Updated: June 19, 2015
Applies To: Azure
In Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS), portal administrators are users who have access rights to the ACS Management Portal for a specific Access Control namespace. When you create an Access Control namespace in the Azure Management Portal (for more information, see How to: Create an Access Control Namespace), ACS automatically creates default portal administrator accounts for the subscription’s service administrator and co-administrators and adds Windows Live ID (Microsoft account) as a default identity provider. The portal administrators can delegate administrative access for particular Access Control namespaces to other users. To create a portal administrator for a namespace, use the Portal Administrators section of the ACS Management Portal. Within the designated namespace, these new portal administrators have the same level of access rights as the original (default) portal administrator.
Portal administrators for an Access Control namespace can log in to the management portal for that particular Access Control namespace by using a federated user account, such as a Windows Live ID (Microsoft account) account. Portal administrators have permission to add, delete, and change all configuration settings for the namespace, including other portal administrator accounts and management service credentials.
Portal administrators for an Access Control namespace can access only their designated namespace. They do not have permission to create or manage other Access Control namespaces.
Adding Additional Portal Administrators
The ACS Management Portal uses federated identities; that is, administrative accounts are hosted by identity providers, not by Access Control namespaces. To promote a user to be an ACS portal administrator, the identity provider that hosts the user account must be added and configured in the Access Control namespace.
If a user account of a new portal administrator is hosted by an identity provider other than Windows Live ID (Microsoft account), you need to add the identity provider to the Access Control namespace. For more information, see How to: Add Portal Administrators.
When you add a portal administrator, you are redirected to the Portal Administrators page. The page includes a URL for accessing the management portal for this namespace. You can provide this URL to the new portal administrators, and they can use it to open the ACS Management Portal for this namespace. This URL cannot be used to access the Azure Management Portal or to manage other Access Control namespaces.
Deleting Portal Administrators
When you delete the portal administrator for an Access Control namespace, you revoke the administrator's access to the namespace.
To delete a portal administrator:
In the ACS Management Portal, click Portal administrators.
Check the box beside a portal administrator account and then click Delete.
When you delete a portal administrator, the management service key, which can be used to manage the portal, is not changed. ACS does not programmatically update the management service key when a portal administrator is removed, because doing so might interrupt access to solutions in production that use the management service keys.
When you delete a portal administrator account, consider updating the management service key for the Access Control namespace.
To generate a new management service key:
In the ACS Management Portal, click Management service.
Select a management service account, such as ManagementClient, and then click Symmetric Key.
Delete the value in the Key field, click Generate, and then click Save.
To add, delete, and change management keys programmatically, use the ACS Management Service. The Code Sample: Management Service sample includes methods for adding, deleting, and updating management service keys.