How To Assign Administrator Permissions in Microsoft Azure

In this blog post, I will show you how to assign administrative permissions in Microsoft Azure the right way, without giving too much access to your tenant.

Before we go over the steps of actually giving permissions to another administrator, there are a few things you need to understand about Azure permissions.

By default, the person who creates the Microsoft Azure account (in Azure terminology, the tenant) is considered the superuser, also known as the Account Administrator.

Classic Administrators

The Azure Account Administrator is the most powerful user in Azure and therefore you can only have one per tenant.

The 2nd and 3rd most powerful users in Azure are the Service Administrator and the Co-Administrator account.

The following three accounts are also called Classic administrators:

  • Account Administrator
  • Service Administrator
  • Co-Administrator

It is strongly recommended, and considered best practice, not to use the above accounts or assign them to users. The proper way to assign permissions in Azure is Role-Based Access Control (RBAC).

RBAC

Assigning permissions through RBAC is the recommended approach because RBAC permissions are based on the user's role.

For example, users that need to manage virtual machines should get the RBAC role of VMs Administrators.

Azure offers around 80 built-in RBAC roles, and we have the ability to create custom roles if needed.

Add a Classic Administrator

To add a classic Administrator to Azure, follow the steps below.

From the portal, click on Subscriptions

Click on Access control (IAM)

From the Access control (IAM) page, click on Add and click on Add co-administrator and follow the steps to assign a Co-Administrator.

Add an Administrator using RBAC

To add a Global Administrator to Azure using RBAC, who will have full administrative permissions at the subscription level, follow the steps below:

From the portal, click on Subscriptions

Click on Access control (IAM)

From the top menu of the IAM page, click on Add.

Select Add role assignment.

From the Role assignment, select Owner and leave the default selection in the Assign access to drop-down box.

Select the user you would like to make Administrator.

At this stage, the selected user will become an Owner of the subscription and receive full access to all resources in Azure with the ability to delegate control and access to other users within the subscription only.

Check Current Account and Service Administrators

To check which email address is associated with the Account and Service Administrators in Azure, follow the steps below.

From the Azure subscription page, scroll down to the Properties blade and click on it.

On the page, you will see the email address of the user.
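To review both the Owner assignment and the classic administrators described above without clicking through the portal, the following added example (not part of the original post) audits the JSON produced by `az role assignment list --all --include-classic-administrators -o json`. The sample records are constructed, and the field names and the semicolon-joined classic role names are assumptions about that output.

```python
import json

# Classic roles, assumed to be reported as e.g. "ServiceAdministrator;AccountAdministrator".
CLASSIC_ROLES = {"AccountAdministrator", "ServiceAdministrator", "CoAdministrator"}

def scope_level(scope):
    """Classify an ARM scope string by how much of the tenant it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and "managementgroups" in parts:
        return "management-group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    return "narrower"  # resource group or single resource

def audit_assignments(assignments):
    """Flag classic administrators and Owner grants at subscription scope or above."""
    findings = []
    for a in assignments:
        roles = set(a.get("roleDefinitionName", "").split(";"))
        who = a.get("principalName") or a.get("principalId", "unknown")
        level = scope_level(a.get("scope", ""))
        classic = roles & CLASSIC_ROLES
        if classic:
            findings.append(("classic-admin", who, ";".join(sorted(classic)), level))
        elif "Owner" in roles and level != "narrower":
            findings.append(("broad-owner", who, "Owner", level))
    return findings

# Constructed sample in the assumed shape of the CLI's JSON output (not real data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_JSON = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "carol@example.com",
     "roleDefinitionName": "ServiceAdministrator;AccountAdministrator", "scope": SUB},
    {"principalName": "dave@example.com", "roleDefinitionName": "CoAdministrator", "scope": SUB},
    {"principalName": "erin@example.com", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-app"},
])

def run_sample():
    return audit_assignments(json.loads(SAMPLE_JSON))

if __name__ == "__main__":
    for kind, who, role, level in run_sample():
        print(f"{kind:14} {who:20} {role:40} {level}")
```

Owner grants scoped to a resource group are left out of the findings on purpose, since narrowing the scope is how RBAC avoids handing out the whole subscription.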

