Azure classic subscription administrators

Microsoft recommends that you manage access to Azure resources using role-based access control (RBAC). However, if you are still using the classic deployment model, you'll need to use one of the classic subscription administrator roles: Service Administrator or Co-Administrator. For more information, see Azure Resource Manager vs. classic deployment.

This article describes how to add or change the Co-Administrator and Service Administrator roles, and how to view the Account Administrator.

Add a Co-Administrator

Tip

You only need to add a Co-Administrator if the user needs to manage Azure classic deployments by using Azure Service Management PowerShell Module. If the user only uses the Azure portal to manage the classic resources, you won’t need to add the classic administrator for the user.

  1. Sign in to the Azure portal as a Service Administrator or Co-Administrator.

  2. Open Subscriptions and select a subscription.

    Co-Administrators can only be assigned at the subscription scope.

  3. Click Access control (IAM).

  4. Click the Classic administrators tab.

  5. Click Add > Add co-administrator to open the Add co-administrators pane.

    If the Add co-administrator option is disabled, you do not have permissions.

  6. Select the user that you want to add and click Add.

Add a guest user as a Co-Administrator

To add a guest user as a Co-Administrator, follow the same steps as in the previous Add a Co-Administrator section. The guest user must meet the following criteria:

  • The guest user must have a presence in your directory. This means that the user was invited to your directory and accepted the invite.

For more information about how to add a guest user to your directory, see Add Azure Active Directory B2B collaboration users in the Azure portal.

Differences for guest users

Guest users that have been assigned the Co-Administrator role might see some differences as compared to member users with the Co-Administrator role. Consider the following scenario:

  • User A with an Azure AD account (work or school account) is a Service Administrator for an Azure subscription.
  • User B has a Microsoft account.
  • User A assigns the Co-Administrator role to user B.
  • User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.

You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot.

If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the Directory Readers role to read other users and assign the Application Developer role to be able to create service principals. For more information about member and guest users and their permissions, see What are the default user permissions in Azure Active Directory?. For more information about granting access for guest users, see Manage access to Azure resources for external guest users using RBAC.

Note that the built-in roles for Azure resources are different from the Azure AD administrator roles. The built-in roles don't grant any access to Azure AD. For more information, see Understand the different roles.

For information that compares member users and guest users, see What are the default user permissions in Azure Active Directory?.
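To see which classic administrators on your subscriptions might be affected by the guest-user differences described above, you can inventory them with the Az PowerShell module. This is an added example, not part of the original article; it assumes a signed-in session (Connect-AzAccount), the `Get-ClassicAdminReport` function name is hypothetical, and `contoso.com` is a placeholder for your directory's own domains.

```powershell
# Added example: inventory classic administrators across subscriptions.
# Requires the Az.Accounts and Az.Resources modules and a prior Connect-AzAccount.
param(
    # Assumption: the domains of your own directory; replace the placeholder.
    [string[]]$InternalDomains = @('contoso.com')
)

function Get-ClassicAdminReport {
    param([string[]]$InternalDomains)

    foreach ($sub in Get-AzSubscription) {
        # Switch context so the role query runs against this subscription.
        $null = Set-AzContext -Subscription $sub.Id -Tenant $sub.TenantId

        Get-AzRoleAssignment -IncludeClassicAdministrators |
            Where-Object {
                # Classic roles are listed alongside RBAC assignments; keep only them.
                $_.RoleDefinitionName -match 'CoAdministrator|ServiceAdministrator|AccountAdministrator'
            } |
            ForEach-Object {
                $domain = ($_.SignInName -split '@')[-1]
                [pscustomobject]@{
                    Subscription   = $sub.Name
                    SignInName     = $_.SignInName
                    ClassicRoles   = $_.RoleDefinitionName
                    # Heuristic only: a sign-in outside your domains is likely a
                    # Microsoft account or guest user, so the guest default
                    # permissions in Azure AD may apply to it.
                    LikelyExternal = $InternalDomains -notcontains $domain
                }
            }
    }
}

Get-ClassicAdminReport -InternalDomains $InternalDomains |
    Sort-Object Subscription, ClassicRoles |
    Format-Table -AutoSize
```

Rows with `LikelyExternal` set to `True` are candidates to confirm as guest users in the directory and, if needed, to give the Directory Readers or Application Developer role.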

Remove a Co-Administrator

  1. Sign in to the Azure portal as a Service Administrator or Co-Administrator.

  2. Open Subscriptions and select a subscription.

  3. Click Access control (IAM).

  4. Click the Classic administrators tab.

  5. Add a checkmark next to the Co-Administrator you want to remove.

  6. Click Remove.

  7. In the message box that appears, click Yes.

Change the Service Administrator

Only the Account Administrator can change the Service Administrator for a subscription. By default, when you sign up for an Azure subscription, the Service Administrator is the same as the Account Administrator. The user with the Account Administrator role has no access to the Azure portal. The user with the Service Administrator role has full access to the Azure portal. If the Account Administrator and Service Administrator are the same user and you change the Service Administrator to a different user, then the Account Administrator loses access to the Azure portal. However, the Account Administrator can always use Account Center to change the Service Administrator back to themselves.

There are two ways to change the Service Administrator: in the Azure portal or in Account Center.

Azure portal

  1. Make sure your scenario is supported by checking the limitations for changing Service Administrators.

  2. Sign in to the Azure portal as the Account Administrator.

  3. Open Subscriptions and select a subscription.

  4. Click Properties.

  5. At the top, click Service Admin to open the Service administrator pane.

    If the Service Admin button is disabled, you do not have permissions. Only the user who is the Account Administrator can change the Service Administrator.

  6. Select a new Service Administrator and then click Save.

Account Center

  1. Make sure your scenario is supported by checking the limitations for changing Service Administrators.

  2. Sign in to Account Center as the Account Administrator.

  3. Click a subscription.

  4. On the right side, click Edit subscription details.

  5. In the SERVICE ADMINISTRATOR box, enter the email address of the new Service Administrator.

  6. Click the checkmark to save the change.

Limitations for changing the Service Administrator

There can only be one Service Administrator per Azure subscription. Changing the Service Administrator will behave differently depending on whether the Account Administrator is a Microsoft account or whether it is an Azure AD account (work or school account).

| Account Administrator account | Can change the Service Administrator to a different Microsoft account? | Can change the Service Administrator to an Azure AD account in the same directory? | Can change the Service Administrator to an Azure AD account in a different directory? |
| --- | --- | --- | --- |
| Microsoft account | Yes | No | No |
| Azure AD account | Yes | Yes | No |

If the Account Administrator is an Azure AD account, you can change the Service Administrator to an Azure AD account in the same directory, but not in a different directory. For example, abby@contoso.com can change the Service Administrator to bob@contoso.com, but cannot change the Service Administrator to john@notcontoso.com unless john@notcontoso.com has a presence in the contoso.com directory.

For more information about Microsoft accounts and Azure AD accounts, see What is Azure Active Directory?.

View the Account Administrator

The Account Administrator is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account Administrator of a subscription, see Transfer ownership of an Azure subscription to another account.

Follow these steps to view the Account Administrator.

  1. Sign in to the Azure portal.

  2. Open Subscriptions and select a subscription.

  3. Click Properties.

    The Account Administrator of the subscription is displayed in the Account Admin box.
