Assigning administrator roles in Azure AD

Updated: August 31, 2015

Applies To: Azure

Important

Please bear with us as we migrate this and other content to the Microsoft Azure website. This topic is no longer being updated and might become out of date. Please bookmark the updated Azure article on this subject, Assigning administrator roles in Azure AD.

When you assign an admin role using any of the portals (or cmdlets), the change is tenant-wide: assigning an admin role in one portal grants the user the same permissions across all of the services that your organization has subscribed to. For more information about how your tenant works, see Administering your Azure AD tenant.

Depending on the size of your company, you may want to designate several administrators who serve different functions. These administrators will have access to various features in the Azure Management Portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things.

The following administrator roles are available:

  • Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

    Note

    The billing administrator role does not allow the designated user to manage Azure subscriptions or billing. Only the account administrator for the Azure subscription can do this. For more information, see What are the different Azure administrative roles, and what can each one do?.

  • Global administrator: Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

  • Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

  • Service administrator: Manages service requests and monitors service health.

    Note

    To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in the Azure Management Portal.

  • User administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

What are you interested in?

  • Administrator permissions by role

  • Details about the global administrator role

  • Assign or remove administrator roles for an existing user

  • Assign or remove administrator roles for multiple users

Administrator permissions by role

The following table shows the administrator roles and their associated permissions.

| Permission | Billing administrator | Global administrator | Password administrator | Service administrator | User administrator |
|---|---|---|---|---|---|
| View company and user information | Yes | Yes | Yes | Yes | Yes |
| Manage Office support tickets | Yes | Yes | Yes | Yes | Yes |
| Reset user passwords | No | Yes | Yes | No | Yes; with limitations. He or she cannot reset passwords for billing, global, and service administrators. |
| Perform billing and purchasing operations for Office products | Yes | Yes | No | No | No |
| Create and manage user views | No | Yes | No | No | Yes |
| Create, edit, and delete users and groups, and manage user licenses | No | Yes | No | No | Yes; with limitations. He or she cannot delete a global administrator or create other administrators. |
| Manage domains | No | Yes | No | No | No |
| Manage company information | No | Yes | No | No | No |
| Delegate administrative roles to others | No | Yes | No | No | No |
| Use directory synchronization | No | Yes | No | No | No |
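
Because a role assignment applies tenant-wide, the table can be used to pick the smallest role that still covers the tasks an administrator performs. The following Python sketch is an added example, not part of the original article or any Microsoft tooling: it transcribes the table, models the two password-reset limitations, and flags accounts that hold a larger role than their tasks require. The short role and permission keys, the sample accounts, and the reading that a user administrator can reset any account the article does not exclude are assumptions.

```python
# Added example. Permission -> roles marked "Yes" in the table above.
ROLES = ("billing", "global", "password", "service", "user")
MATRIX = {
    "view_info": set(ROLES),
    "support_tickets": set(ROLES),
    "reset_passwords": {"global", "password", "user"},
    "billing_purchasing": {"billing", "global"},
    "user_views": {"global", "user"},
    "manage_users_groups_licenses": {"global", "user"},
    "manage_domains": {"global"},
    "manage_company_info": {"global"},
    "delegate_roles": {"global"},
    "directory_sync": {"global"},
}

def permissions_of(role):
    return {p for p, roles in MATRIX.items() if role in roles}

def least_privileged_roles(needed):
    """Roles that cover every needed permission while granting the fewest."""
    needed = set(needed)
    if needed - set(MATRIX):
        raise ValueError(f"unknown permission(s): {sorted(needed - set(MATRIX))}")
    covering = [r for r in ROLES if needed <= permissions_of(r)]
    fewest = min((len(permissions_of(r)) for r in covering), default=0)
    return [r for r in covering if len(permissions_of(r)) == fewest]

def can_reset_password(actor, target=None):
    """target: the target account's admin role, or None for an ordinary user."""
    if actor == "password":   # only users and other password administrators
        return target in (None, "password")
    if actor == "user":       # not billing, global, or service administrators
        return target not in ("billing", "global", "service")
    return actor == "global"  # billing and service admins cannot reset at all

def audit(assignments):
    """Map each over-privileged account to the smaller role(s) that would suffice."""
    findings = {}
    for account, (role, needed) in assignments.items():
        best = least_privileged_roles(needed)
        if best and len(permissions_of(role)) > len(permissions_of(best[0])):
            findings[account] = best
    return findings

# Constructed sample data: account -> (assigned role, tasks actually performed).
SAMPLE = {"alice": ("global", {"reset_passwords"}),
          "bob": ("user", {"manage_users_groups_licenses"}),
          "carol": ("global", {"manage_domains", "directory_sync"})}
print(audit(SAMPLE))
```

In the sample, only alice is reported: she holds the global administrator role but only resets passwords, which the password administrator role covers.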

Details about the global administrator role

The global administrator has access to all administrative features. By default, the person who signs up for an Azure account on behalf of your organization automatically becomes the first global administrator in your tenant. Only global administrators can assign other administrator roles. There can be more than one global administrator at your organization. A global administrator has the following permissions in the directory:

  • View organization and user information

  • Manage Office support tickets

  • Reset user passwords

  • Perform billing and purchasing operations for Office products

  • Create and manage user views

  • Create, edit, and delete users and groups, and manage user licenses

  • Manage domains

  • Manage organization information

  • Delegate administrative roles to others

  • Use directory synchronization

Assign or remove administrator roles for an existing user

Use the following steps to assign or remove administrator roles for an existing user.

Note

Administrators who forget their passwords can use the password self-reset process to regain access to their accounts. To use this feature, both a mobile phone number that can receive a text message and an alternate email address that is not tied to your Azure subscription must be included with an administrator’s information.

To assign or remove an administrator role using the Azure Management Portal

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click the display name of the user you want to edit.

  3. Select the Organizational Role drop-down menu, and then select the administrator role that you want to assign to this user, or select User if you want to remove an existing administrator role.

  4. In the Alternate Email Address box, type an email address. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access Azure.

  5. Select Allow or Block to specify whether to allow the user to sign in and access services.

  6. Specify a location from the Usage Location drop-down list.

  7. When you have finished, click Save.
