subm
4040

4141
* Company name
4242
* Billing address
43-
* [Account administrator's email address](billing-add-change-azure-subscription-administrator.md#check-the-account-administrator-of-the-subscription)
43+
* [Account administrator's email address](../role-based-access-control/classic-administrators.md#view-the-account-administrator)
4444

4545
1. Verify your contact information and preferred contact method, and then click **Create**.
4646
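Review bot: The replacement link on new line 43 depends on a `view-the-account-administrator` anchor in `../role-based-access-control/classic-administrators.md`, which is not visible in this diff; confirm the heading exists with that exact slug, because the in-file anchor it replaces is deleted in this same commit and a mismatch would leave the invoice request instructions with a dead link.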

articles/role-based-access-control/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -68,6 +68,8 @@
6868
href: elevate-access-global-admin.md
6969
- name: Manage access for external users
7070
href: role-assignments-external-users.md
71+
- name: Classic administrators
72+
href: classic-administrators.md
7173
- name: Troubleshoot
7274
href: troubleshooting.md
7375
- name: Reference
