Assigning administrator roles in Azure AD
Updated: August 31, 2015
Applies To: Azure
Important
Please bear with us as we migrate this and other content to the Microsoft Azure website. This topic is no longer being updated and might become out of date. Please bookmark the updated Azure article on this subject, Assigning administrator roles in Azure AD.
When you assign an admin role using any of the portals (or cmdlets), the change is tenant-wide: assigning an admin role in one portal grants the user the same permissions across all of the services that your organization has subscribed to. For more information about how your tenant works, see Administering your Azure AD tenant.
Depending on the size of your company, you may want to designate several administrators who serve different functions. These administrators will have access to various features in the Azure Management Portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things.
The following administrator roles are available:
Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
Note
The billing administrator role does not allow the designated user to manage Azure subscriptions or billing. Only the account administrator for the Azure subscription can do this. For more information, see What are the different Azure administrative roles, and what can each one do?.
Global administrator: Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.
Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.
Service administrator: Manages service requests and monitors service health.
Note
To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in the Azure Management Portal.
User administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.
What are you interested in?
Administrator permissions by role
Details about the global administrator role
Assign or remove administrator roles for an existing user
Assign or remove administrator roles for multiple users
Administrator permissions by role
The following table shows the administrator roles and their associated permissions.
| Permission | Billing administrator | Global administrator | Password administrator | Service administrator | User administrator |
| --- | --- | --- | --- | --- | --- |
| View company and user information | Yes | Yes | Yes | Yes | Yes |
| Manage Office support tickets | Yes | Yes | Yes | Yes | Yes |
| Reset user passwords | No | Yes | Yes | No | Yes; with limitations. He or she cannot reset passwords for billing, global, and service administrators. |
| Perform billing and purchasing operations for Office products | Yes | Yes | No | No | No |
| Create and manage user views | No | Yes | No | No | Yes |
| Create, edit, and delete users and groups, and manage user licenses | No | Yes | No | No | Yes; with limitations. He or she cannot delete a global administrator or create other administrators. |
| Manage domains | No | Yes | No | No | No |
| Manage company information | No | Yes | No | No | No |
| Delegate administrative roles to others | No | Yes | No | No | No |
| Use directory synchronization | No | Yes | No | No | No |
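The following Python sketch is an added example, not Microsoft code. It encodes the table above, together with the password-reset limits stated for the password and user administrator roles, to pick the narrowest role for a set of tasks and to flag assignments that could be reduced. The short permission keys, function names, and sample assignments are constructed for illustration.

```python
# Added example: permission matrix transcribed from the table above.
PERMS = ["view_info", "support_tickets", "reset_passwords", "billing",
         "user_views", "manage_users", "domains", "company_info",
         "delegate_roles", "dirsync"]  # short keys are this example's own names

ROLES = {
    "Service administrator":  {"view_info", "support_tickets"},
    "Password administrator": {"view_info", "support_tickets", "reset_passwords"},
    "Billing administrator":  {"view_info", "support_tickets", "billing"},
    "User administrator":     {"view_info", "support_tickets", "reset_passwords",
                               "user_views", "manage_users"},
    "Global administrator":   set(PERMS),
}

def least_privileged_role(needed):
    """Return the role with the fewest permissions that covers `needed`."""
    fits = [r for r, granted in ROLES.items() if set(needed) <= granted]
    return min(fits, key=lambda r: len(ROLES[r])) if fits else None

def can_reset_password(actor_role, target_role):
    """Apply the reset limits stated for password and user administrators."""
    if actor_role == "Global administrator":
        return True
    if actor_role == "Password administrator":
        # "User" is the Organizational Role value for a non-administrator.
        return target_role in ("User", "Password administrator")
    if actor_role == "User administrator":
        return target_role not in ("Billing administrator",
                                   "Global administrator",
                                   "Service administrator")
    return False

def review(assignments):
    """Return (user, current, suggested) where a narrower role would suffice."""
    findings = []
    for user, role, used in assignments:
        suggestion = least_privileged_role(used)
        if suggestion and len(ROLES[suggestion]) < len(ROLES[role]):
            findings.append((user, role, suggestion))
    return findings

# Constructed sample data, not from a real tenant.
SAMPLE = [
    ("alice", "Global administrator", {"reset_passwords", "support_tickets"}),
    ("bob", "Global administrator", {"domains", "delegate_roles"}),
    ("carol", "User administrator", {"manage_users"}),
    ("dave", "Global administrator", {"billing"}),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("%s: %s -> %s" % finding)
```
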
Details about the global administrator role
The global administrator has access to all administrative features. By default, the person who signs up for an Azure account on behalf of your organization automatically becomes the first global administrator in your tenant. Only global administrators can assign other administrator roles. There can be more than one global administrator at your organization. A global administrator has the following permissions in the directory:
View organization and user information
Manage Office support tickets
Reset user passwords
Perform billing and purchasing operations for Office products
Create and manage user views
Create, edit, and delete users and groups, and manage user licenses
Manage domains
Manage organization information
Delegate administrative roles to others
Use directory synchronization
Assign or remove administrator roles for an existing user
Use the following steps to assign or remove administrator roles for an existing user.
Note
Administrators who forget their passwords can use the password self-reset process to regain access to their accounts. To use this feature, both a mobile phone number that can receive a text message and an alternate email address that is not tied to your Azure subscription must be included with an administrator’s information.
To assign or remove an administrator role using the Azure Management Portal
1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.
2. On the Users page, click the display name of the user you want to edit.
3. Select the Organizational Role drop-down menu, and then select the administrator role that you want to assign to this user, or select User if you want to remove an existing administrator role.
4. In the Alternate Email Address box, type an email address. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access Azure.
5. Select Allow or Block to specify whether to allow the user to sign in and access services.
6. Specify a location from the Usage Location drop-down list.
7. When you have finished, click Save.
See Also
Reference
What are tenant administrator responsibilities?