Add or change Azure subscription administrators
To manage access to Azure resources, you must have the appropriate administrator role. Azure has an authorization system called role-based access control (RBAC) with several built-in roles you can choose from. You can assign these roles at different scopes, such as management group, subscription, or resource group. By default, the person who creates a new Azure subscription can assign other users administrative access to a subscription.
This article describes how add or change the administrator role for a user using RBAC at the subscription scope.
Microsoft recommends that you manage access to resources using RBAC. However, if you are still using the classic deployment model and managing the classic resources by using Azure Service Management PowerShell Module, you'll need to use a classic administrator.
If you only use the Azure portal to manage the classic resources, you don't need to use the classic administrator.
Assign a subscription administrator
To make a user an administrator of an Azure subscription, an existing administrator assigns them the Owner role (an RBAC role) at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others. These steps are the same as any other role assignment.
If you're not sure who the account administrator is for a subscription, use the following steps to find out.
- Open the Subscriptions page in the Azure portal.
- Select the subscription you want to check, and then look under Settings.
- Select Properties. The account administrator of the subscription is displayed in the Account Admin box.
To assign a user as an administrator
Sign in to the Azure portal as the subscription owner and open Subscriptions.
Click the subscription where you want to grant access.
Click Access control (IAM).
Click the Role assignments tab to view all the role assignments for this subscription.
Click Add > Add role assignment to open the Add role assignment pane.
If you don't have permissions to assign roles, the option will be disabled.
In the Role drop-down list, select the Owner role.
In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.
Click Save to assign the role.
After a few moments, the user is assigned the Owner role at the subscription scope.
- What is role-based access control (RBAC)?
- Understand the different roles in Azure
- How to: Associate or add an Azure subscription to Azure Active Directory
- Administrator role permissions in Azure Active Directory
Need help? Contact support
If you still need help, contact support to get your issue resolved quickly.