If you have ever opened the Access control (IAM) panel for any Azure resource, you will have seen a lot of different tabs, roles and role types. For someone new to Azure, it is genuinely confusing to understand what these roles mean.
In this article, let's look at the different types of roles and what they mean.
Azure Account vs Subscriptions
Accounts and subscriptions are managed in the Azure Account Center. For people who are new to Azure, the obvious question is whether they are the same thing or different.
An account represents the billing relationship. An Azure account is a user identity, one or more Azure subscriptions, and an associated set of Azure resources.
Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for.
Each Azure service that you create needs a subscription ID. Every Azure resource is part of a subscription.
Every subscription can also have its own payment and billing setup. So one account created by one organization can have multiple subscriptions, for example one per project, application or department.
Each subscription is also associated with (trusts) one Azure Active Directory tenant.
Now that we have some basic information about accounts and subscriptions, let's have a look at classic roles.
Overview of Classic Roles
When Azure was launched, it was launched with three roles:
- Account Administrator, 1 per Azure account. Can create subscriptions, cancel subscriptions or change the billing of a subscription. It can also change the Service Administrator. This administrator also has access to the Azure Account Center.
- Service Administrator, 1 per subscription. Manages services in the subscription and also has the ability to cancel the subscription. This administrator can also assign users to the Co-Administrator role. For a new subscription, the Account Administrator is by default the Service Administrator too.
- Co-Administrator, can assign users to the Co-Administrator role, but cannot change the Service Administrator. They also cannot change the association of subscriptions to Azure directories.
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the Classic administrators tab.
Overview of Azure Roles
Later, Azure gained a more fine-grained, role-based authorization system, Azure RBAC, which is built on Azure Resource Manager. This system has more than 70 roles. There are four fundamental roles, of which the first three apply to all resource types:
- Owner, full access to all resources at the assigned scope, and can also delegate access to other users. Service Administrators and Co-Administrators from the classic roles have Owner access at subscription level.
- Contributor, creates and manages all types of Azure resources, but cannot grant access to other users. A Contributor can also create a new tenant in Azure AD.
- Reader, can view all resources, but cannot modify anything.
- User Access Administrator, manages user access to Azure resources.
The rest of the roles are specific to an Azure resource type; for example, Virtual Machine Contributor is limited to creating and managing virtual machines. For a list of all the built-in roles, see Azure built-in roles.
Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users, groups, and applications that are assigned Azure roles cannot use the Azure classic deployment model APIs.
In the Azure portal, role assignments using Azure RBAC appear on the Access control (IAM) blade. This blade can be found throughout the portal, such as management groups, subscriptions, resource groups, and various resources.
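Two things in the description above are easy to read past but matter a great deal in practice: an Azure role assignment at a management group, subscription or resource group inherits down to everything beneath it, and Contributor is "full access" only because its NotActions carve out the Microsoft.Authorization operations that would let it hand out access. The following Python model is an added example (not code from the article or from Microsoft) that evaluates an action against a set of assignments the way those rules work. The role definitions are a simplified excerpt of the real built-in ones (Actions/NotActions only, DataActions omitted, and only a fragment of Virtual Machine Contributor); the principals, subscription and management group ids, scopes and hierarchy are constructed sample data.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, NamedTuple


class Assignment(NamedTuple):
    principal: str  # user, group or service principal
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # management group, subscription, resource group or resource


# Simplified excerpt of the built-in role definitions (Actions/NotActions only;
# DataActions are omitted). The real ones come from `az role definition list`.
ROLE_DEFINITIONS: Dict[str, Dict[str, List[str]]] = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Everything except granting access: this is what separates it from Owner.
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
    # Fragment only: the real role also covers NICs, disks, availability sets, etc.
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "not_actions": [],
    },
}

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def _subscription_of(scope: str):
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "subscriptions":
        return parts[1]
    return None


def scope_covers(assignment_scope: str, target_scope: str, hierarchy: Dict[str, str]) -> bool:
    """True if an assignment at assignment_scope inherits down to target_scope.

    hierarchy maps a subscription id or management group name (lower case) to
    the management group directly above it. ARM scopes are case-insensitive,
    so everything is compared in lower case.
    """
    a, t = assignment_scope.lower(), target_scope.lower()
    if t == a or t.startswith(a + "/"):
        return True  # subscription, resource group or resource scope: plain prefix
    if a.startswith(MG_PREFIX):
        wanted = a[len(MG_PREFIX):]
        node = _subscription_of(t)
        while node in hierarchy:  # walk up the management group tree
            node = hierarchy[node]
            if node == wanted:
                return True
    return False


def role_permits(role: str, action: str) -> bool:
    """NotActions subtract from Actions within the same role definition."""
    definition = ROLE_DEFINITIONS[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in definition["actions"])
    denied = any(fnmatchcase(act, p.lower()) for p in definition["not_actions"])
    return allowed and not denied


def is_authorized(principal: str, action: str, target_scope: str,
                  assignments: List[Assignment], hierarchy: Dict[str, str] = None) -> bool:
    """Allow if any assignment for the principal both covers the scope and permits the action."""
    tree = {k.lower(): v.lower() for k, v in (hierarchy or {}).items()}
    return any(
        scope_covers(a.scope, target_scope, tree) and role_permits(a.role, action)
        for a in assignments
        if a.principal.lower() == principal.lower()
    )


def classic_admins_as_rbac(subscription_id: str, service_admin: str, co_admins: List[str]) -> List[Assignment]:
    """Classic Service Administrator and Co-Administrators surface as Owner at subscription scope."""
    scope = f"/subscriptions/{subscription_id}"
    return [Assignment(p, "Owner", scope) for p in [service_admin, *co_admins]]


# Constructed sample tenant: sub-1111 sits under mg-prod, which sits under mg-root.
SAMPLE_HIERARCHY = {"sub-1111": "mg-prod", "mg-prod": "mg-root"}
RG = "/subscriptions/sub-1111/resourceGroups/rg-app"
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-02"
SAMPLE_ASSIGNMENTS = [
    Assignment("alice@contoso.example", "Reader", MG_PREFIX + "mg-root"),
    Assignment("bob@contoso.example", "Contributor", RG),
    Assignment("carol@contoso.example", "Virtual Machine Contributor", VM1),
] + classic_admins_as_rbac("sub-1111", "svcadmin@contoso.example", ["dave@contoso.example"])

if __name__ == "__main__":
    for who, action, scope in [
        ("alice@contoso.example", "Microsoft.Compute/virtualMachines/read", VM1),
        ("bob@contoso.example", "Microsoft.Authorization/roleAssignments/write", VM1),
        ("dave@contoso.example", "Microsoft.Authorization/roleAssignments/write", VM1),
        ("carol@contoso.example", "Microsoft.Compute/virtualMachines/write", VM2),
    ]:
        print(who, action, is_authorized(who, action, scope, SAMPLE_ASSIGNMENTS, SAMPLE_HIERARCHY))
```

The two checks worth noticing when you run it: Alice can read the VM purely through a Reader assignment three levels up at the root management group, and Bob, a Contributor on the resource group, is refused `Microsoft.Authorization/roleAssignments/write` even though his Actions list is `*`, while Dave, a classic Co-Administrator and therefore Owner at the subscription, is not. Carol's assignment at a single VM does not reach a sibling VM in the same resource group, which is the resource-level scoping the article refers to.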
Overview of Azure AD Roles
While Azure roles let you manage Azure resources, Azure AD roles are used to manage Azure AD resources in a directory: creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains.
In the Azure portal, you can see the list of Azure AD roles on the Roles and administrators blade. For a list of all the Azure AD roles, see Administrator role permissions in Azure Active Directory.
Let's have a look at the important Azure AD roles:
- Global Administrator, manages access to administrative features in Azure Active Directory. This admin can also assign administrator roles to others and reset the password of any user in Azure AD.
- User Administrator, creates and manages users and groups. They can monitor service health and manage support tickets. They can change passwords for users, Help Desk Administrators and other User Administrators.
- Billing Administrator, manages subscriptions and makes purchases. They can also manage support tickets and monitor service health.
I hope this provides you sufficient information on what these roles mean. Let me know your thoughts.