Classic subscription administrator roles vs. Azure RBAC roles vs. Azure AD administrator roles

If you are new to Azure, you may find it a little challenging to understand all the different roles in Azure. This article helps explain the following roles and when you would use each:

  • Classic subscription administrator roles
  • Azure role-based access control (RBAC) roles
  • Azure Active Directory (Azure AD) administrator roles

To better understand roles in Azure, it helps to know some of the history. When Azure was initially released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, role-based access control (RBAC) for Azure resources was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD administrator roles.

The following diagram is a high-level view of how the classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles are related.

The different roles in Azure

Classic subscription administrator roles

Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs. The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator. Then, additional Co-Administrators can be added. The Service Administrator and the Co-Administrators have the equivalent access of users who have been assigned the Owner role (an Azure RBAC role) at the subscription scope. The following table describes the differences between these three classic subscription administrative roles.

Classic subscription administrator Limit Permissions Notes
Account Administrator 1 per Azure account
  • Access the Azure Account Center
  • Manage all subscriptions in an account
  • Create new subscriptions
  • Cancel subscriptions
  • Change the billing for a subscription
  • Change the Service Administrator
Conceptually, the billing owner of the subscription.
Service Administrator 1 per Azure subscription
  • Manage services in the Azure portal
  • Assign users to the Co-Administrator role
By default, for a new subscription, the Account Administrator is also the Service Administrator.
The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
Co-Administrator 200 per subscription
  • Same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories
  • Assign users to the Co-Administrator role, but cannot change the Service Administrator
The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.

In the Azure portal, you can see who is assigned to the Account Administrator and Service Administrator by viewing the properties of your subscription.

Account Administrator and Service Administrator in the Azure portal

For information about how to add or change subscription administrators, see Add or change Azure subscription administrators in the Azure Billing documentation.

Azure account and Azure subscriptions

An Azure account represents a billing relationship. An Azure account is a user identity, one or more Azure subscriptions, and an associated set of Azure resources. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Accounts and subscriptions are managed in the Azure Account Center.

Azure RBAC roles

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 60 built-in roles. There are four fundamental RBAC roles. The first three apply to all resource types:

Azure RBAC role Permissions Notes
Owner
  • Full access to all resources
  • Delegate access to others
The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope
Applies to all resource types.
Contributor
  • Create and manage all of types of Azure resources
  • Cannot grant access to others
Applies to all resource types.
Reader
  • View Azure resources
Applies to all resource types.
User Access Administrator
  • Manage user access to Azure resources

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. For a list of all the built-in roles, see Built-in roles.

Only the Azure portal and the Azure Resource Manager APIs support RBAC. Users, groups, and applications that are assigned RBAC roles cannot use the Azure classic deployment model APIs.

In the Azure portal, role assignments using RBAC appear on the Access control (IAM) blade. This blade can found throughout the portal, such as subscriptions, resource groups, and various resources.

Access control (IAM) blade in the Azure portal

When you click the Roles option, you will see the list of built-in and custom roles.

Built-in roles in the Azure portal

Azure AD administrator roles

Azure AD administrator roles are used to manage Azure AD resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following table describes a few of the more important Azure AD administrator roles.

Azure AD administrator role Permissions Notes
Global Administrator
  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
  • Assign administrator roles to others
  • Reset the password for any user and all other administrators
The person who signs up for the Azure Active Directory tenant becomes a Global Administrator.
User Administrator
  • Create and manage all aspects of users and groups
  • Manage support tickets
  • Monitor service health
  • Change passwords for users, Helpdesk administrators, and other User Administrators
Billing Administrator
  • Make purchases
  • Manage subscriptions
  • Manage support tickets
  • Monitors service health

For a list of all the Azure AD administrator roles, see Assigning administrator roles in Azure Active Directory.

In the Azure portal, you can see the list of Azure AD administrator roles on the Roles and administrators blade.

Azure AD administrator roles in the Azure portal

Differences between Azure RBAC roles and Azure AD administrator roles

At a high level, Azure RBAC roles control permissions to manage Azure resources, while Azure AD administrator roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.

Azure RBAC roles Azure AD administrator roles
Manage access to Azure resources Manage access to Azure Active Directory resources
Supports custom roles Cannot create your own roles
Scope can be specified at multiple levels (management group, subscription, resource group, resource) Scope is at the tenant level
Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API Role information can be accessed in Azure admin portal, Office 365 admin portal, Microsoft Graph, AzureAD PowerShell

Do Azure RBAC roles and Azure AD administrator roles overlap?

By default, Azure RBAC roles and Azure AD administrator roles do not span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the Global admin can manage Azure Subscriptions and Management Groups switch in the Azure portal, the Global Administrator will be granted the User Access Administrator role (an RBAC role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see Elevate access as an Azure AD administrator.

Several Azure AD administrator roles span Azure AD and Microsoft Office 365, such as the Global Administrator and User Administrator roles. For example, if you are a member of the Global Administrator role, you have global administrator capabilities in Azure AD and Office 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.

Azure RBAC versus Azure AD administrator roles

Next steps