How to add or change Azure administrator roles
Account Administrator, Service Administrator, and Co-administrator are the three kinds of administrator roles in Microsoft Azure. To view the billing information and manage the subscriptions, you must sign in to the Account Center as the account administrator. The following table describes the difference between these three administrative roles.
|Account Administrator (AA)||1 per Azure account||This is the person who signed up for or bought Azure subscriptions, and is authorized to access the Account Center and perform various management tasks. These include being able to create subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator.|
|Service Administrator (SA)||1 per Azure subscription||This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator.|
|Co-administrator (CA) in the Azure classic portal||200 per subscription||This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories.|
Azure Active Directory Role-based Access Control (RBAC) allows users to be added to multiple roles. For more information, see Azure Active Directory Role-based Access Control.
How to add an admin for a subscription
To add someone as an admin for a subscription in the Azure portal, you give them the owner role. The owner role can only manage the resources in the subscription that you assigned. This role does not have access privilege to other subscriptions. The owners you add through the Azure portal cannot manage resource in the Azure classic portal.
- Sign in to the Azure portal.
On the Hub menu, select Subscription > the subscription that you want the admin to access.
In the subscription blade, select Access control (IAM)> Add.
Select Select a role > Owner.
Type the email address of the user you want to add as owner, click the user, and then click Select.
Azure classic portal
- Sign in to the Azure classic portal.
In the navigation pane, select Settings> Administrators> Add.
Type the email address of the person you want to add as Co-administrator and then select the subscription that you want the Co-administrator to access.
The following email address can be added as a Co-Administrator:
- Microsoft Account (formerly Windows Live ID)
You can use a Microsoft Account to sign in to all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Skype (MSN), OneDrive, Windows Phone, and Xbox LIVE.
An organizational account is an account that is created under Azure Active Directory. The organizational account address has this format:
Limitations and restrictions to administrator accounts
- Each subscription is associated with an Azure AD directory (also known as the Default Directory). To find the Default Directory the subscription is associated with, go to the Azure classic portal, select Settings > Subscriptions. Check the subscription ID to find the Default Directory.
- If you are signed in with a Microsoft Account, you can only add other Microsoft Accounts or users within the Default Directory as Co-Administrator.
- If you are signed in with an organizational account, you can add other organizational accounts in your organization as Co-Administrator. For example, firstname.lastname@example.org can add email@example.com as Service Administrator or Co-Administrator, but cannot add firstname.lastname@example.org unless email@example.com is the user in Default Directory. Users signed in with organizational accounts can continue to add Microsoft Account users as Service Administrator or Co-Administrator.
Now that it is possible to sign in to Azure with an organizational account, here are the changes to Service Administrator and Co-administrator account requirements:
Sign in Method Add Microsoft Account or users within Default Directory as CA or SA? Add organizational account in the same organization as CA or SA? Add organizational account in different organization as CA or SA? Microsoft Account Yes No No Organizational Account Yes Yes No
How to change Service Administrator for a subscription
Only the Account Administrator can change the Service Administrator for a subscription.
- Sign in to Azure Account Center by using the Account Administrator.
- Select the subscription you want to change.
On the right side, click Edit subscription details.
In the SERVICE ADMINISTRATOR box, enter the email address of the new Service Administrator.
How to change the Account Administrator
To transfer ownership of the Azure account to another account, see Transferring Ownership of an Azure subscription.
How to check the Account Administrator of the subscription
If you're not sure who the account administrator is for your subscription, use the following steps to find out.
- Sign in to the Azure portal.
- On the Hub menu, select Subscription.
- Select the subscription you want to check, and then look under Settings.
- Select Properties. The account administrator of the subscription is displayed in the Account Admin box.
Learn more about resource access control and Active Directory
- To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access in Azure.
- For more information on how Azure Active Directory relates to your Azure subscription, see How Azure subscriptions are associated with Azure Active Directory and Assigning administrator roles in Azure Active Directory.
Need help? Contact support.
If you still need help, contact support to get your issue resolved quickly.