Share via

Questions wrt mail with subject "Transition to role-based access control (RBAC) in Azure by 31 August 2024"

Hessel Wellema 201 Reputation points
2024-04-02T09:15:03.9233333+00:00

I received an email about classis administrator roles starting with:

On 31 August 2024, Azure classic administrator roles will be retired. If your organization has active Co-Administrator or Service Admin roles, you'll need to transition to using Azure RBAC roles by then. (All Azure classic resources and Azure Service Manager will also be retired on that date.)

I only have one user in the portal that I use to login and create and manage resourcesm download my bills etcetera.

I am confused about its status and what I need to do. I dont want my acces blocked because my customer rely on the services I build for them

In subscription, Overview it states my role is Owner
In subscription, IAM, View my access. It states I only have a Classic Administrator Role: Service Administrator

The document https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#prepare-for-co-administrators-retirement states that te Service Administrator role will be removed and I need to assign the Owner Role.

My question: how do I know for certrain that I have the owner role assigned to my account?

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
689 questions
0 comments
Accepted answer
  1. TP 79,246 Reputation points
    2024-04-02T09:53:29.5533333+00:00

    Hi,

    In your Subscription -- Access control (IAM) blade, please click add role assignment -- click Privileged administrator roles tab, select Owner role, Next, select your account, Next, select Allow user to assign all roles (highly privileged), Next, Review + assign.

    After making above assignment, double-check using View my access button to make sure it shows Owner role. I would leave Service Administrator in place and allow Azure to remove automatically later.

    Another thing to consider is creating a separate break glass/emergency account that has been assigned Owner role to the subscription, Global Admin in Entra ID, plus in Cost Management and Billing -- Access control (IAM) assign it Owner to the billing account(s).

    Preferable to have this account not subject to any kind of MFA, super-long password, excluded from any Conditional Access, and keep username/password for it in a safe or similar location.

    The idea is if lose access via your main account (e.g. something happens to your phone and you can't respond to MFA using Authenticator) you have a way to restore access.

    Article below provides more details on break glass/emergency access account I described above:

    Manage emergency access accounts in Microsoft Entra ID

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

    Please click Accept Answer and upvote if the above was helpful. If something is unclear let me know in a comment.

    Thanks.

    -TP

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest