Nathan

Azure AD roles, Azure RBAC roles, and Classic Administrator roles

Updated: Aug 7, 2022

Permissions to Azure AD and permissions to Azure Resources are handled separately. Each has its own set of access roles that can be assigned. Going even further, there are two separate ways you can assign permissions to Azure Resources: an old way (Classic Administrator roles) and a new way (RBAC roles). It took me a while to wrap my head around how everything works together. In this blog post, I hope to clearly outline all of the pieces and how they interact with each other.

 

Azure AD permissions


Out of the box, Azure AD comes with a lot of default roles. You can assign users to one or more of these roles and that will grant them access to Azure AD. Some of the commonly used default Azure AD roles include:


Global administrator

  • This is essentially “full control” permissions to Azure AD (as well as other things, but more on that later).

  • Microsoft’s definition: Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.

  • By default, the person who initially signs up for the Azure AD tenant is automatically granted the Global administrator role.

Application administrator

  • Microsoft’s definition: Can create and manage all aspects of app registrations and enterprise apps.

User administrator

  • Microsoft’s definition: Can manage all aspects of users and groups, including resetting passwords for limited admins.

You are able to create your own custom Azure AD roles. However, in order to do so, you need to buy an upgrade to Azure AD Premium P1 or P2.


Note #1: Certain Microsoft applications will tie in with Azure AD. That means Azure AD roles can also control access to these applications. One of the biggest examples of this is Microsoft 365 (formerly known as Office 365). If a user is assigned the Global Administrator role in Azure AD, then that means they also have full rights to apps such as Exchange Online and SharePoint Online.


Note #2: Azure AD roles do not overlap with Azure RBAC roles. However, there is one exception. An Azure AD Global Administrator can elevate their own access. This elevated access will automatically grant them the Azure RBAC role of ‘User Access Administrator’ at the "Root" level. That means it will be inherited by everything below the Root level, which includes all Subscriptions and Management Groups in the entire Azure AD tenant. This applies to all existing Subscriptions and Management Groups, as well as any new ones that are created in the future.

 

Azure Resource permissions


First, let’s go over some brief history about Azure resource permissions. Initially, Azure managed its resource permissions by using Classic Administrator Roles. There were only 3 of these Classic Administrator Roles (Account Admin, Service Admin, and Co-Admins). But now, the new and improved way to manage Azure resource permissions is called the Role-based Access Control (RBAC) system. And even though RBAC exists, it doesn’t mean the Classic Administrator roles are going away any time soon. Microsoft has not been able to fully deprecate them quite yet. I go over the Classic Administrator roles in more detail further down in this post.


Azure RBAC comes out of the box with a whole slew of default roles. Some of the commonly used default Azure RBAC roles include:


Owner

  • This is essentially “full control” permissions at whatever level this role is assigned to.

  • Microsoft’s definition: Lets you manage everything, including access to resources.

  • For example, if you assign a user to the Owner role at the Subscription level, then that user will have full control over every resource in that Subscription, as RBAC roles are inherited by down-level resources.

Contributor

  • Microsoft’s definition: Lets you manage everything except access to resources.

Reader

  • Microsoft’s definition: Lets you view everything, but not make any changes.

You can also create your own custom Azure RBAC roles. No extra upgrade is required, as this is something you are able to do by default.
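
The inheritance described in Note #2 and under the Owner role can be checked against an export of role assignments. The following Python is an added example, not code from the original post: it works out which assignments reach a given resource and flags 'User Access Administrator' at the Root scope. The sample data is constructed, shaped like the JSON output of `az role assignment list --all`, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields used here; every name and ID is made up).
SAMPLE = json.loads("""[
  {"principalName": "ga@contoso.example",
   "roleDefinitionName": "User Access Administrator", "scope": "/"},
  {"principalName": "alice@contoso.example",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
  {"principalName": "bob@contoso.example",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/sub-a/resourceGroups/rg-web"},
  {"principalName": "carol@contoso.example",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-ab"}
]""")


def applies_to(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited by target_scope."""
    if assigned_scope == "/":          # Root: inherited by everything below
        return True
    # Compare whole path segments so "sub-a" does not match "sub-ab".
    # Management-group scopes need the group hierarchy and are not modelled.
    a = assigned_scope.rstrip("/").lower().split("/")
    t = target_scope.rstrip("/").lower().split("/")
    return t[:len(a)] == a


def effective_roles(assignments, target_scope):
    """(principal, role, assigned scope) for every assignment reaching target."""
    return sorted((x["principalName"], x["roleDefinitionName"], x["scope"])
                  for x in assignments if applies_to(x["scope"], target_scope))


def root_access_admins(assignments):
    """Principals holding User Access Administrator at Root (elevated access)."""
    return [x["principalName"] for x in assignments
            if x["scope"] == "/"
            and x["roleDefinitionName"] == "User Access Administrator"]


if __name__ == "__main__":
    vm = ("/subscriptions/sub-a/resourceGroups/rg-web"
          "/providers/Microsoft.Compute/virtualMachines/vm1")
    for who, role, scope in effective_roles(SAMPLE, vm):
        print(f"{who}: {role} (inherited from {scope})")
    print("Root-level User Access Administrators:", root_access_admins(SAMPLE))
```

Any principal returned by `root_access_admins` has rights over access to every Subscription in the tenant, so an unexpected entry there is worth reviewing first.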


Remember when I said the 3 Classic Administrator roles are still around? Let’s go over them one by one:


Account Admin role

  • There is only 1 Account Admin per Subscription.

  • By default, this is granted to the account that is used to sign up for Azure.

  • The Account Admin is the only account that has access to the Azure Account Center portal (https://account.azure.com/Subscriptions). This is an old portal that Microsoft is slowly moving away from. However, there are still a few things that can only be done from this portal. From this portal, the Account Admin can:

      - Change the billing details for a Subscription.
      - Add new Subscriptions.
      - Cancel Subscriptions.
      - Change who is assigned to the Service Admin role.

  • The Account Admin has no access whatsoever to the Azure Portal. Therefore, they cannot manage Azure resources. They are essentially just like a billing administrator for the Subscription.

  • How to change who is assigned to the Account Admin role: you must go to your Subscription in the Azure Portal and go to the option to Transfer Billing Ownership.

  • How to view who is assigned to the Account Admin role: from the Azure Portal navigate to your Subscription, under the ‘Settings’ section click on ‘Properties,’ and you will see a property called ‘ACCOUNT ADMIN.’

Service Admin role

  • There is only 1 Service Admin per Subscription.

  • By default, this is granted to the account that is used to sign up for Azure.

  • The Service Admin has full control permissions on the Subscription.

  • The Service Admin can:

      - Cancel the Subscription.
      - Add users to the Co-Admin role.

  • How to change who is assigned to the Service Admin role: one way is for the Account Admin to change this assignment from the Azure Account Center portal.

  • How to view who is assigned to the Service Admin role: from the Azure Portal navigate to your Subscription, under the ‘Settings’ section click on ‘Properties,’ and you will see a property called ‘SERVICE ADMIN.’

Co-Administrator role

  • There can be up to 200 Co-Admins per Subscription.

  • By default, nobody is granted this role. In fact, it’s recommended that you totally forget about the Co-Administrator role and not use it. You should really be using Azure RBAC roles instead.

  • The Co-Administrator has full control permissions on the Subscription.

  • The Co-Administrators can:

      - Cancel the Subscription.
      - Add other users to the Co-Admin role.

  • The Co-Administrator can NOT:

      - Associate the Subscription to a different Azure AD tenant.

  • How to add new Co-Admin role assignments: from the Azure Portal navigate to your Subscription, click on ‘Access control (IAM)’ and then click on ‘Classic Administrators.’ Finally, click on ‘Add’ and then ‘Add co-administrator.’

  • How to view who is assigned to the Co-Admin role: from the Azure Portal navigate to your Subscription, click on ‘Access control (IAM)’ and then click on ‘Classic Administrators.’

 

If you were reading carefully, you would have seen that the person who initially signs up for the Azure AD tenant / Azure Subscription will get the following permissions by default:

  • Azure AD Role: Global Administrator

  • Classic Administrator Role: Account Admin

  • Classic Administrator Role: Service Admin



 
