top of page
Search
Writer's pictureNathan

Azure AD roles, Azure RBAC roles, and Classic Administrator roles

Updated: Aug 25

Permissions to Entra ID and permissions to Azure Resources are handled separately. They each have their own different access roles that can be assigned. Going even further, there are two separate ways you can assign permissions to Azure Resources: an old way (Classic Administrator roles) and the current way (RBAC roles). Please note that 2 of the 3 Classic Administrator roles are being deprecated.


In this blog post, I hope to clearly outline all of the pieces and how they interact with each other.



 

Entra ID permissions


Out of the box, Entra ID comes with a lot of default roles. You can assign users to one or more of these roles and that will grant them access to Entra ID. Some of the commonly used Entra ID roles include:


Global administrator:

  • This is essentially “full control” permissions to Entra ID (as well as other things, but more on that later).

  • Microsoft’s definition: Can manage all aspects of Entra ID and Microsoft services that use Entra ID identities.

  • By default, the person who initially signs up for the Entra ID tenant is automatically granted the Global administrator role.


Application administrator

  • Microsoft’s definition: Can create and manage all aspects of app registrations and enterprise apps.


User administrator

  • Microsoft’s definition: Can manage all aspects of users and groups, including resetting passwords for limited admins.


You can create your own custom Entra ID roles. However, in order to do so, you need to buy an upgrade to Premium P1 or P2 licensing.


Note: Certain Microsoft applications will tie in with Entra ID. That means Entra ID roles can also control access to these applications. One of the biggest examples of this is Microsoft 365 (Office 365). If a user is assigned the Global Administrator role in Entra ID, then that means they also have full rights to apps such as Exchange Online and SharePoint Online.


Note: Entra ID roles do not overlap with Azure RBAC roles. However, there is one exception. An Entra ID Global Administrator can elevate their own access. This elevated access will automatically grant them the Azure RBAC role of ‘User Access Administrator’ at the "Root" level. That means it will be inherited by everything below the Root level, which includes all Subscriptions and Management Groups in the entire Entra ID tenant. This applies to all existing Subscriptions and Management Groups, as well as any new ones that are created in the future.


 

Azure Resource permissions


First, let’s go over some brief history about Azure resource permissions. Initially, Azure managed its resource permissions by using Classic Administrator Roles. There are only 3 of these Classic Administrator Roles (Account Admin, Service Admin, and Co-Admins). Note: as of August 31, 2024 Microsoft is going to retire the Service Admin and Co-Admin classic roles. The classic Account Admin role is sticking around, for now. I discuss the classic admin roles in further detail below.


The new and improved way to manage Azure resource permissions is called the Role-based Access Control (RBAC) system. Azure RBAC comes out of the box with a whole slew of default roles. Some of the commonly used default Azure RBAC roles include:


Owner:

  • This is essentially “full control” permissions at the assigned level.

  • Microsoft’s definition: Lets you manage everything, including access to resources.

  • For example, if you assign a user to the Owner role at the Subscription level, then that user will have full control over every resource in that Subscription, as RBAC roles are inherited by down-level resources.


Contributor:

  • Microsoft’s definition: Lets you manage everything except access to resources.


Reader:

  • Microsoft’s definition: Lets you view everything, but not make any changes.


You can also create your own custom Azure RBAC roles. No extra upgrade is required, as this is something you are able to do by default.


 

Classic Administrator Roles


Account Admin:

  • There is only 1 Account Admin per Subscription.

  • By default, this is granted to the account that is used to sign up for Azure.

  • The Account Admin is the only account that has access to the Azure Account Center portal (https://account.azure.com/Subscriptions). This is an old portal that Microsoft is slowly moving away from. However, there are still a few things that can only be done from this portal. From this portal, the Account Admin can: - Change the billing details for a Subscription - Add new Subscriptions - Cancel Subscriptions - Change who is assigned to the Service Admin role

  • The Account Admin has no access whatsoever to the Azure Portal. Therefore, they cannot manage Azure resources. They are essentially just like a billing administrator for the Subscription.

  • How to change who is assigned to the Account Admin role: you must go to your Subscription in the Azure Portal and go to the option to Transfer Billing Ownership.

  • How to view who is assigned to the Account Admin role: from the Azure Portal navigate to your Subscription, under the ‘Settings’ section click on ‘Properties,’ and you will see a property called ‘ACCOUNT ADMIN’


Service Admin

  • Important: Microsoft is deprecating this classic administrator role on August 31, 2024. If the account that holds this role still needs the same level of access to the Subscription, then you'll need to grant that account the RBAC role of Owner at the Subscription scope.

  • There is only 1 Service Admin per Subscription.

  • By default, this is granted to the account that is used to sign up for Azure.

  • The Service Admin has full control permissions on the Subscription.

  • The Service Admin can: - Cancel the Subscription - Add users to the Co-Admin role

  • How to change who is assigned to the Service Admin role: one way is for the Account Admin to change this assignment from the Azure Account Center portal.

  • How to view who is assigned to the Service Admin role: from the Azure Portal navigate to your Subscription, under the ‘Settings’ section click on ‘Properties,’ and you will see a property called ‘SERVICE ADMIN’


Co-Administrator

  • Important: Microsoft is deprecating this classic administrator role on August 31, 2024. If the account(s) that holds this role still needs the same level of access to the Subscription, then you'll need to grant that account the RBAC role of Owner at the Subscription scope.

  • There can be up to 200 Co-Admins per Subscription.

  • By default, nobody is granted this role.

  • The Co-Administrator has full control permissions on the Subscription.

  • The Co-Administrators can: - Cancel the Subscription - Add other users to the Co-Admin role

  • The Co-Administrator can NOT: - Associate the Subscription to a different Azure AD tenant.

  • How to add new Co-Admin role assignments: from the Azure Portal navigate to your Subscription, click on ‘Access control (IAM)’ and then click on ‘Classic Administrators.’ Finally, click on ‘Add’ and then ‘Add co-administrator’

  • How to view who is assigned to the Co-Admin role: from the Azure Portal navigate to your Subscription, click on ‘Access control (IAM)’ and then click on ‘Classic Administrators.’


 

If you were reading carefully, you would have seen that the person who initially signs up for the Entra ID tenant / Azure Subscription will get the following permissions by default:

  • Entra ID Role of Global Administrator

  • Classic Administrator Role of Account Admin

  • As of August 31, 2024:

    • No longer assigned: Classic Administrator Role of Service Admin

    • Newly assigned: Owner RBAC role on the Subscription


 

Sources:

5,266 views
bottom of page