How to add or change Azure administrator roles

Account Administrator, Service Administrator, and Co-administrator are the three kinds of administrator roles in Microsoft Azure. To view the billing information and manage the subscriptions, you must sign in to the Account Center as the account administrator. The following table describes the difference between these three administrative roles.

Administrative role Limit Description
Account Administrator (AA) 1 per Azure account This is the person who signed up for or bought Azure subscriptions, and is authorized to access the Account Center and perform various management tasks. These include being able to create subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator.
Service Administrator (SA) 1 per Azure subscription This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator.
Co-administrator (CA) in the Azure classic portal 200 per subscription This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories.

Azure Active Directory Role-based Access Control (RBAC) allows users to be added to multiple roles. For more information, see Azure Active Directory Role-based Access Control.

How to add an admin for a subscription

Azure portal

To add someone as an admin for a subscription in the Azure portal, you give them the owner role. The owner role can only manage the resources in the subscription that you assigned. This role does not have access privilege to other subscriptions. The owners you add through the Azure portal cannot manage resource in the Azure classic portal.

  1. Sign in to the Azure portal.
  2. On the Hub menu, select Subscription > the subscription that you want the admin to access.

    newselectsub

  3. In the subscription blade, select Access control (IAM)> Add.

    newsettings

  4. Select Select a role > Owner.

    newselectrole

  5. Type the email address of the user you want to add as owner, click the user, and then click Select.

    newadduser

Azure classic portal

  1. Sign in to the Azure classic portal.
  2. In the navigation pane, select Settings> Administrators> Add.

    addcodmin

  3. Type the email address of the person you want to add as Co-administrator and then select the subscription that you want the Co-administrator to access.

    addcoadmin2

The following email address can be added as a Co-Administrator:

  • Microsoft Account (formerly Windows Live ID)
    You can use a Microsoft Account to sign in to all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Skype (MSN), OneDrive, Windows Phone, and Xbox LIVE.
  • Organizational account
    An organizational account is an account that is created under Azure Active Directory. The organizational account address has this format:

    user@<your domain>.onmicrosoft.com

Limitations and restrictions to administrator accounts

  • Each subscription is associated with an Azure AD directory (also known as the Default Directory). To find the Default Directory the subscription is associated with, go to the Azure classic portal, select Settings > Subscriptions. Check the subscription ID to find the Default Directory.
  • If you are signed in with a Microsoft Account, you can only add other Microsoft Accounts or users within the Default Directory as Co-Administrator.
  • If you are signed in with an organizational account, you can add other organizational accounts in your organization as Co-Administrator. For example, abby@contoso.com can add bob@contoso.com as Service Administrator or Co-Administrator, but cannot add john@notcontoso.com unless john@noncontoso.com is the user in Default Directory. Users signed in with organizational accounts can continue to add Microsoft Account users as Service Administrator or Co-Administrator.
  • Now that it is possible to sign in to Azure with an organizational account, here are the changes to Service Administrator and Co-administrator account requirements:

    Sign in Method Add Microsoft Account or users within Default Directory as CA or SA? Add organizational account in the same organization as CA or SA? Add organizational account in different organization as CA or SA?
    Microsoft Account Yes No No
    Organizational Account Yes Yes No

How to change Service Administrator for a subscription

Only the Account Administrator can change the Service Administrator for a subscription.

  1. Sign in to Azure Account Center by using the Account Administrator.
  2. Select the subscription you want to change.
  3. On the right side, click Edit subscription details.

    editsub

  4. In the SERVICE ADMINISTRATOR box, enter the email address of the new Service Administrator.

    changeSA

How to change the Account Administrator

To transfer ownership of the Azure account to another account, see Transferring Ownership of an Azure subscription.

How to check the Account Administrator of the subscription

If you're not sure who the account administrator is for your subscription, use the following steps to find out.

  1. Sign in to the Azure portal.
  2. On the Hub menu, select Subscription.
  3. Select the subscription you want to check, and then look under Settings.
  4. Select Properties. The account administrator of the subscription is displayed in the Account Admin box.

Learn more about resource access control and Active Directory

Need help? Contact support.

If you still need help, contact support to get your issue resolved quickly.