Assign a user as an administrator of an Azure subscription with conditions

To assign Azure roles, you must have:

• Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator or User Access Administrator

Follow these steps:

1. Sign in to the Azure portal.

2. In the Search box at the top, search for subscriptions.

3. Click the subscription you want to use.

   The following shows an example subscription.

   

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.

1. Click Access control (IAM).

   The following shows an example of the Access control (IAM) page for a subscription.

   

2. Click the Role assignments tab to view the role assignments at this scope.

3. Click Add > Add role assignment.

   If you don't have permissions to assign roles, the Add role assignment option will be disabled.

   

   The Add role assignment page opens.

The Owner role grant full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.

1. On the Role tab, select the Privileged administrator roles tab.

   

2. Select the Owner role.

3. Click Next.

Follow these steps:

1. On the Members tab, select User, group, or service principal.

   

2. Click Select members.

3. Find and select the user.

   You can type in the Select box to search the directory for display name or email address.

   

4. Click Save to add the user to the Members list.

5. In the Description box enter an optional description for this role assignment.

   Later you can show this description in the role assignments list.

6. Click Next.

Since the Owner role is a highly privileged role, Microsoft recommends you add a condition to constrain the role assignment.

1. On the Conditions tab under What user can do, select the Allow user to only assign selected roles to selected principals (fewer privileges) option.

   

2. Select Select roles and principals.

   The Add role assignment condition page appears with a list of condition templates.

   

3. Select a condition template and then select Configure.

   Condition template	Select this template to
   Constrain roles	Allow user to only assign roles you select
   Constrain roles and principal types	Allow user to only assign roles you select Allow user to only assign these roles to principal types you select (users, groups, or service principals)
   Constrain roles and principals	Allow user to only assign roles you select Allow user to only assign these roles to principals you select

   Tip

   If you want to allow most role assignments, but don't allow specific role assignments, you can use the advanced condition editor and manually add a condition.

4. In the configure pane, add the required configurations.

   

5. Select Save to add the condition to the role assignment.

Follow these steps:

1. On the Review + assign tab, review the role assignment settings.

2. Click Review + assign to assign the role.

   After a few moments, the user is assigned the Owner role for the subscription.