Azure classic subscription administrators

Important

As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. If you still have active Co-Administrator or Service Administrator role assignments, convert these role assignments to Azure RBAC immediately.

Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). If you're still using the classic deployment model, you'll need to migrate your resources from classic deployment to Resource Manager deployment. For more information, see Azure Resource Manager vs. classic deployment.

This article describes the retirement of the Co-Administrator and Service Administrator roles and how to convert these role assignments.

Frequently asked questions

What happens to classic administrator role assignments after August 31, 2024?

  • Co-Administrator and Service Administrator roles are retired and no longer supported. You should convert these role assignments to Azure RBAC immediately.

How do I know what subscriptions have classic administrators?

  • You can use an Azure Resource Graph query to list subscriptions with Service Administrator or Co-Administrator role assignments. For steps see List classic administrators.

What is the equivalent Azure role I should assign for Co-Administrators?

  • Owner role at subscription scope has the equivalent access. However, Owner is a privileged administrator role and grants full access to manage Azure resources. You should consider a job function role with fewer permissions, reduce the scope, or add a condition.

What is the equivalent Azure role I should assign for Service Administrator?

  • Owner role at subscription scope has the equivalent access.

Why do I need to migrate to Azure RBAC?

  • Azure RBAC offers fine grained access control, compatibility with Microsoft Entra Privileged Identity Management (PIM), and full audit logs support. All future investments will be in Azure RBAC.

What about the Account Administrator role?

  • The Account Administrator is the primary user for your billing account. Account Administrator isn't being deprecated and you don't need to convert this role assignment. Account Administrator and Service Administrator might be the same user. However, you only need to convert the Service Administrator role assignment.

What should I do if I lose access to a subscription?

  • If you remove your classic administrators without having at least one Owner role assignment for a subscription, you will lose access to the subscription and the subscription will be orphaned. To regain access to a subscription, you can do the following:

What should I do if I have a strong dependency on Co-Administrators or Service Administrator?

List classic administrators

Follow these steps to list the Service Administrator and Co-Administrators for a subscription using the Azure portal.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view a list of the Co-Administrators.

    Screenshot of Access control (IAM) page with Classic administrators tab selected.

Co-Administrators retirement

If you still have classic administrators, use the following steps to help you convert Co-Administrator role assignments.

Step 1: Review your current Co-Administrators

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Use the Azure portal or Azure Resource Graph to list of your Co-Administrators.

  3. Review the sign-in logs for your Co-Administrators to assess whether they're active users.

Step 2: Remove Co-Administrators that no longer need access

  1. If user is no longer in your enterprise, remove Co-Administrator.

  2. If user was deleted, but their Co-Administrator assignment wasn't removed, remove Co-Administrator.

    Users that have been deleted typically include the text (User was not found in this directory).

    Screenshot of user not found in directory and with Co-Administrator role.

  3. After reviewing activity of user, if user is no longer active, remove Co-Administrator.

Step 3: Convert Co-Administrators to job function roles

Most users don't need the same permissions as a Co-Administrator. Consider a job function role instead.

  1. If a user still needs some access, determine the appropriate job function role they need.

  2. Determine the scope user needs.

  3. Follow steps to assign a job function role to user.

  4. Remove Co-Administrator.

Step 4: Convert Co-Administrators to Owner role with conditions

Some users might need more access than what a job function role can provide. If you must assign the Owner role, consider adding a condition or using Microsoft Entra Privileged Identity Management (PIM) to constrain the role assignment.

  1. Assign the Owner role with conditions.

    For example, assign the Owner role at subscription scope with conditions. If you have PIM, make the user eligible for Owner role assignment.

  2. Remove Co-Administrator.

Step 5: Convert Co-Administrators to Owner role

If a user must be an administrator for a subscription, assign the Owner role at subscription scope.

How to convert a Co-Administrator to Owner role

The easiest way to covert a Co-Administrator role assignment to the Owner role at subscription scope is to use the Remediate steps.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view a list of the Co-Administrators.

  5. For the Co-Administrator you want to convert to the Owner role, under the Remediate column, select the Assign RBAC role link.

  6. In the Add role assignment pane, review the role assignment.

    Screenshot of Add role assignment pane after selecting Assign RBAC role link.

  7. Select Review + assign to assign the Owner role and remove the Co-Administrator role assignment.

How to remove a Co-Administrator

Follow these steps to remove a Co-Administrator.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view a list of the Co-Administrators.

  5. Add a check mark next to the Co-Administrator you want to remove.

  6. Select Delete.

  7. In the message box that appears, select Yes.

    Screenshot of message box when removing a Co-Administrator.

Service Administrator retirement

If you still have classic administrators, use the following steps to help you convert the Service Administrator role assignment. Before you remove the Service Administrator, you must have at least one user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.

Step 1: Review your current Service Administrator

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Use the Azure portal or Azure Resource Graph to list your Service Administrator.

  3. Review the sign-in logs for your Service Administrator to assess whether they're an active user.

Step 2: Review your current Billing account owners

The user that is assigned the Service Administrator role might also be the same user that is the administrator for your billing account. You should review your current Billing account owners to ensure they are still accurate.

  1. Use the Azure portal to get your Billing account owners.

  2. Review your list of Billing account owners. If necessary, update or add another Billing account owner.

Step 3: Convert Service Administrator to Owner role

Your Service Administrator might be a Microsoft account or a Microsoft Entra account. A Microsoft account is a personal account such as Outlook, OneDrive, Xbox LIVE, or Microsoft 365. A Microsoft Entra account is an identity created through Microsoft Entra ID.

  1. If Service Administrator user is a Microsoft account and you want this user to keep the same permissions, convert the Service Administrator to Owner role.

  2. If Service Administrator user is a Microsoft Entra account and you want this user to keep the same permissions, convert the Service Administrator to Owner role.

  3. If you want to change the Service Administrator user to a different user, assign the Owner role to this new user at subscription scope without conditions. Then, remove the Service Administrator.

How to convert the Service Administrator to Owner role

The easiest way to convert the Service Administrator role assignment to the Owner role at subscription scope is to use the Remediate steps.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab to view the Service Administrator.

  5. For the Service Administrator, under the Remediate column, select the Assign RBAC role link.

  6. In the Add role assignment pane, review the role assignment.

    Screenshot of Add role assignment pane after selecting Assign RBAC role link.

  7. Select Review + assign to assign the Owner role and remove the Service Administrator role assignment.

How to remove the Service Administrator

Important

To remove the Service Administrator, you must have a user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.

  1. Sign in to the Azure portal as an Owner of a subscription.

  2. Open Subscriptions and select a subscription.

  3. Select Access control (IAM).

  4. Select the Classic administrators tab.

  5. Add a check mark next to the Service Administrator.

  6. Select Delete.

  7. In the message box that appears, select Yes.

    Screenshot of remove classic administrator message when removing a Service Administrator.

Next steps