Add or change Azure subscription administrators
Azure classic subscription admins and Azure Role-Based Access Control (RBAC) are two systems for managing access to Azure resources:
- Classic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators.
- When you sign up for a new Azure subscription, your account is set as both the Account Administrator and Service Administrator by default.
- Co-Administrators can be added after sign up.
- RBAC is a newer system that offers fine-grained access management with many built-in roles, flexibility of scope, and custom roles.
- However, users with only RBAC roles and no classic subscription admin roles cannot manage Azure classic deployments.
To ensure better control and to simplify access management, we recommend that you use RBAC for all access management needs. If possible, we recommend that you reconfigure existing access policies using RBAC.
Add an RBAC Owner admin for a subscription in Azure portal
To add someone as an admin for Azure subscription service administration, give them an RBAC Owner role to the subscription. The Owner role can manage the resources in the subscription that you assigned and doesn't have access privilege to other subscriptions.
- Visit Subscriptions in Azure portal.
- Select the subscription that you want to give access.
- Select Access control (IAM) in the menu.
- In the Role box, select Owner.
- In the Assign access to box, select Azure AD user, group, or application.
In the Select box, type the email address of the user you want to add as Owner. Select the user, and then select Save.
This gives the user full access to all resources including the right to delegate access to others. To give access at a different scope, like a resource group, visit the IAM menu for that scope.
Add or change Co-administrator
Only an Owner can be added as a Co-administrator. Other users with roles such as Contributor and Reader cannot be added as Co-administrators.
You only need to add the "Owner" account as co-administrator if the user needs to manage Azure classic deployments. We recommend using RBAC for all other purposes.
- If you haven't already, add someone as an Owner following instructions from above.
Right-click the Owner user you just added, and then select Add as co-administrator. If you do not see the Add as co-administrator option, refresh the page or try another Internet browser.
To remove the Co-administrator permission, right-click the "Co-administrator" user and then select Remove co-administrator.
Change the Service Administrator for an Azure subscription
Only the Account Administrator can change the Service Administrator for a subscription. By default, when you sign up, the Service Administrator is the same as the Account Administrator. If the Service Administrator is changed to a different user, then the Account Administrator loses access to Azure portal. However, the Account Administrator can always use Account Center to change the Service Administrator back to themselves.
- Make sure your scenario is supported by checking the limits for changing Service Administrators.
- Sign in to Account Center as the Account Administrator.
- Select a subscription.
On the right side, select Edit subscription details.
In the SERVICE ADMINISTRATOR box, enter the email address of the new Service Administrator.
Limitations for changing Service Administrators
- Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, go to Subscriptions, then select a subscription to see the directory.
If you are signed in with a Work or School account, you can add other accounts in your organization as Service Administrator. For example, firstname.lastname@example.org can add email@example.com as Service Administrator, but can't add firstname.lastname@example.org unless email@example.com has presence in the contoso.com directory. Users signed in with Work or School accounts can continue to add Microsoft Account users as Service Administrator.
Sign-in Method Add Microsoft Account user as SA? Add Work or School account in the same organization as SA? Add Work or School account in different organization as SA? Microsoft Account Yes No No Work or School Account Yes Yes No
Change the Account Administrator for an Azure subscription
The Account Admin is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account Administrator of a subscription, see Transfer ownership of an Azure subscription to another account.
Not sure who the Account Administrator is? Follow these steps:
- Visit Subscriptions in Azure portal.
- Select the subscription you want to check, and then look under Settings.
- Select Properties. The Account Administrator of the subscription is displayed in the Account Admin box.
Types of classic subscription admins
Account Administrator, Service Administrator, and Co-administrator are the three kinds of classic subscription administrator roles in Azure. The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator. Then, additional Co-Administrators can be added. The following table describes exact differences between these three administrative roles.
For better control and fine-grained access management, we recommend using Azure Role-based Access Control (RBAC), which allows users to be added to multiple roles. To learn more, see Azure Active Directory Role-based Access Control.
|Classic subscription administrator||Limit||Description|
|Account Administrator (AA)||1 per Azure account||This is the user who signed up for the Azure subscription, and is authorized to access the Account Center and perform various management tasks. These include being able to create new subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator. Conceptually, the Account Admin is the billing owner of the subscription. In RBAC, the Account Administrator isn't assigned a role.|
|Service Administrator (SA)||1 per Azure subscription||This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator. In RBAC, the Owner role is given to the Service Administrator at the subscription scope.|
|Co-administrator (CA)||200 per subscription||This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories. In RBAC, the Owner role is given to the Co-Administrator at the subscription scope.|
Learn more about resource access control and Active Directory
- To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access in Azure.
- For more information about Azure Active Directory, see How Azure subscriptions are associated with Azure Active Directory and Assigning administrator roles in Azure Active Directory.
Need help? Contact support.
If you still need help, contact support to get your issue resolved quickly.