Managing Azure Subscriptions
The Service Admin can
Access the azure portal and assign users the Co-Administrator role
add a Co-Owner in Azure Subscription
All resources > Subscriptions > Select Subscription > Access control (IAM) > Right click on an Owner > Add as co-admin Removing co-admins follow the same steps
Assign Owner Role in RBAC
All resources > Subscriptions > Select Subscription > Access control > add > Select Owner in Role box > Assign access to box > Select Azure user, group, or application > Select box > Enter Email or select user to add > Save You can narrow scope by adding to resource group instead of subscription.
Adding someone as an Administrator for an Azure Subscription
Assign them the Owner RBAC roll at the subscription scope Does not have access to other Subscriptions
RBAC (Role Based Access Control)
Duty Segregation Only the level of access needed for the job Permissions can be scoped to specific resources or activities
Account Admin
Has access to account center Can manage all subscriptions in an azure account Create new subscriptions Cancel Existing Subscriptions Change billing Change the service administrator account
Can a co-administrator change the association of subscriptions to azure directories ?
No
Can a co-administrator change the service administrator?
No, it can only be changed by the Account Administrator
Does the Account admin have access to the Azure portal?
No, the Service admin has access to the portal by default the service admin is the account admin unless changed
How many Service Administrators can an Azure Subscription have?
One
What can a Service administrator do?
Open support requests with Microsoft for azure and office 365 View the service dashboard and message center View only permissions except for opening support tickets and reading them Those assigned to the Exchange Online, SharePoint Online, and Skype for Business admin roles should also be assigned the service admin role so that they can view critical information in the Office 365 admin center, including health of the service and change and release notifications.
Three Key Administrator Roles
The Account Used to sign up for Azure is both -Account Admin -Service Admin Can be added to the subscription -Co-Admin The Service Admin & Co-Admin have the same access as users who have been assigned the Owner role These Admin have full access to Azure Subscription
True of False The Azure Security Center creates a default security policy automatically for each Azure subscription
True
Can a co-administrator assign users the co-administrator role?
Yes
Change account admin
select subscription in the Azure portal, and look under settings Click properties The account administrator for the subscription is shown in the account admin box. To change the account admin sign in to the Azure account center as an account admin. The Azure account center is located at account.windowsazure.com/Subscriptions Select the subscription Click transfer subscription specify the recipient Click finish to begin the process NOTE: warning about RBAC assignments. The recipient will receive an email with an acceptance link. After clicking the acceptance link, the recipient should follow the instructions, entering their payment information. When the recipient finishing following the instructions, the subscription is then transferred, and the recipient is the new account admin.
Change the service administrator
sign into the Azure Account Center as the account administrator select a subscription on the right side select Edit Subscription Details In the Service Administrator box provide the email address of the new service administrator.
How many Co-Admins can be added in a subscription?
up to 200
Does a co-admin have to be assigned the owner role in RBAC?
yes
