
IT:AD:Azure:Security:Role:Administration:Service Co-Administrator (CA)

Summary

One of the 3 Administration Roles 1).

A Service Co-Administrator has exactly the same rights as a Service Administrator (SA), bar adding/removing other Service Co-Administrators (or the Service Administrator).

In other words, they can set up Services/Resources, but cannot see the Billing information.
The use of Service Co-Administrators is pretty much deprecated. Consider using IT:AD:Azure:Security:Role:BuiltIn Roles:Contributor or IT:AD:Azure:Security:Role:BuiltIn Roles:Owner roles.

When a new Subscription is created, it will have an Account Administrator and a Service Administrator, but no Service Co-Administrator. They have to be added in a different way:

  • Add a Co-Administrator

A Service Administrator (SA) (of which there is only 1) can set up to 200 Service Co-Administrators.

Service Co-Administrators (CAs) have the same permissions as the Service Administrator (SA) (ie, can create Services) – bar adding/removing Co-Administrators.

The split between the Service Administrator (SA) and Service Co-Administrators (CAs) is an artificial way of defining which Admin can revoke service creation rights from others – without it happening to him/her in return.

[Diagram: Subscription (Account Administrator : Account, Service Administrator : Account, Co-administrators : Account[]) 1-* Account]

As stated above, the allocation of this legacy Administration Role should be deprecated as much as feasible, in favour of the most appropriate newer BuiltIn role (ie the IT:AD:Azure:Security:Role:BuiltIn Roles:Owner role).

But – as stated elsewhere 2) – if a user has no legacy Administrator Role of any kind (which is what happens when you update them from the Service Co-Administrator (CA) role to the Owner builtin role), you end up locking them out of the Classic Portal.

Due to this lockout, it is sometimes suggested on the web that AD admins be left as CAs. That's not usually required in Enterprises, as there is another way to administer AD – via the Office 365 Portal.

That said, if you need to administer ServiceBuses and other features not ported over from the Classic Portal to the IT:AD:Azure:Portal:Service Portal, then yes…the admin has to be a Service Co-Administrator.
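
An added example, not part of the original page: an offline audit that checks which Co-Administrators already hold Owner or Contributor at subscription scope before the legacy role is removed, plus the one-SA and 200-CA limits stated above. The sample data, its field names and the placeholder subscription id are constructed assumptions.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample data; field names are assumptions modelled on the ARM
# classicAdministrators and roleAssignments listings, not real tenant output.
CLASSIC_ADMINS = [
    {"emailAddress": "owner@example.com", "role": "ServiceAdministrator;AccountAdministrator"},
    {"emailAddress": "Ops1@example.com", "role": "CoAdministrator"},
    {"emailAddress": "ops2@example.com", "role": "CoAdministrator"},
    {"emailAddress": "ops3@example.com", "role": "CoAdministrator"},
]
ROLE_ASSIGNMENTS = [
    {"signInName": "ops1@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    # Resource-group scope only: does not replace subscription-wide CA rights.
    {"signInName": "ops2@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
]
REPLACEMENTS = {"Owner", "Contributor"}   # the roles the page recommends
MAX_CO_ADMINS = 200                       # limit stated on the page


def audit(classic_admins, role_assignments, sub_scope):
    """Classify legacy admins and report who already holds a replacement role."""
    by_role = {}
    for entry in classic_admins:
        for role in entry["role"].split(";"):   # one account can hold two roles
            by_role.setdefault(role, set()).add(entry["emailAddress"].lower())
    # Only assignments made at the subscription scope itself count as cover.
    covered = {a["signInName"].lower() for a in role_assignments
               if a["roleDefinitionName"] in REPLACEMENTS
               and a["scope"].lower() == sub_scope.lower()}
    co_admins = by_role.get("CoAdministrator", set())
    findings = []
    if len(by_role.get("ServiceAdministrator", set())) != 1:
        findings.append("expected exactly one Service Administrator")
    if len(co_admins) > MAX_CO_ADMINS:
        findings.append("more than 200 Co-Administrators listed")
    return {
        "has_replacement": sorted(co_admins & covered),
        "needs_replacement": sorted(co_admins - covered),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(CLASSIC_ADMINS, ROLE_ASSIGNMENTS, SUB)
    print("CA + subscription-scope RBAC role:", report["has_replacement"])
    print("CA only, assign Owner/Contributor first:", report["needs_replacement"])
    print("Findings:", report["findings"] or "none")
```

Accounts under `has_replacement` are candidates for dropping the CA role only if they do not depend on the Classic Portal features mentioned above.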

Remembering that the Azure AD Service is not the same Service as AD itself is…not obvious.

Whereas the creator of an Azure AD (which is generally the IT:AD:Azure:Security:Role:Administration:Account Administrator (AA)) is automatically made an Azure AD Global Administrator, others won't be – unless manually added and provisioned with an Azure AD administration role (they won't even see an AD to manage in their Portal)3).


  • Last modified: 2023/11/04 03:02