Azure AD Roles
There are three main types of administrative/security roles for Azure. These include classic subscription administrator roles, Azure role-based access control (RBAC) roles, and Azure AD administrator roles.
Classic subscription administrator roles:
– Historical administrator: Roles which were originally used by Azure Service Manager
– Account administrator: Can manage/create/cancel subscriptions and change service administrator
– Service administrator: Can manage services within the Azure portal and co-administrators
– Co-administrator: Same permissions as service admin, but cannot manage classic admin roles
Azure role-based access control (RBAC) roles:
– Roles used to provide granular permissions to actual Azure resources
– For more information, take a look at RBAC roles within the Access Control page
Azure Active Directory (Azure AD) administrator roles:
– Roles for managing Azure AD itself (remember, the Azure AD tenant is separate from Azure)
– Includes a number of admin roles such as global, application, billing, etc.
– Global admin provides full/unfettered access to Azure AD, and is typically required for enabling features
Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don’t have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.
When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.
You should remove this elevated access once you have made the changes you need to make at root scope.
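An added example (not from the original page or Microsoft's documentation) of the clean-up step above using Azure PowerShell: it lists any User Access Administrator assignments left at root scope (/) and, when run with -Remove, deletes them. It assumes the Az module is installed and you are already signed in with Connect-AzAccount as a Global Administrator who used elevate access.

```powershell
# Added example: audit, and optionally remove, lingering root-scope
# "User Access Administrator" assignments created through elevate access.
# Assumes: Az module installed, Connect-AzAccount already run.
param(
    [switch]$Remove   # without -Remove the script only reports
)

# Elevate access places the assignment at root scope "/".
# The Where-Object filter keeps only true root-scope entries in case the
# cmdlet also returns assignments inherited or listed from other scopes.
$elevated = Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator" |
    Where-Object { $_.Scope -eq "/" }

if (-not $elevated) {
    Write-Output "No root-scope User Access Administrator assignments found."
    return
}

foreach ($ra in $elevated) {
    Write-Output ("Root-scope UAA: {0} ({1}) type={2}" -f $ra.DisplayName, $ra.SignInName, $ra.ObjectType)
    if ($Remove) {
        # Remove by object id so users, groups and service principals are handled alike.
        Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName "User Access Administrator" -Scope "/"
        Write-Output ("Removed root-scope UAA for object {0}" -f $ra.ObjectId)
    }
}
```

Run it without -Remove first to confirm every listed principal is an elevation that is no longer needed; a root-scope assignment that nobody recognises is worth investigating before it is removed.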
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles