Learn the different Azure account roles, including the rights each role provides. The demonstration will outline determining who is the Account Administrator or the Service Administrator.
- [Instructor] Securing your Azure account and subscriptions is critical to ensure that users only have access to what they actually need. Before we get started, let's take a look at the Azure organization of accounts and subscriptions. First of all, we have our Azure account. This is our top level account. The account administrator has access to this account. The Azure account then as access to all the subscriptions which in turn have a service administrator. Now that we understand a little bit about how this goes together, let's get into the details.
First working at that top level and working down, we have an account administrator or AA. This is the person who signed up for Azure. They can create and cancel subscriptions. They can change the billing information and they can edit the service administrator. In Azure Active Directory, the account administrator is also known as the global admin or company admin and you can only have one account administrator per user account. This is something to keep in mind when you go and create an Azure account for your company.
Next, we have our service administrator. They manage services within Azure. They cannot modify subscriptions. They cannot change the billing information and the account administrator is that service administrator until it is changed and I'm going to show you that in a moment. And you can only have one service administrator per Azure subscription. And finally, for those of you who may be working in the classic portal or may actually be exposed to the classic portal, we had a role called a co-administrator.
Again, this is only available in that classic portal. It has the same functionality as the service administrator. They cannot change the Azure subscription and you can have up to 200 co-administrators in a subscription. If you're still working within the classic portal, I highly recommend that you go through your co-administrator list and ensure the users that no longer need that co-administrator account are removed. Let's go ahead and pop into Azure and take a look at this with some live data. The best place to start here is in Azure subscriptions.
You'll notice here I have three subscriptions and I'm going to work in the pay-as-you-go subscription and if I scroll all the way down to Properties, I can see it is active and if I scroll down a little bit further, I can see the account admin is my account and the service admin is also my account. You'll notice I cannot edit these here. Even though there's a little edit button up at the top, these are not editable fields. In order to edit the service administrator, I'm going to click in Overview and then Manage.
When you see the box with the arrow, this means that you'll be pushed to a different portal. In our case, we're going to be pushed over to the billing portal. I'm now in the summary for my pay-as-you-go service and in order to change my service administrator, I need to go into Edit Subscription Details and this is where I change my service administrator. Once I have changed that account, I would go ahead, click the check box, and that's it. You'll now have a new service administrator assigned to your subscription.
- Implementing Azure Resource Manager templates
- Creating a template from a deployment
- Deploying a template using the portal
- Deploying a template using PowerShell
- Using Azure Quickstart Templates
- Using service principals
- Locking Azure resources
- Securing Azure subscriptions
- Azure active directory roles
- Designing custom RBAC roles