# IT:AD:Azure:Security:Role:Administration:Service Co-Administrator (CA) #

  * See also:
    * [[IT/AD/Azure/Security/Role/Administration/]]
    * [[IT/AD/Azure/Security/Role/Administration/Account Administrator/]]
    * [[IT/AD/Azure/Security/Role/Administration/Service Administrator/]]
    * [[IT/AD/Azure/Subscription/]]

One of the 3 [[IT/AD/Azure/Security/Role/Administration/|Administration Roles]] ((https://azure.microsoft.com/en-us/documentation/articles/billing-add-change-azure-subscription-administrator/)).

A *Service Co-Administrator* has exactly the same rights as a [[IT/AD/Azure/Security/Role/Administration/Service Administrator/|Service Administrator (SA)]], bar adding/removing other *Service Co-Administrators* (or the *Service Administrator*).

In other words, they can set up *Services/Resources*, but cannot see the *Billing* information.

The use of Service Co-Administrators is pretty much deprecated. Consider using the [[IT/AD/Azure/Security/Role/BuiltIn/Contributor/]] or [[IT/AD/Azure/Security/Role/BuiltIn/Owner/]] roles instead.

## Notes ##

When a new [[IT/AD/Azure/Subscription/|Subscription]] is created, it will have an [[IT/AD/Azure/Security/Role/Administration/Account Administrator/|Account Administrator]] and a [[IT/AD/Azure/Security/Role/Administration/Service Administrator/|Service Administrator]], but no [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|Service Co-Administrator]]. These have to be added in a different way:

  * [[IT/AD/Azure/Subscription/HowTo/Add a Co-Administrator]]

A [[IT/AD/Azure/Security/Role/Administration/Service Administrator/|Service Administrator (SA)]] (of which there is only 1) can set up to 200 *Service Co-Administrators*.
[[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|Service Co-Administrator (CA)]]s have the same permissions as the [[IT/AD/Azure/Security/Role/Administration/Service Administrator/|Service Administrator (SA)]] (ie, can create Services) -- bar adding/removing Co-Administrators.

The split between [[IT/AD/Azure/Security/Role/Administration/Service Administrator/|Service Administrator (SA)]] and [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|Service Co-Administrator (CA)]]s is an artificial way of defining which Admin can revoke service creation rights from others -- without it happening to him/her in return.

<uml>
!includeurl http://skysigal.com/_media/resources/configuration/plantuml/default.txt
skinparam packageStyle rect
hide circles

class Subscription {
  Account Administrator : Account
  Service Administrator : Account
  Co-administrators : Account[]
}
class Account

Subscription o-- "1-*" Account
</uml>

### Relationship to BuiltIn Roles ###

As stated above, the allocation of this legacy [[IT/AD/Azure/Security/Role/Administration/|Administration Role]] should be deprecated as much as feasible, in favour of the most appropriate newer [[IT/AD/Azure/Security/Role/BuiltIn/|BuiltIn]] role (ie the [[IT/AD/Azure/Security/Role/BuiltIn/Owner/]] role).

But -- as stated elsewhere (([[IT/AD/Azure/Security/Role/Administration/]])) -- if a user has no legacy *Administrator Role* of any kind (which is what happens when you update them from the [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|Service Co-Administrator (CA)]] role to the [[IT/AD/Azure/Security/Role/BuiltIn/Owner/|Owner]] builtin role), you end up *locking them out of the [[IT/AD/Azure/Portal/Classic Portal/|Classic Portal]]*:

{{ :IT:AD:Azure:Security:Role:service_co-administrator:azure-no-sub.png?direct&200 |}}

Due to this lockout, it is sometimes suggested on the web that AD admins be left as [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|CAs]].
**That's not usually required in Enterprises**, as there is another way to administer AD -- via the [[IT/AD/O365/Portals/|Office 365 Portal]].

That said, if you need to administer ServiceBuses and other features not ported over from the [[IT/AD/Azure/Portal/Classic Portal/|Classic Portal]] to the [[IT/AD/Azure/Portal/Service Portal/]], then yes...the admin has to be a [[IT/AD/Azure/Security/Role/Administration/Service Co-Administrator/|Service Co-Administrator]].

### Relationship to Azure AD Roles ###

Remembering that the Azure AD Service is not the same Service as AD itself is...not obvious.

Whereas the creator of an Azure AD (which is generally the [[IT/AD/Azure/Security/Role/Administration/Account Administrator/]]) is automatically made a [[IT/AD/Azure AD/Roles/Administration/|Azure AD Global Administrator]], others won't be -- unless manually added and provisioned with an Azure AD administration role (they won't even see an AD to manage in their Portal)((http://www.edutech.me.uk/microsoft/identity-and-access-management/active-directory/microsoft-azure-how-subscription-administrators-directory-administrators-differ/)).

## Resources ##

  * https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/
  * https://blog.kloud.com.au/2015/10/16/azure-security-fundamentals-moving-co-admins-to-rbac/
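
The move from Co-Administrators to BuiltIn roles described under *Relationship to BuiltIn Roles* can be audited before anyone's legacy role is removed. The following is an added example, not part of the original page: it assumes a JSON export of role assignments such as `az role assignment list --all --include-classic-administrators` produces, and the field names (`principalName`, `roleDefinitionName`, `scope`), the `CoAdministrator` role string and the sample accounts are assumptions/constructed data.

```python
import json

# BuiltIn roles this page suggests in place of the legacy Co-Administrator role.
REPLACEMENT_ROLES = {"Owner", "Contributor"}

# Constructed sample; field names are an assumption about the export format.
SAMPLE = json.loads("""[
 {"principalName": "sa@example.com",
  "roleDefinitionName": "ServiceAdministrator;AccountAdministrator",
  "scope": "/subscriptions/SUB-A"},
 {"principalName": "ops1@example.com", "roleDefinitionName": "CoAdministrator",
  "scope": "/subscriptions/SUB-A"},
 {"principalName": "Ops2@example.com", "roleDefinitionName": "CoAdministrator",
  "scope": "/subscriptions/SUB-A"},
 {"principalName": "ops1@example.com", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/SUB-A"},
 {"principalName": "ops2@example.com", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/SUB-A/resourceGroups/rg1"}
]""")


def audit_co_admins(assignments):
    """Per subscription: which Co-Administrators already hold Owner/Contributor
    at subscription scope ("ready") and which still need one ("needs_rbac")."""
    co_admins, rbac = {}, set()
    for a in assignments:
        scope = a["scope"].rstrip("/")
        who = a["principalName"].lower()
        roles = set(a["roleDefinitionName"].split(";"))
        if "CoAdministrator" in roles:
            co_admins.setdefault(scope, set()).add(who)
        elif roles & REPLACEMENT_ROLES:
            # A narrower scope (e.g. one resource group) is recorded under its
            # own scope string, so it never matches the subscription below.
            rbac.add((scope, who))
    report = {}
    for scope, people in co_admins.items():
        ready = sorted(p for p in people if (scope, p) in rbac)
        report[scope] = {
            "co_admins": len(people),
            "ready": ready,
            "needs_rbac": sorted(people - set(ready)),
        }
    return report


if __name__ == "__main__":
    for scope, result in audit_co_admins(SAMPLE).items():
        print(scope, result)
```

Accounts listed under `ready` can lose the Co-Administrator role without losing subscription-wide rights, subject to the Classic Portal lockout noted above; accounts under `needs_rbac` would lose them.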