Cloud Computing

Administrator Roles in Azure AD

In various Azure projects we needed to assign certain roles to our users in Azure AD. Main thing is to understand their tasks and scope of responsibilities. Azure gives us a few roles which give users to access various features such as managing subscriptions, assigning other administrator roles, password reset, managing service requests and managing user account. When we assign these roles to users, they will access all these features across all of the cloud services that your organization has subscribed to. This is very important to bear in mind.

admin

The following administrator roles are available:

  • Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors service health.
  • Global administrator: Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.
  • Password administrator: Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.
  • Service administrator: Manages service requests and monitors service health.
    Note: To assign the service administrator role to a user, the global administrator must first assign administrative permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to the user in the Azure classic portal.
  • User administrator: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Administrator permissions

Billing administrator

Can do Cannot do
View company and user information

Manage Office support tickets

Perform billing and purchasing operations for Office products

Reset user passwords

Create and manage user views

Create, edit, and delete users and groups, and manage user licenses

Manage domains

Manage company information

Delegate administrative roles to others

Use directory synchronization

Global administrator

Can do Cannot do
View company and user information

Manage Office support tickets

Perform billing and purchasing operations for Office products

Reset user passwords

Create and manage user views

Create, edit, and delete users and groups, and manage user licenses

Manage domains

Manage company information

Delegate administrative roles to others

Use directory synchronization

Enable or disable multi-factor authentication

N/A

Password administrator

Can do Cannot do
View company and user information

Manage Office support tickets

Reset user passwords

Perform billing and purchasing operations for Office products

Create and manage user views

Create, edit, and delete users and groups, and manage user licenses

Manage domains

Manage company information

Delegate administrative roles to others

Use directory synchronization

Service administrator

Can do Cannot do
View company and user information

Manage Office support tickets

Reset user passwords

Perform billing and purchasing operations for Office products

Create and manage user views

Create, edit, and delete users and groups, and manage user licenses

Manage domains

Manage company information

Delegate administrative roles to others

Use directory synchronization

User administrator

Can do Cannot do
View company and user information

Manage Office support tickets

Reset user passwords, with limitations. He or she cannot reset passwords for billing, global, and service administrators.

Create and manage user views

Create, edit, and delete users and groups, and manage user licenses, with limitations. He or she cannot delete a global administrator or create other administrators.

Perform billing and purchasing operations for Office products

Manage domains

Manage company information

Delegate administrative roles to others

Use directory synchronization

Enable or disable multi-factor authentication

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s