Assign administrator permissions
Azure has many different roles for managing access to Azure resources. These include classic subscription administrative roles like Account Administrator, Service Administrator, or Co-Administrator, as well as Azure role-based access controls (RBAC) that are available in Azure Resource Manager (ARM). Note that classic roles and resources are scheduled to be
deprecated in August 2024. When managing access to Azure subscriptions and resources, it is recommended to use Azure RBAC roles whenever possible.
Classic subscription administrators have full access to an Azure subscription. They can manage resources through the Azure portal, Resource Manager APIs (including through PowerShell and the CLI), and the classic deployment model APIs.
By default, the account that is used to sign up for an Azure subscription is automati- cally set as both the Account Administrator and the Service Administrator. They both are authorized to perform subscription management activities, but creation of new Azure subscriptions and billing changes can be performed only by the Account Administrator. There can be only one Account Administrator per account and one Service Administrator per subscription.
Once the subscription has been created, more Co-Administrators can be added. The Co- Administrator has the same level of access as the Service Administrator but cannot change the association of subscriptions to Azure directories. There can be up to 200 Co-Administrators per subscription.
Users assigned with the Service Administrator and Co-Administrator roles have the same access as a user who is assigned the Azure RBAC Owner role at the subscription scope.
In the Azure portal, you can view the current assignments for the Account Administrator and Service Administrator roles by browsing to a subscription in the Azure portal and selecting the Properties blade, as seen in Figure 1-51.
FIGURE 1-51 Azure subscription properties
Built-in Azure RBAC roles
Azure RBAC roles are more flexible than classic administrator roles and allow for more fine- grained access management. Azure RBAC has more than 70 built-in roles, but there are four foundational roles, as shown in Table 1-4.
TABLE 1-4 Azure RBAC roles
Azure RBAC role | Permissions | Notes |
Owner | Full access to all resourcesDelegate access to others | The Service Administrator and Co- Administrators are assigned the Owner role at the subscription scope.Applies to all resource types. |
Contributor | Create and manage all types of Azure resourcesCannot grant access to others | Applies to all resource types. |
Reader | View Azure resources | Applies to all resource types. |
User Access Administrator | Manage user access to Azure resources |