I’ve worked with many Azure customers. One of the first steps to helping a new customer with Azure is getting them to add me as a Co-Admin to their Azure subscription. While this isn’t difficult, searching for it on Google leads to a list of outdated or just wrong steps.
The Azure portal continues to change and get better as I write, so this too may be out of date at some point, but since it’s a common use case, I’ll try and keep this post updated with the latest.
Account Administrator, Service Administrator, and Co-administrator are the three kinds of administrator roles in Microsoft Azure. The following table describes the difference between these three administrative roles.
| Administrative role | Limit | Description |
|---|---|---|
| Account Administrator (AA) | 1 per Azure account | This is the person who signed up for or bought Azure subscriptions, and is authorized to access the Account Center and perform various management tasks. These include being able to create subscriptions, cancel subscriptions, change the billing for a subscription, and change the Service Administrator. |
| Service Administrator (SA) | 1 per Azure subscription | This role is authorized to manage services in the Azure portal. By default, for a new subscription, the Account Administrator is also the Service Administrator. |
| Co-administrator (CA) in the Azure classic portal | 200 per subscription | This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories. |
First, you need your own Azure subscription. You can sign up and create one here: https://azure.microsoft.com/en-us/free/ Once created, or if you already have a subscription, go to the next step.
Azure currently has 2 management portals:
New portal – http://portal.azure.com
Classic portal – http://manage.windowsazure.com
Using the New Portal:
Find the “Subscriptions” Key icon in the list:
Choose the subscription and the Access control (IAM)
Next select “Subscription admins”
Now select the “Manage” link at the top; this will launch the classic portal:
Using the Classic Portal:
To add a Subscription Co-Admin using the classic portal:
Navigate to the Classic Portal, then click on Subscriptions at the top of the screen:
Click “Manage Administrators”
Next, click Add on the toolbar at the bottom.
Finally, add the user’s Microsoft account or corporate identity:
This user is now a Co-Admin of your Azure Subscription. Removing a user is just as easily done.
Co-Admins have full permission to modify, delete and create resources in your subscription. They cannot see your billing information or charges.
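Because every Co-Admin has full control over the subscription's resources, the list is worth reviewing on a schedule. The following is an added example, not part of the original post: it audits an exported administrator list for the one-Service-Administrator rule, for Co-Admins missing from an approved list, and for Co-Admins outside your organization's domain. It assumes the export follows the shape of the classicAdministrators REST list response (`properties.emailAddress`, `properties.role`); all addresses, the approved list and the domain are constructed.

```python
import json

# Constructed sample. Assumed shape: the "value" array of the
# classicAdministrators list response (properties.emailAddress, properties.role).
SAMPLE = json.loads("""
[
  {"properties": {"emailAddress": "owner@contoso.example",
                  "role": "ServiceAdministrator;AccountAdministrator"}},
  {"properties": {"emailAddress": "dev1@contoso.example", "role": "CoAdministrator"}},
  {"properties": {"emailAddress": "consultant@partner.example", "role": "CoAdministrator"}},
  {"properties": {"emailAddress": "Old.Contractor@outlook.example", "role": "CoAdministrator"}}
]
""")


def audit_classic_admins(entries, approved_co_admins, org_domain):
    """Return a sorted list of findings for one subscription's classic admins."""
    approved = {a.lower() for a in approved_co_admins}
    suffix = "@" + org_domain.lower()
    service_admins, co_admins, findings = [], [], []
    for entry in entries:
        props = entry.get("properties", {})
        email = props.get("emailAddress", "").strip().lower()
        # One account can hold several roles, separated by ';'.
        roles = {r.strip() for r in props.get("role", "").split(";") if r.strip()}
        if "ServiceAdministrator" in roles:
            service_admins.append(email)
        if "CoAdministrator" in roles:
            co_admins.append(email)
    # The table above allows exactly one Service Administrator per subscription.
    if len(service_admins) != 1:
        findings.append(
            f"expected exactly 1 Service Administrator, found {len(service_admins)}")
    for email in co_admins:
        if email not in approved:
            findings.append(f"unapproved Co-Administrator: {email}")
        if not email.endswith(suffix):
            findings.append(f"Co-Administrator outside {org_domain}: {email}")
    return sorted(findings)


if __name__ == "__main__":
    approved = ["dev1@contoso.example", "consultant@partner.example"]
    for finding in audit_classic_admins(SAMPLE, approved, "contoso.example"):
        print(finding)
```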
Some things to keep in mind:
Users can log in to the Microsoft Azure classic portal using two methods: individuals can log in using a Microsoft Account, and organizational employees can log in using an organizational account. This article describes changes to the Service Administrator and Co-Administrator functionality if you log in with either method.
As a review, here’s a brief description of Service Administrator and Co-Administrator functionality:
- The Service Administrator is a property of each Azure subscription, and it represents a person who can log in to the Developer Portal and develop against a subscription (e.g. deploy to it or create new resources). Typically, an Account Administrator purchases an Azure subscription and makes his or her developer the Service Administrator, and the developer can then log in to the Developer Portal. A Service Administrator cannot see the subscription’s billing details in the Billing Portal. The Service Administrator can only be changed in the Billing Portal.
- A Co-Administrator is very similar to the Service Administrator, with a small difference: they are added from within the Developer Portal, and there can be multiple Co-Administrators for a subscription but only one Service Administrator. Similar to the Service Administrator, a Co-Administrator cannot see billing details.
Here are the changes to Service Administrator and Co-Administrator functionality, with the introduction of the ability to log in to Azure with an organizational account:
||ADD MICROSOFT ACCOUNT AS CO-ADMINISTRATOR OR SERVICE ADMINISTRATOR?
||ADD ORGANIZATIONAL ACCOUNT IN THE SAME ORGANIZATION AS CO-ADMINISTRATOR OR SERVICE ADMINISTRATOR?
||ADD ORGANIZATIONAL ACCOUNT IN DIFFERENT ORGANIZATION AS CO-ADMINISTRATOR OR SERVICE ADMINISTRATOR?
- If you are logged in with a Microsoft Account, you can only add other Microsoft Accounts as Service Administrator or Co-Administrator. This is a security consideration to prevent non-organizational accounts from discovering if certain accounts (e.g. email@example.com) are valid accounts.
- If you are logged in with an organizational account, you can add other organizational accounts in your organization as Service Administrator or Co-Administrator. For example, firstname.lastname@example.org can add email@example.com as Service Administrator or Co-Administrator, but cannot add firstname.lastname@example.org. Users logged in with organizational accounts can continue to add Microsoft Account users as Service Administrator or Co-Administrator.
Keep a tab on access settings of your Azure subscriptions
Audit Logs for Azure Events