Azure classic subscription administrators
Important
Classic resources and classic administrators will be retired on August 31, 2024. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For more information, see Azure Resource Manager vs. classic deployment.
This article describes how to add or change the Co-Administrator and Service Administrator roles, and how to view the Account Administrator.
Add a Co-Administrator
Tip
You only need to add a Co-Administrator if the user needs to manage Azure classic deployments by using Azure Service Management PowerShell Module. If the user only uses the Azure portal to manage the classic resources, you won’t need to add the classic administrator for the user.
Sign in to the Azure portal as the Service Administrator or a Co-Administrator.
Open Subscriptions and select a subscription.
Co-Administrators can only be assigned at the subscription scope.
Click Access control (IAM).
Click the Classic administrators tab.
Click Add > Add co-administrator to open the Add co-administrators pane.
If the Add co-administrator option is disabled, you do not have permissions.
Select the user that you want to add and click Add.
Add a guest user as a Co-Administrator
To add a guest user as a Co-Administrator, follow the same steps as in the previous Add a Co-Administrator section. The guest user must meet the following criteria:
- The guest user must have a presence in your directory. This means that the user was invited to your directory and accepted the invite.
For more information, about how to add a guest user to your directory, see Add Azure Active Directory B2B collaboration users in the Azure portal.
Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see Remove a guest user from your directory.
Differences for guest users
Guest users that have been assigned the Co-Administrator role might see some differences as compared to member users with the Co-Administrator role. Consider the following scenario:
- User A with an Azure AD account (work or school account) is the Service Administrator for an Azure subscription.
- User B has a Microsoft account.
- User A assigns the Co-Administrator role to user B.
- User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.
You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot.
If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD roles the guest user needs. For example, in the previous scenario, you could assign the Directory Readers role to read other users and assign the Application Developer role to be able to create service principals. For more information about member and guest users and their permissions, see What are the default user permissions in Azure Active Directory?. For more information about granting access for guest users, see Assign Azure roles to external guest users using the Azure portal.
Note that the Azure built-in roles are different than the Azure AD roles. The built-in roles don't grant any access to Azure AD. For more information, see Understand the different roles.
For information that compares member users and guest users, see What are the default user permissions in Azure Active Directory?.
Remove a Co-Administrator
Sign in to the Azure portal as the Service Administrator or a Co-Administrator.
Open Subscriptions and select a subscription.
Click Access control (IAM).
Click the Classic administrators tab.
Add a check mark next to the Co-Administrator you want to remove.
Click Remove.
In the message box that appears, click Yes.
Change the Service Administrator
Only the Account Administrator can change the Service Administrator for a subscription. By default, when you sign up for an Azure subscription, the Service Administrator is the same as the Account Administrator.
The user with the Account Administrator role can access the Azure portal and manage billing, but they can't cancel subscriptions. The user with the Service Administrator role has full access to the Azure portal and they can cancel subscriptions. The Account Administrator can make themself the Service Administrator.
Follow these steps to change the Service Administrator in the Azure portal.
Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
Sign in to the Azure portal as the Account Administrator.
Open Cost Management + Billing and select a subscription.
In the left navigation, click Properties.
Click Change service admin.
In the Edit service admin page, enter the email address for the new Service Administrator.
Click OK to save the change.
Limitations for changing the Service Administrator
There can only be one Service Administrator per Azure subscription. Changing the Service Administrator will behave differently depending on whether the Account Administrator is a Microsoft account or whether it is an Azure AD account (work or school account).
| Account Administrator account | Can change the Service Administrator to a different Microsoft account? | Can change the Service Administrator to an Azure AD account in the same directory? | Can change the Service Administrator to an Azure AD account in a different directory? |
|---|---|---|---|
| Microsoft account | Yes | No | No |
| Azure AD account | Yes | Yes | No |
If the Account Administrator is an Azure AD account, you can change the Service Administrator to an Azure AD account in the same directory, but not in a different directory. For example, abby@contoso.com can change the Service Administrator to bob@contoso.com, but cannot change the Service Administrator to john@notcontoso.com unless john@notcontoso.com has a presence in the contoso.com directory.
For more information about Microsoft accounts and Azure AD accounts, see What is Azure Active Directory?.
Remove the Service Administrator
You might want to remove the Service Administrator, for example, if they are no longer with the company. If you do remove the Service Administrator, you must have a user who is assigned the Owner role at subscription scope to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.
Sign in to the Azure portal as a subscription Owner or a Co-Administrator.
Open Subscriptions and select a subscription.
Click Access control (IAM).
Click the Classic administrators tab.
Add a check mark next to the Service Administrator.
Click Remove.
In the message box that appears, click Yes.
View the Account Administrator
The Account Administrator is the user that initially signed up for the Azure subscription, and is responsible as the billing owner of the subscription. To change the Account Administrator of a subscription, see Transfer ownership of an Azure subscription to another account.
Follow these steps to view the Account Administrator.
Sign in to the Azure portal.
Open Cost Management + Billing and select a subscription.
In the left navigation, click Properties.
The Account Administrator of the subscription is displayed in the Account Admin box.
Next steps
Feedback
Submit and view feedback for