Azure classic subscription administrators

Important

Classic resources and classic administrators will be retired on August 31, 2024. Starting April 3, 2024, you won't be able to add new Co-Administrators. This date was recently extended. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.

Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you're still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For information about how to migrate your resources from classic deployment to Resource Manager deployment, see Azure Resource Manager vs. classic deployment.

This article describes how to prepare for the retirement of the Co-Administrator and Service Administrator roles and how to remove or change these role assignments.

Frequently asked questions

Will Co-Administrators and Service Administrator lose access after August 31, 2024?

  • Starting on August 31, 2024, Microsoft will start the process to remove access for Co-Administrators and Service Administrator.

What is the equivalent Azure role I should assign for Co-Administrators?

  • Owner role at subscription scope has the equivalent access. However, Owner is a privileged administrator role and grants full access to manage Azure resources. You should consider a job function role with fewer permissions, reduce the scope, or add a condition.

What is the equivalent Azure role I should assign for Service Administrator?

  • Owner role at subscription scope has the equivalent access.

What should I do if I have a strong dependency on Co-Administrators or Service Administrator?

  • Email ACARDeprecation@microsoft.com and describe your scenario.

Prepare for Co-Administrators retirement

Use the following steps to help you prepare for the Co-Administrator role retirement.

Step 1: Review your current Co-Administrators

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Use the Azure portal to get a list of your Co-Administrators.

  3. Review the sign-in logs for your Co-Administrators to assess whether they're active users.

Step 2: Remove Co-Administrators that no longer need access

  1. If the user is no longer in your enterprise, remove the Co-Administrator.

  2. If the user was deleted, but their Co-Administrator assignment wasn't removed, remove the Co-Administrator.

    Users that have been deleted typically include the text (User was not found in this directory).

  3. After reviewing the user's activity, if the user is no longer active, remove the Co-Administrator.

Step 3: Replace existing Co-Administrators with job function roles

Most users don't need the same permissions as a Co-Administrator. Consider a job function role instead.

  1. If a user still needs some access, determine the appropriate job function role they need.

  2. Determine the scope the user needs.

  3. Follow the steps to assign a job function role to the user.

  4. Remove the Co-Administrator.

Step 4: Replace existing Co-Administrators with Owner role and conditions

Some users might need more access than what a job function role can provide. If you must assign the Owner role, consider adding a condition to constrain the role assignment.

  1. Assign the Owner role at subscription scope with conditions to the user.

  2. Remove the Co-Administrator.

Prepare for Service Administrator retirement

Use the following steps to help you prepare for Service Administrator role retirement. To remove the Service Administrator, you must have at least one user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.

Step 1: Review your current Service Administrator

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Use the Azure portal to get your Service Administrator.

  3. Review the sign-in logs for your Service Administrator to assess whether they're an active user.

Step 2: Review your current Billing account owners

The user that is assigned the Service Administrator role might also be the same user that is the administrator for your billing account. You should review your current Billing account owners to ensure they are still accurate.

  1. Use the Azure portal to get your Billing account owners.

  2. Review your list of Billing account owners. If necessary, update or add another Billing account owner.

Step 3: Replace existing Service Administrator with Owner role

Your Service Administrator might be a Microsoft account or a Microsoft Entra account. A Microsoft account is a personal account such as Outlook, OneDrive, Xbox LIVE, or Microsoft 365. A Microsoft Entra account is an identity created through Microsoft Entra ID.

  1. If the Service Administrator user is a Microsoft account and you want this user to keep the same permissions, assign the Owner role to this user at subscription scope without conditions.

  2. If the Service Administrator user is a Microsoft Entra account and you want this user to keep the same permissions, assign the Owner role to this user at subscription scope without conditions.

  3. If you want to change the Service Administrator user to a different user, assign the Owner role to this new user at subscription scope without conditions.

  4. Remove the Service Administrator.
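
A pre-removal check for the requirement stated in this section (at least one user with Owner at subscription scope without conditions), written as an added example that is not part of the original article or of Microsoft's tooling. It assumes role assignments were exported as JSON with the field names used by `az role assignment list`; the subscription ID, principals and condition text are constructed placeholders, and counting only `User` principals is a strict reading of "at least one user".

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed sample. Field names follow `az role assignment list` JSON output;
# principals and the condition text are made up.
SAMPLE = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB,
     "condition": "<constructed condition expression>"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-app",
     "condition": None},
    {"principalName": "ops-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB, "condition": None},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB, "condition": None},
]


def _norm(scope):
    # Azure resource IDs are case-insensitive; ignore a trailing slash too.
    return scope.rstrip("/").lower()


def review_owners(assignments, subscription_scope):
    """Return (qualifying, rejected) Owner assignments.

    Qualifying = user principal, exactly subscription scope, no condition.
    rejected is a list of (principal, [reasons]).
    """
    qualifying, rejected = [], []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        reasons = []
        if _norm(a.get("scope", "")) != _norm(subscription_scope):
            reasons.append("not at subscription scope")
        if a.get("condition"):
            reasons.append("has a condition")
        if a.get("principalType") != "User":  # strict reading of "one user"
            reasons.append("principal is not a user")
        name = a.get("principalName") or a.get("principalId", "<unknown>")
        if reasons:
            rejected.append((name, reasons))
        else:
            qualifying.append(name)
    return qualifying, rejected


def safe_to_remove_service_admin(assignments, subscription_scope):
    """True only if removal would not orphan the subscription."""
    return bool(review_owners(assignments, subscription_scope)[0])
```

On the constructed sample every Owner assignment is rejected (conditioned, resource-group scoped, or held by a group), so the check returns `False` until an unconditioned subscription-scope Owner user exists.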

View classic administrators

Follow these steps to view the Service Administrator and Co-Administrators for a subscription using the Azure portal.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view a list of the Co-Administrators.

Remove a Co-Administrator

Follow these steps to remove a Co-Administrator.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view a list of the Co-Administrators.

  5. Add a check mark next to the Co-Administrator you want to remove.

  6. Select Remove.

  7. In the message box that appears, select Yes.

Add a Co-Administrator

You only need to add a Co-Administrator if the user needs to manage Azure classic deployments by using Azure Service Management PowerShell Module. If the user only uses the Azure portal to manage the classic resources, you won’t need to add the classic administrator for the user.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

    Co-Administrators can only be assigned at the subscription scope.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab.

  5. Select Add > Add co-administrator to open the Add co-administrators pane.

    If the Add co-administrator option is disabled, you don't have permissions.

  6. Select the user that you want to add and select Add.

Add a guest user as a Co-Administrator

To add a guest user as a Co-Administrator, follow the same steps as in the previous Add a Co-Administrator section. The guest user must meet the following criteria:

  • The guest user must have a presence in your directory. This means that the user was invited to your directory and accepted the invite.

For more information about how to add a guest user to your directory, see Add Microsoft Entra B2B collaboration users in the Azure portal.

Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see Remove an external user from your directory.

Differences for guest users

Guest users that have been assigned the Co-Administrator role might see some differences as compared to member users with the Co-Administrator role. Consider the following scenario:

  • User A with a Microsoft Entra account (work or school account) is the Service Administrator for an Azure subscription.
  • User B has a Microsoft account.
  • User A assigns the Co-Administrator role to user B.
  • User B can do almost everything, but is unable to register applications or look up users in the Microsoft Entra directory.

You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Microsoft Entra ID as compared to member users. For example, member users can read other users in Microsoft Entra ID and guest users cannot. Member users can register new service principals in Microsoft Entra ID and guest users cannot.

If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Microsoft Entra roles the guest user needs. For example, in the previous scenario, you could assign the Directory Readers role to read other users and assign the Application Developer role to be able to create service principals. For more information about member and guest users and their permissions, see What are the default user permissions in Microsoft Entra ID?. For more information about granting access for guest users, see Assign Azure roles to external users using the Azure portal.

Note that the Azure built-in roles are different than the Microsoft Entra roles. The built-in roles don't grant any access to Microsoft Entra ID. For more information, see Understand the different roles.

For information that compares member users and guest users, see What are the default user permissions in Microsoft Entra ID?.

Change the Service Administrator

Only the Account Administrator can change the Service Administrator for a subscription. By default, when you sign up for an Azure subscription, the Service Administrator is the same as the Account Administrator.

The user with the Account Administrator role can access the Azure portal and manage billing, but they can't cancel subscriptions. The user with the Service Administrator role has full access to the Azure portal and they can cancel subscriptions. The Account Administrator can make themself the Service Administrator.

Follow these steps to change the Service Administrator in the Azure portal.

  1. Sign in to the Azure portal as the Account Administrator.

  2. Open Cost Management + Billing and select a subscription.

  3. In the left navigation, select Properties.

  4. Select Change service admin.

  5. In the Edit service admin page, enter the email address for the new Service Administrator.

  6. Select OK to save the change.

Remove the Service Administrator

To remove the Service Administrator, you must have a user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab.

  5. Add a check mark next to the Service Administrator.

  6. Select Remove.

  7. In the message box that appears, select Yes.
