Export (0) Print
Expand All

Assigning administrator roles

Published: October 1, 2013

Updated: June 16, 2014

Applies To: Azure

CautionCaution
When you assign an admin role using any of the portals (or cmdlets), it is important you understand that this change will be tenant-wide, so assigning an admin role in one portal will grant the user the same permissions across all of the services that your organization has subscribed to. For more information about how your tenant works, see Administering your Azure AD directory.

Depending on the size of your company, you may want to designate several administrators who serve different functions. These administrators will have access to various features in the Azure Management Portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things.

The following administrator roles are available:

  • Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

  • Global administrator: Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

  • Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

  • Service administrator: Manages service requests and monitors service health.

    noteNote
    To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in the Azure Management Portal.

  • User administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

The following table shows the administrator roles and their associated permissions.

 

Permission

Billing administrator

Global administrator

Password administrator

Service administrator

User administrator

View company and user information

Yes

Yes

Yes

Yes

Yes

Manage Office support tickets

Yes

Yes

Yes

Yes

Yes

Reset user passwords

No

Yes

Yes

No

Yes; with limitations. He or she cannot reset passwords for billing, global, and service administrators.

Perform billing and purchasing operations for Office products

Yes

Yes

No

No

No

Create and manage user views

No

Yes

No

No

Yes

Create, edit, and delete users and groups, and manage user licenses

No

Yes

No

No

Yes; with limitations. He or she cannot delete a global administrator or create other administrators.

Manage domains

No

Yes

No

No

No

Manage company information

No

Yes

No

No

No

Delegate administrative roles to others

No

Yes

No

No

No

Use directory synchronization

No

Yes

No

No

No

The global administrator has access to all administrative features. By default, the person who signs up for an Azure account on behalf of your organization automatically becomes the first global administrator in your tenant. Only global administrators can assign other administrator roles. There can be more than one global administrator at your organization. A global administrator has the following permissions in the directory:

  • View organization and user information

  • Manage Office support tickets

  • Reset user passwords

  • Perform billing and purchasing operations for Office products

  • Create and manage user views

  • Create, edit, and delete users and groups, and manage user licenses

  • Manage domains

  • Manage organization information

  • Delegate administrative roles to others

  • Use directory synchronization

Use the following steps to assign or remove administrator roles for an existing user.

noteNote
Administrators who forget their passwords can use the password self-reset process to regain access to their accounts. To use this feature, both a mobile phone number that can receive a text message and an alternate email address that is not tied to your Azure subscription must be included with an administrator’s information.

  1. In the Management Portal, click Active Directory, and then click on the name of your organization’s directory.

  2. On the Users page, click the display name of the user you want to edit.

  3. Select the Organizational Role drop-down menu, and then select the administrator role that you want to assign to this user, or select User if you want to remove an existing administrator role.

  4. In the Alternate Email Address box, type an email address. This email address is used for important notifications, including password self-reset, so the user must be able to access the email account whether or not the user can access Azure.

  5. Select Allow or Block to specify whether to allow the user to sign in and access services.

  6. Specify a location from the Usage Location drop-down list.

  7. When you have finished, click Save.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft