Table of Contents

IT:AD:Azure:Security:Role:Administration:Service Administrator (SA)

Summary

One of the 3 Administration Roles 1).

When a Subscription is created, the same Account used for the Account Administrator (AA) is used to set up the Subscription's Service Administrator (SA).

Notes

There is only one Service Administrator (SA).

Can do all that an Account Administrator (AA) can – bar see the billing information.

Can in turn set up to 200 Service Co-Administrators (CAs).

Service Co-Administrator (CAs)s have the same permissions as the Service Administrator (SA) (ie, can create Services) – bar adding/removing Service Co-Administrators (CAs).

The reason for the split between Service Administrator (SA) and Service Co-Administrators (CAs) is an artificial way of defining which Admin can revoke service creation rights from others – and not have it done to him/her…

SubscriptionAccount Administrator : AccountService Administrator : AccountCo-administrators : Account[]Account1-*

Relationship to Azure AD Roles

Remembering that the Azure AD Service is not the same Service as AD itself is…not obvious.

Whereas the the creator of an Azure AD (which is generally the IT:AD:Azure:Security:Role:Administration:Account Administrator (AA)) is automatically made a Azure AD Global Administrator, others won't be – unless manually added and provisioned with an Azure AD administration role (they won't even see an AD to manage in their Portal)2).

Resources

1)
https://azure.microsoft.com/en-us/documentation/articles/billing-add-change-azure-subscription-administrator/
2)
http://www.edutech.me.uk/microsoft/identity-and-access-management/active-directory/microsoft-azure-how-subscription-administrators-directory-administrators-differ/