Assigning administrator roles
Updated: February 27, 2014
Note
This topic provides online help content for cloud services, such as Windows Intune and Office 365, which rely on Windows Azure Active Directory for identity and directory services.
Depending on the size of your organization, you may want to designate several administrators who serve different functions and perform various tenant-related administrator tasks, such as creating and editing users, managing billing operations, and resetting passwords. For more information about other tenant administrator tasks, see What are tenant administrator responsibilities?.
Warning
When you assign an admin role using any of the portals (or cmdlets), the change is tenant-wide: assigning an admin role in one portal grants the user the same permissions across all of the services that your organization has subscribed to. For more information about how your tenant works, see Administering your Windows Azure AD tenant.
The following admin roles can be assigned:
Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Note
If you did not purchase a Microsoft cloud service, you will not be able to make billing changes and therefore will not have the billing administrator role available to you. For billing issues, contact the administrator at the organization where you purchased your subscription.
Global administrator: Has access to all administrative features. By default, the person who signs up to purchase a Microsoft cloud service on behalf of your organization automatically becomes the first global administrator in your tenant. Only global administrators can assign other administrator roles. There can be more than one global administrator at your organization.
Tip
Using Windows Intune? Once this group is synchronized into Windows Intune, it will appear as a Security Group criteria for Groups; however, it will be called Company Administrators and not "Global Administrators".
Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.
Service administrator: Manages service requests and monitors service health.
Note
To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Windows Intune, and then assign the service administrator role to that user.
User management administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, he or she cannot delete a global administrator or create other administrators. Also, he or she cannot reset passwords for billing, global, and service administrators.
What do you want to do?
View admin permissions by role
Assign an admin role for an existing user
Assign or remove admin permissions for multiple users
View admin permissions by role
The following table shows the administrator roles and their associated permissions.
Permission | Billing administrator | Global administrator | Password administrator | Service administrator | User management administrator |
---|---|---|---|---|---|
View organization and user information | Yes | Yes | Yes | Yes | Yes |
Manage support tickets | Yes | Yes | Yes | Yes | Yes |
Reset user passwords | No | Yes | Yes | No | Yes; with limitations. He or she cannot reset passwords for billing, global, and service administrators. |
Perform billing and purchasing operations | Yes | Yes | No | No | No |
Create and manage user views | No | Yes | No | No | Yes |
Create, edit, and delete users and groups, and manage user licenses | No | Yes | No | No | Yes; with limitations. He or she cannot delete a global administrator or create other administrators. |
Manage domains | No | Yes | No | No | No |
Manage organization information | No | Yes | No | No | No |
Delegate administrative roles to others | No | Yes | No | No | No |
Use directory synchronization | No | Yes | No | No | No |
Tip
Using Office 365? For information about administrator roles and permissions specific to Microsoft Office 365, see the wiki article Permissions in Office 365 FAQ or Understanding Role Based Access Control.
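As an added example (not part of the original topic and not Microsoft tooling), the following Python encodes the permission table above and the stated password-reset limits, then finds the least-privileged role for a set of tasks and flags assignments that a smaller role would cover. The short permission keys, function names, and sample accounts are assumptions made for this example.

```python
# Permission matrix transcribed from the table on this page.
# The short permission keys are labels invented for this example.
BASE = {"view_info", "support_tickets"}
ROLE_PERMS = {
    "Billing administrator": BASE | {"billing"},
    "Password administrator": BASE | {"reset_passwords"},
    "Service administrator": set(BASE),
    "User management administrator": BASE | {"reset_passwords", "user_views", "manage_users"},
    "Global administrator": BASE | {
        "reset_passwords", "billing", "user_views", "manage_users",
        "manage_domains", "manage_org_info", "delegate_roles", "dirsync"},
}

def least_privileged_roles(required):
    """Return the role(s) that cover `required` with the fewest permissions."""
    fits = [r for r, perms in ROLE_PERMS.items() if set(required) <= perms]
    smallest = min((len(ROLE_PERMS[r]) for r in fits), default=0)
    return sorted(r for r in fits if len(ROLE_PERMS[r]) == smallest)

def can_reset_password(actor_role, target_role=None):
    """Apply the reset limits the page states; target_role None = ordinary user."""
    if "reset_passwords" not in ROLE_PERMS.get(actor_role, set()):
        return False
    if actor_role == "Global administrator":
        return True
    if actor_role == "Password administrator":
        return target_role in (None, "Password administrator")
    # User management administrator: blocked only for the three roles the page names.
    return target_role not in ("Billing administrator", "Global administrator", "Service administrator")

def over_privileged(assignments):
    """Map each user to smaller roles that would still cover the tasks they need."""
    findings = {}
    for user, (role, tasks) in assignments.items():
        best = least_privileged_roles(tasks)
        if best and len(ROLE_PERMS[best[0]]) < len(ROLE_PERMS[role]):
            findings[user] = best
    return findings

# Constructed sample assignments (not real accounts).
SAMPLE = {
    "alice@example.com": ("Global administrator", {"reset_passwords"}),
    "bob@example.com": ("Global administrator", {"manage_domains", "dirsync"}),
    "carol@example.com": ("Password administrator", {"reset_passwords"}),
}

if __name__ == "__main__":
    print(over_privileged(SAMPLE))
```

Because role assignments are tenant-wide, each finding is a candidate for reassignment to the smaller role listed.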
Assign an admin role for an existing user
Use the following steps to assign or remove administrator permissions for an existing user.
Note
Administrators who forget their passwords can use the password self-reset process to regain access to their accounts. To use this feature, both a mobile phone number that can receive a text message and an alternate email address that is not tied to the cloud service subscription must be included with an administrator’s information.
To assign or remove an admin role using the Windows Azure Management Portal
In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.
On the Users page, click the display name of the user you want to edit.
Select the Organizational Role drop-down menu, and then select User to remove an existing admin role or Global Administrator to assign an admin role. If you select Global Administrator, provide additional information as explained in the next two steps.
Note
For the Spring 2013 release of Windows Azure, you can only select the Global Administrator admin role. This will be updated to support additional admin roles in the future.
In the Alternate email address box, type an email address. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access the cloud service.
When you have finished, click Save.
The following steps can be completed using either the Office 365 account portal, the Windows Intune account portal or the Windows Azure AD portal, depending on which services your organization has subscribed to. In this way, portals act as front-end interfaces that pull in directory data associated with your organization's Windows Azure AD tenant. For more information about using portals to manage your tenant, see Administering your Windows Azure AD tenant.
To assign or remove an admin role using a different portal
Depending on which portal you are using, in the left pane, click either Users or Users and Groups.
Depending on which portal you are using, select the check box next to the name of the user whose administrator role you want to change, and then click either Edit or the icon.
Click Settings, under Assign role, select No to remove administrator permissions or Yes to grant administrator permissions. If you select Yes, select the appropriate role from the list, and then provide additional information on the Settings tab and on the Details tab as explained in the next two steps.
In the Alternate email address box, type an email address that is not connected to the cloud service. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access the cloud service.
Click the Details tab. Click the arrow next to Additional details, and in the Mobile phone box, type the number of a mobile phone—including the country code—that can receive a text (SMS) message, if the user has one. This phone number is also used in the password self-reset process.
When you have finished, click Save.
Note
For partner companies that are certified to provide delegated administration, additional features are available. In addition to setting administrative access for your own organization, you can also set administrative access for companies you support. There are two types of administrative access that can be assigned to your support agents:
- Full administration: this role has privileges equivalent to those for the global administrator role.
- Limited administration: this role has privileges equivalent to those for the password administrator role.
Assign or remove admin permissions for multiple users
Use the following steps to assign or remove permissions for multiple existing users.
Note
You cannot assign administrator permissions during the process of adding multiple users using bulk import.
Depending on which portal you are using, in the left pane, click either Users or Users and Groups.
Depending on which portal you are using, select the check box next to the names of the users that you want to assign administrator permissions to or remove administrator permissions from, and then click either Edit or the icon.
On the Details page, click Next.
On the Settings page, under Assign role, select No to remove permissions or Yes to grant permissions. If you select Yes, select the appropriate role from the list. When you have finished, click Next.
On the Assign licenses page, click Submit.
On the Results page, review your results. When you have completed your review, click Finish.