Add or change Azure administrator roles that manage the subscription or services
You can change the Azure administrator that manages your Azure subscription or manages the Azure services used in your subscription. To view Azure billing information and manage subscriptions, you must sign in to the Account Center as the Account Administrator.
Add an admin for a subscription
You can add an Azure administrator in the Azure portal or in the Azure classic portal.
To add someone as an admin for a subscription in the Azure portal, you give them the owner role. The owner role can only manage the resources in the subscription that you assigned. It doesn't have access privilege to other subscriptions. The owners you add through the Azure portal can't manage resource in the Azure classic portal.
- Sign in to the Azure portal.
On the Hub menu, select Subscription > the subscription that you want the admin to access.
In the subscription blade, select Access control (IAM)> Add.
Select Select a role > Owner.
Type the email address of the user you want to add as owner, click the user, and then click Select.
Azure classic portal
- Sign in to the Azure classic portal.
In the navigation pane, select Settings> Administrators> Add.
Type the email address of the person you want to add as Co-administrator and then select the subscription that you want the Co-administrator to access.
The following email address can be added as a Co-Administrator:
- Microsoft Account (formerly Windows Live ID)
You can use a Microsoft Account to sign in to all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Skype (MSN), OneDrive, Windows Phone, and Xbox LIVE.
An organizational account is an account that is created under Azure Active Directory. The organizational account address has this format:
Change Service Administrator for a subscription
Only the Account Administrator can change the Service Administrator for a subscription.
- Sign in to Azure Account Center by using the Account Administrator.
- Select the subscription you want to change.
On the right side, click Edit subscription details.
In the SERVICE ADMINISTRATOR box, enter the email address of the new Service Administrator.
Change the Account Administrator
To transfer ownership of the Azure account to another account, see Transferring Ownership of an Azure subscription.
We strongly recommend that you don't delete or rename the Account Administrator's email address. You may see unexpected and undesirable behavior with the Azure account. You may not be able sign-in to Azure with that account, make changes to the account, or manage resources with that account.
Check the Account Administrator of the subscription
If you're not sure who the account administrator is for your subscription, use the following steps to find out.
- Sign in to the Azure portal.
- On the Hub menu, select Subscription.
- Select the subscription you want to check, and then look under Settings.
- Select Properties. The account administrator of the subscription is displayed in the Account Admin box.
Types of Azure admin accounts
Account Administrator, Service Administrator, and Co-administrator are the three kinds of administrator roles in Microsoft Azure. The following table describes the difference between these three administrative roles.
|Account Administrator (AA)||1 per Azure account||This is the person who signed up for or bought Azure subscriptions, and is authorized to access the Account Center and perform various management tasks. These include being able to create subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator.|
|Service Administrator (SA)||1 per Azure subscription||This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator.|
|Co-administrator (CA) in the Azure classic portal||200 per subscription||This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories.|
Azure Active Directory Role-based Access Control (RBAC) allows users to be added to multiple roles. For more information, see Azure Active Directory Role-based Access Control.
Limitations and restrictions for admin accounts
- Each subscription is associated with an Azure AD directory (also known as the Default Directory). To find the Default Directory the subscription is associated with, go to the Azure classic portal, select Settings > Subscriptions. Check the subscription ID to find the Default Directory.
- If you are signed in with a Microsoft Account, you can only add other Microsoft Accounts or users within the Default Directory as Co-Administrator.
- If you are signed in with an organizational account, you can add other organizational accounts in your organization as Co-Administrator. For example, firstname.lastname@example.org can add email@example.com as Service Administrator or Co-Administrator, but can't add firstname.lastname@example.org unless email@example.com is in Default Directory. Users signed in with organizational accounts can continue to add Microsoft Account users as Service Administrator or Co-Administrator.
Now that it is possible to sign in to Azure with an organizational account, here are the changes to Service Administrator and Co-administrator account requirements:
Sign in Method Add Microsoft Account or users within Default Directory as CA or SA? Add organizational account in the same organization as CA or SA? Add organizational account in different organization as CA or SA? Microsoft Account Yes No No Organizational Account Yes Yes No
Learn more about resource access control and Active Directory
- To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access in Azure.
- For more information about Azure Active Directory, see How Azure subscriptions are associated with Azure Active Directory and Assigning administrator roles in Azure Active Directory.
Need help? Contact support.
If you still need help, contact support to get your issue resolved quickly.