Add or modify Azure administrator roles for managing subscriptions or services
During the sign-up process, users purchasing online subscriptions create an organization ID (OrgID), which is the Azure account ID and an Azure account can manage several standard Pay-in-advance subscriptions.The OrgID is owned by the account administrator (AA), who can manage accounts and subscriptions, as well as perform tasks such as deploying services for each subscription.This article explains the main tasks and operating processes for account managers performing subscription management.
Azure accounts have three roles that are applicable to all resources: owner, contributor and reader.As described in the following table, each role corresponds to its own permission level.You can grant access permissions by assigning a role to a specific range of users, groups, and apps.A maximum of 2,000 roles can be allocated to each subscription.
| Role | Description |
|---|---|
| Account administrator | An AA has OrgID logon details and is able to access the Account Center and perform a variety of management tasks.For example, an AA can create subscriptions, cancel subscriptions, modify subscription fees, create users, and assign users their roles. The AA can also deploy services for each subscription. |
| Owner | Owner has full access to all resources including the right to delegate access to others. |
| Contributor | Contributor can create and manage all types of Azure resources but can’t grant access to others. |
| Reader | Reader can view existing Azure resources within an individual subscription, but the reader cannot deploy services or assign user roles. |
Add a user
In the Azure portal, in the left pane, select Azure Active Directory. (If this option is unavailable, select More Services, and then type Azure Active Directory in the search box.)
Select Users and groups.
Select All users, and then select New user.
Enter the user details, and then select Create.The user name format must be consistent with both your OrgID and the suffix after the at sign (@).
You can view the details of the newly created user in the user list.
Assign a user role
Sign in to the Azure portal, select Subscription in the left pane, and then select the subscription that you want to rename.
Select Access Control (Identity & Access Management), and then select Add.
On the Add permissions form, select the corresponding role and the Azure Active Directory account, and then select Save to finish assigning the corresponding role to the account.
After you have completed the setup process, a pop-up message confirms that you have added user permissions.
Delete user access permissions
Sign in to the Azure portal, select Subscription in the left pane, and then select the subscription that you want to rename.
To view a list of roles that are authorized for the subscription, select Access Control (Identity & Access Management).
Select the role that you want to delete, and then select Delete.
To complete the deletion, select Yes.
After you have completed the process, a pop-up message confirms that you have deleted user permissions.
View user roles and access permissions
Sign in to the Azure portal, select Subscription in the left pane, and then select the subscription that you want to rename.
Select Access Control (Identity & Access Management). All the users for the subscription and their roles are displayed at the right.
Learn more:
Change subscription contact methods for account administrators
Contact Support.
If you still need help to resolve your issue, contact our support team.