How to Change Account Admin in Azure Subscription for Better Management


As you navigate the world of Azure subscriptions, you'll eventually need to change the account admin to ensure better management and control. This is a crucial step in maintaining the security and integrity of your subscription.

To change the account admin, you'll need to identify the current admin and their role within the subscription. This is typically done by accessing the Azure portal and navigating to the "Subscriptions" section.

The current admin's role is usually set to "Owner" by default, which grants them full control over the subscription. However, you can change this role to "Contributor" or "Reader" to limit their access.

To make changes, you'll need to select the current admin's account and click on the "Role" dropdown menu. From there, you can select the new role and save your changes.

Prerequisites

To change the account admin in an Azure subscription, you'll need to meet some basic prerequisites.

You must have Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator.

To get started, sign in to the Azure portal.

You'll then need to search for subscriptions in the Search box at the top.

  Click the subscription you want to use.

Assigning Admin Role

Assigning an admin role in Azure is a straightforward process. You'll need to assign the Owner role to the user you want to make an administrator of the subscription.

To make a user an administrator, you'll need to assign them the Owner role at the subscription scope. This can be done by an existing billing administrator. The Owner role gives the user full access to all resources in the subscription.

To find out who the account billing administrator is for a subscription, follow these steps:

  1. Open the Subscriptions page in the Azure portal.
  2. Select the subscription you want to check, and then look under Settings.
  3. Select Properties. The account billing administrator of the subscription is displayed in the Account Admin box.

You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.

To assign the Owner role, follow these steps:

  1. On the Review + assign tab, review the role assignment settings.
  2. Click Review + assign to assign the role.

After a few moments, the user is assigned the Owner role for the subscription.

It's worth noting that the new Roles and Administrators experience in the Azure AD blade includes improvements in both the UI and documentation. This makes it easier to assign roles and view permissions.

To assign a role to a user, follow these steps:

  1. On the Members tab, select User, group, or service principal.
  2. Click Select members.
  3. Find and select the user. You can type in the Select box to search the directory for display name or email address.
  4. Click Save to add the user to the Members list.
  5. In the Description box enter an optional description for this role assignment.
  6. Click Next.

Remember to review the role assignment settings and click Review + assign to assign the role.
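The portal steps above end in a single Azure Resource Manager call: a PUT of a Microsoft.Authorization/roleAssignments resource at the subscription scope, which is exactly the action that the Microsoft.Authorization/roleAssignments/write permission from the Prerequisites section authorizes. The Python below is an added example, not code from the original article or from Microsoft, that composes that request so you can see what "Review + assign" actually sends; the subscription and object IDs in it are constructed placeholders and the helper names are assumptions. The role definition GUIDs are the well-known built-in role IDs, which are identical in every Azure tenant.

```python
"""Compose the ARM request behind the portal's "Review + assign" step.

Added example, not the article's own code. The URL shape, api-version and
body follow the Microsoft.Authorization/roleAssignments PUT API; the IDs in
the usage section are constructed placeholders.
"""
import json
import re
import shlex
import uuid

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2022-04-01"

# Built-in role definition IDs; these GUIDs are the same in every Azure tenant.
BUILTIN_ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
}
PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_guid(value: str) -> bool:
    """True when value has the 8-4-4-4-12 hex layout Azure uses for IDs."""
    return bool(GUID_RE.match(value))


def role_definition_id(subscription_id: str, role_name: str) -> str:
    """Fully qualified ID of a built-in role, in the form the assignment body expects."""
    if role_name not in BUILTIN_ROLES:
        raise ValueError(f"unknown built-in role: {role_name}")
    return (f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
            f"/roleDefinitions/{BUILTIN_ROLES[role_name]}")


def build_role_assignment(subscription_id, principal_object_id, role_name="Owner",
                          principal_type="User", assignment_name=None):
    """Return the method, URL and JSON body of the role-assignment PUT.

    The scope is the whole subscription, so the role is inherited by every
    resource group and resource beneath it. principalType is sent explicitly:
    the API accepts it, and it avoids failures for principals created moments
    ago that have not finished replicating.
    """
    if not is_guid(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    if not is_guid(principal_object_id):
        raise ValueError("principal_object_id must be the principal's object ID (a GUID), not a UPN")
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"principal_type must be one of {sorted(PRINCIPAL_TYPES)}")
    scope = f"/subscriptions/{subscription_id}"
    name = assignment_name or str(uuid.uuid4())  # every assignment needs its own GUID name
    url = (f"{ARM_ENDPOINT}{scope}/providers/Microsoft.Authorization"
           f"/roleAssignments/{name}?api-version={API_VERSION}")
    body = {
        "properties": {
            "roleDefinitionId": role_definition_id(subscription_id, role_name),
            "principalId": principal_object_id,
            "principalType": principal_type,
        }
    }
    return {"method": "PUT", "url": url, "body": body}


def as_az_rest_command(request: dict) -> str:
    """Render the request as an `az rest` call that reuses the CLI's signed-in token."""
    body = shlex.quote(json.dumps(request["body"]))
    return (f"az rest --method {request['method'].lower()} "
            f"--url {shlex.quote(request['url'])} --body {body}")


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your subscription and the user's object ID.
    req = build_role_assignment(
        "00000000-0000-0000-0000-000000000001",
        "11111111-1111-1111-1111-111111111111",
        role_name="Owner",
        principal_type="User",
    )
    print(as_az_rest_command(req))
```

Running the script prints an `az rest` command line rather than sending anything, so you can inspect the scope and role definition before you execute it with an account that holds roleAssignments/write. The object-ID check matters in practice: the API identifies principals by object ID, not by display name or email, which is why the portal's "Select members" search resolves the user for you first.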

Azure RBAC Model

The Azure RBAC model was introduced in 2015 as part of the rebranding to Microsoft Azure. This model replaced the Classic Administrators model and provided more granular access control over Azure resources.

Azure RBAC allows organizations to assign roles with specific permissions to users, groups, and applications within their environment. It also enabled the creation of custom roles with finely tuned permissions, an early form of what we now call least-privilege access.

Microsoft encourages users to migrate their access control configurations to Azure RBAC, away from the classic administrator model.

Classic Administrator Roles

The Classic Administrator Roles in Azure have been a significant challenge in Azure security. Despite their broad permissions, these roles often go unnoticed.

In the early days of Azure, around 2010, the Classic Administrators model was introduced, providing basic role-based access control capabilities. This model consisted of predefined roles, such as Service Administrator, Account Administrator, and Co-Administrator.

These roles granted varying levels of permissions within an Azure subscription, but users were limited to the predefined roles and couldn't create custom roles tailored to their specific needs. This lack of flexibility and granularity made the Classic Administrators model less than ideal.

According to observations, classic administrator roles are still assigned in 99% of all Azure subscriptions. This is a concerning oversight, as these roles have broad permissions that can be a security risk if not managed properly.

To make matters worse, users who have been assigned classic administrator roles may not even be aware of it. This lack of visibility can lead to security vulnerabilities and make it difficult to track who has access to sensitive resources.
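The two risks this section and the earlier owner-count guidance raise, classic roles that nobody remembers assigning and more than three Owners, are easy to check from an export of the subscription's assignments. The Python below is an added example, not code from the original article. It audits a constructed sample shaped like the JSON from `az role assignment list --all --include-classic-administrators -o json` (the field names principalName, principalType, roleDefinitionName and scope, and the classic role names, are assumptions about that output), counts Owners including those inherited from a management group or the root scope, and flags root-scope assignments, which is where a Global Administrator's elevated User Access Administrator grant lands.

```python
"""Audit a subscription's role assignments for the risks the article names.

Added example, not the article's own code. The records below are constructed
and shaped like `az role assignment list --all --include-classic-administrators
-o json` output; the field and classic role names are assumptions about that
output, so adjust them if your export differs.
"""
import json

MAX_OWNERS = 3  # the article's recommended ceiling for subscription Owners
CLASSIC_ROLES = {"AccountAdministrator", "ServiceAdministrator", "CoAdministrator"}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Constructed sample export. It contains an Owner on a management group, an Owner
# on a single resource group, a classic Co-Administrator and a root-scope grant.
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    {"principalName": "mg-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": f"{SUB_SCOPE}/resourceGroups/rg-app"},
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
    {"principalName": "erin@contoso.example", "principalType": "User",
     "roleDefinitionName": "CoAdministrator", "scope": SUB_SCOPE},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
])


def parse_assignments(raw_json: str) -> list:
    """Decode the exported JSON array of assignment records."""
    return json.loads(raw_json)


def scope_covers_subscription(scope: str, sub_scope: str) -> bool:
    """True if a role at `scope` is inherited by the subscription: the subscription
    itself, a management group above it, or the root scope '/'. Narrower scopes
    (resource groups, resources) do not count. Assumes every management group in
    the export is an ancestor of this subscription, which holds for a
    subscription-scoped export."""
    s = scope.lower()
    return s == "/" or s.startswith(MG_PREFIX) or s == sub_scope.lower()


def effective_owners(assignments: list, sub_scope: str) -> list:
    """Distinct principals that hold Owner on the subscription, directly or inherited."""
    return sorted({a["principalName"] for a in assignments
                   if a["roleDefinitionName"] == "Owner"
                   and scope_covers_subscription(a["scope"], sub_scope)})


def classic_admins(assignments: list) -> list:
    """(principal, role) pairs for classic administrator roles still in place."""
    return [(a["principalName"], a["roleDefinitionName"])
            for a in assignments if a["roleDefinitionName"] in CLASSIC_ROLES]


def root_scope_assignments(assignments: list) -> list:
    """(principal, role) pairs assigned at the root scope '/'."""
    return [(a["principalName"], a["roleDefinitionName"])
            for a in assignments if a["scope"] == "/"]


def audit(raw_json: str, subscription_id: str) -> dict:
    """Run all three checks and return the owner list plus human-readable findings."""
    assignments = parse_assignments(raw_json)
    sub_scope = f"/subscriptions/{subscription_id}"
    owners = effective_owners(assignments, sub_scope)
    findings = []
    if len(owners) > MAX_OWNERS:
        findings.append(f"{len(owners)} effective Owners on {sub_scope} "
                        f"(recommended maximum {MAX_OWNERS}): {', '.join(owners)}")
    for name, role in classic_admins(assignments):
        findings.append(f"classic {role} still assigned to {name}; migrate to an Azure RBAC role")
    for name, role in root_scope_assignments(assignments):
        findings.append(f"{role} at root scope '/' for {name}; "
                        "check for a stale Global Administrator elevation")
    return {"owners": owners, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_ASSIGNMENTS_JSON, SUBSCRIPTION_ID)["findings"]:
        print(line)
```

On the sample the subscription appears to have three Owners if you only look at the subscription blade, but the group holding Owner on the parent management group makes it four, which is the kind of inherited grant a portal review misses. Run the audit against a real export on a schedule and treat every classic-role and root-scope finding as something to explain or remove.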

It's essential to regularly review and update role assignments to ensure that only authorized users have access to sensitive resources. This includes assigning the Owner role to users who need full access to all resources in a subscription.

Co-Administrators

In Azure, the Co-Administrator role provided full access to manage resources within an Azure subscription, similar to the Service Administrator, but without access to billing and support information.

No single Azure RBAC role has exactly that shape, so in Azure RBAC you may need to assign multiple roles to achieve a similar level of access control.

The Contributor role grants users permission to manage resources within an Azure subscription, including creating, modifying, and deleting resources, but not to manage access control, billing, or support.

The Billing Reader role provides read-only access to billing information and cost management data within an Azure subscription.

Here's a comparison of the Co-Administrator, Contributor, and Billing Reader roles:

  • Co-Administrator (classic): manage all resources in the subscription; no billing or support access.
  • Contributor (Azure RBAC): create, modify, and delete resources; cannot manage access control, billing, or support.
  • Billing Reader (Azure RBAC): read-only access to billing and cost management data; cannot manage resources.

Troubleshooting

If you're having trouble changing the account admin in your Azure subscription, check if the user you're trying to add as admin has a valid Azure Active Directory (Azure AD) account.

Make sure the user is not a member of the Azure AD Free plan, as this plan is not eligible for subscription management roles.

Before proceeding, ensure you have the necessary permissions to make changes to the subscription, specifically the "Owner" role.

If you're getting an error message saying "The user is not a member of the subscription", verify that the user is a member of the Azure AD tenant associated with the subscription.

Double-check that the user's Azure AD account is active and not locked out due to too many failed login attempts.

Permissions and Roles

The Azure RBAC model provides more granular access control over Azure resources, allowing organizations to assign roles with specific permissions to users, groups, and applications.

You can assign users to one or more default Azure RBAC roles, which grant them access to Azure resources. Some commonly used default Azure RBAC roles include Owner and Contributor.

The Owner role grants full control over Azure resources, while the Contributor role allows users to manage everything except access to resources. You can also create your own custom Azure RBAC roles without requiring an extra upgrade.

Here are some key default Azure RBAC roles and their definitions:

  • Owner: full control over resources at the assigned scope, including managing access for others.
  • Contributor: can create, modify, and delete resources, but cannot manage access.
  • Reader: can view resources, but cannot change them or manage access.
  • User Access Administrator: can manage access to Azure resources (it holds Microsoft.Authorization/roleAssignments/write) without managing the resources themselves.
  • Billing Reader: read-only access to billing information and cost management data.

Note that Entra ID roles do not overlap with Azure RBAC roles, except for the Global Administrator role, which can elevate access to Azure RBAC roles.

Azure Resource Permissions

Azure Resource Permissions are managed in two ways: Classic Administrator Roles and Role-Based Access Control (RBAC). The Classic Administrator Roles, which include Account Admin, Service Admin, and Co-Admins, are being phased out, with the Service Admin and Co-Admin roles set to be retired on August 31, 2024.

The Classic Account Admin role will remain, but it's worth noting that it's being replaced by the RBAC system. RBAC provides more granular access control over Azure resources, allowing organizations to assign roles with specific permissions to users, groups, and applications.

One of the default roles in RBAC is the Owner role, which provides "full control" permissions at the assigned level. This means that if you assign a user to the Owner role at the Subscription level, they will have full control over every resource in that Subscription.

The Owner role is essentially "full control" permissions at the assigned level, according to Microsoft's definition. This includes the ability to manage everything, including access to resources.

Here are some key features of the Owner role:

  • Provides full control over resources at the assigned level
  • Includes the ability to manage everything, including access to resources
  • Is inherited by down-level resources

Another default role in RBAC is the Contributor role, which provides the ability to manage everything except access to resources. This means that users assigned to the Contributor role will be able to perform most actions, but will not have the ability to manage access to resources.

Custom roles can also be created within RBAC, allowing organizations to fine-tune permissions and create roles that meet their specific needs. This is especially useful for organizations that need to manage access to sensitive resources or data.

Entra ID Permissions

Entra ID comes with many built-in roles that you can assign to users to grant them access to the directory and the services that rely on it.

These roles include Global administrator, Application administrator, and User administrator.

The Global administrator role essentially gives full control permissions to Entra ID, as well as other Microsoft services that use Entra ID identities.

Microsoft defines the Global administrator role as someone who can manage all aspects of Entra ID and Microsoft services that use Entra ID identities.

By default, the person who initially signs up for the Entra ID tenant is automatically granted the Global administrator role.

You can create your own custom Entra ID roles, but you need to buy an upgrade to Premium P1 or P2 licensing to do so.

Here are some key Entra ID roles and their definitions:

  • Global administrator: Can manage all aspects of Entra ID and Microsoft services that use Entra ID identities.
  • Application administrator: Can create and manage all aspects of app registrations and enterprise apps.
  • User administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins.

Entra ID roles can also control access to Microsoft applications such as Microsoft 365 (Office 365); for example, a user assigned the Global Administrator role can administer those applications as well.

Note that Entra ID roles do not overlap with Azure RBAC roles, but there is an exception: an Entra ID Global Administrator can elevate their own access, which will automatically grant them the Azure RBAC role of 'User Access Administrator' at the "Root" level.

Rosemary Boyer

Writer