Assign administrator roles overview

- [Instructor] Administrators are the keepers of our Azure resources and we can assign various permissions to our administrators and in turn to our users but before I show you how to assign administrative roles, let's explore some of the roles that you could be exposed to in Azure. And there are three administrator roles that you need to be aware of. There's the Classic roles, the Azure RBAC roles, and the Azure Active Directory administrative roles. The Classic roles are only found if you use the Classic portal which Microsoft does not recommend.

If you're taking an Azure exam, the Classic portal is not included in the exam but you should be aware of the administrative roles just in case you come across them in your day-to-day job roles. And the accounts that you'll find in the Classic portal include the account administrator, and this account has full access, the service administrator, this user can manage services and assign users to the co-admin role, and that leads us into the co-administrative role which is the same as a service administrator but does have some limitations.

Now that the Classic roles are behind us, we can now focus in on what you'll see and use in Azure today starting off with Role-Based Access Control or RBAC. There are three main RBAC roles. There's the owner role, the contributor and the reader. There is also a special RBAC role called the User Access Administrator. We'll cover that special role in a few moments. In addition, there are 70 built-in roles and if those roles do not provide enough granularity, you can create your own custom roles.

Let's go ahead and explore each of these key RBAC roles. If you're studying for an Azure exam, you'll want to know these roles in detail and we'll start off with the owner role. The owner has full access to all of the resources and can delegate access to others. For those who come from the Classic version of Azure, the owner is equivalent to the service administrator or co-administrator role. Next, we have the contributor role. If a user has this role assigned to them, they cannot delegate access to other users but they can create and manage resources and rounding up the three default roles is the reader role.

A user with this right can view Azure resources only. I mentioned earlier the special user access administrator role. This is a special account that allows you to access all the Azure resources at the root scope. Microsoft highly recommends that you only use this user access role when you need to access other resources outside of what you currently can access. This is for temporary use only.

Now we move on to the Azure Active Directory administrator roles. and the Azure Active Directory administrators can manage the Azure Active Directory resources. They can create, edit, reset user passwords, manage licenses, et cetera. In addition, there are several Azure Active Directory roles that you can also assign and these would include a global admin, billing, device administrators, information protection administrators, user account administrators et cetera. When you assign these roles, only include the privileges required to perform a specific action.

And finally, the last administrator role that we're going to cover here is the service administrator role. The service administrator is the same as the account administrator. That is the person who signed up for the Azure account to begin with. Typically, the only reason we would change the service administrator or assign it to another user is if we're doing a migration and we need someone out to manage the portal because if the service administrator is changed, the account administrator will lose access to that portal and the service administrator cannot add a user who is not in the current directory, so keep this in mind when you're planning this out and assigning the service admin role to a new user because they can only add users who are in the same directory.

In our example here, if sharon@bennettbiz is the service administrator, she can add users in bennettbiz.ca such as Watson but she could not add in watson@oldbennettbiz.ca. The key takeaways from this chapter is to understand the difference between an Azure Directory administrator versus an RBAC role. In the next lesson, we'll actually go ahead and configure and assign some of these roles and administrative rights.