Add or change Azure subscription administrators

To manage access to Azure resources, you must have the appropriate administrator role. This article describes how to add or change the administrator role for a user at the subscription level.

What administrator role do I use?

Azure has several different roles. To manage access to resources, you can use the classic subscription administrator roles, such as Service administrator and Co-administrator, or a newer authorization system called role-based access control (RBAC). To ensure better control and to simplify access management, we recommend that you use RBAC for all access management needs. If possible, we recommend that you reconfigure existing access policies using RBAC. For more information, see What is role-based access control (RBAC) and Understand the different roles in Azure.

Add an RBAC Owner for a subscription in Azure portal

To add someone as an administrator for an Azure subscription, assign them the Owner role (an RBAC role) at the subscription scope. The Owner role can manage the resources in the subscription that you assigned and has no access to other subscriptions.

  1. Visit Subscriptions in Azure portal.
  2. Select the subscription that you want to give access to.
  3. Select Access control (IAM) in the list.
  4. Select Add role assignment. (If the Add role assignment button is missing, you do not have permission to add permissions.)
  5. In the Role box, select Owner.
  6. In the Assign access to box, select Azure AD user, group, or service principal.
  7. In the Select box, type the email address of the user you want to add as Owner. Select the user, and then select Save.

    Screenshot that shows the Owner role selected

This gives the user full access to all resources, including the right to delegate access to others. To give access at a different scope, like a resource group, visit the Access control (IAM) blade for that scope.
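Because an Owner at subscription scope can delegate access to others, it is worth reviewing who holds that role. The following is an added example, not part of the original article: it audits role assignments in the JSON shape printed by `az role assignment list --all -o json`. The sample data (subscription ID, principals, resource group) is constructed, and treating `#EXT#` in the principal name as a guest marker is a heuristic assumed here.

```python
import json
import re

# Constructed sample; field names follow `az role assignment list` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads("""
[
 {"principalName": "abby@contoso.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "%(s)s"},
 {"principalName": "john_notcontoso.com#EXT#@contoso.onmicrosoft.com",
  "principalType": "User", "roleDefinitionName": "Owner", "scope": "%(s)s"},
 {"principalName": "bob@contoso.com", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "%(s)s/resourceGroups/app-rg"},
 {"principalName": "ops-team", "principalType": "Group",
  "roleDefinitionName": "Contributor", "scope": "%(s)s"}
]
""" % {"s": SUB})

# A scope that is exactly one subscription, with nothing below it.
SUB_SCOPE = re.compile(r"/subscriptions/[0-9a-fA-F-]{36}/?")


def audit_owners(assignments):
    """Return Owner assignments, subscription-wide ones first."""
    findings = []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        name = a.get("principalName", "")
        scope = a.get("scope", "")
        findings.append({
            "principal": name,
            "scope": scope,
            # Subscription scope: full access plus the right to delegate.
            "subscription_scope": bool(SUB_SCOPE.fullmatch(scope)),
            # Assumption: guest UPNs carry the #EXT# marker.
            "guest": "#EXT#" in name,
        })
    findings.sort(key=lambda f: (not f["subscription_scope"], f["principal"]))
    return findings


if __name__ == "__main__":
    for f in audit_owners(SAMPLE):
        flags = [k for k in ("subscription_scope", "guest") if f[k]]
        print(f["principal"], f["scope"], ",".join(flags) or "narrower scope")
```

Owners that appear with a resource group scope are candidates to leave as they are; subscription-wide Owners, and guests among them in particular, are the entries to review first.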

Add or change Co-administrator

Only an Owner can be added as a Co-administrator. Other users with roles such as Contributor and Reader cannot be added as Co-administrators.


You only need to add the Owner as a Co-administrator if the user needs to manage Azure classic deployments. We recommend using RBAC for all other purposes.

  1. If you haven't already, add someone as an Owner following the instructions above.
  2. Right-click the Owner user you just added, and then select Add as co-administrator. If you do not see the Add as co-administrator option, refresh the page or try another Internet browser.


    To remove the Co-administrator permission, right-click the Co-administrator user and then select Remove co-administrator.


Adding a guest user as a Co-administrator

Guest users that have been assigned the Co-administrator role might see some differences as compared to member users with the Co-administrator role. Consider the following scenario:

  • User A with an Azure AD Work or School account is a Service administrator for an Azure subscription.
  • User B has a Microsoft account.
  • User A assigns the Co-administrator role to user B.
  • User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.

You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot. If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the Directory Readers role to read other users and assign the Application Developer role to be able to create service principals. For more information about member and guest users and their permissions, see What are the default user permissions in Azure Active Directory?.

Note that the built-in roles for Azure resources are different from the Azure AD administrator roles. The built-in roles don't grant any access to Azure AD. For more information, see Understand the different roles.

Change the Service administrator for an Azure subscription

Only the Account administrator can change the Service administrator for a subscription. By default, when you sign up, the Service administrator is the same as the Account administrator. If the Service administrator is changed to a different user, then the Account administrator loses access to Azure portal. However, the Account administrator can always use Account Center to change the Service administrator back to themselves.

  1. Make sure your scenario is supported by checking the limits for changing Service administrators.
  2. Sign in to Account Center as the Account administrator.
  3. Select a subscription.
  4. On the right side, select Edit subscription details.

    Screenshot that shows the Edit subscription button in Account Center

  5. In the SERVICE ADMINISTRATOR box, enter the email address of the new Service administrator.


Limitations for changing Service administrators

  • Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, go to Subscriptions, then select a subscription to see the directory.
  • If you are signed in with a Work or School account, you can add other accounts in your organization as Service administrator. For example, abby@contoso.com can add bob@contoso.com as Service administrator, but can't add john@notcontoso.com unless john@notcontoso.com has a presence in the contoso.com directory. Users signed in with Work or School accounts can continue to add Microsoft Account users as Service administrator.

    Sign-in method | Add Microsoft Account user as a Service administrator? | Add Work or School account in the same organization as a Service administrator? | Add Work or School account in a different organization as a Service administrator?
    Microsoft Account | Yes | No | No
    Work or School Account | Yes | Yes | No

Change the Account administrator for an Azure subscription

The Account administrator is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account administrator of a subscription, see Transfer ownership of an Azure subscription to another account.

Not sure who the Account administrator is? Follow these steps:

  1. Visit Subscriptions in Azure portal.
  2. Select the subscription you want to check, and then look under Settings.
  3. Select Properties. The Account administrator of the subscription is displayed in the Account Admin box.

Learn more about resource access control and Active Directory

