To make a user an administrator of an Azure subscription, you assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. Since the Owner role is a highly privileged role, Microsoft recommends you add a condition to constrain the role assignment. For example, you can allow a user to only assign the Virtual Machine Contributor role to service principals.
This article describes how to assign a user as an administrator of an Azure subscription with conditions. These steps are the same as any other role assignment.
Prerequisites
To assign Azure roles, you must have the Microsoft.Authorization/roleAssignments/write permission, which is included in roles such as Role Based Access Control Administrator or User Access Administrator.
Step 1: Open the subscription
Follow these steps:
Sign in to the Azure portal.
In the Search box at the top, search for subscriptions.
Click the subscription you want to use.
The following shows an example subscription.
Step 2: Open the Add role assignment page
Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
Click Access control (IAM).
The following shows an example of the Access control (IAM) page for a subscription.
Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
The Add role assignment page opens.
Step 3: Select the Owner role
The Owner role grants full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.
On the Role tab, select the Privileged administrator roles tab.
Select the Owner role.
Click Next.
Step 4: Select who needs access
Follow these steps:
On the Members tab, select User, group, or service principal.
Click Select members.
Find and select the user.
You can type in the Select box to search the directory for display name or email address.
Click Save to add the user to the Members list.
In the Description box, enter an optional description for this role assignment.
Later you can show this description in the role assignments list.
Click Next.
Step 5: Add a condition
Since the Owner role is a highly privileged role, Microsoft recommends you add a condition to constrain the role assignment.
On the Conditions tab under What user can do, select the Allow user to only assign selected roles to selected principals (fewer privileges) option.
Select Select roles and principals.
The Add role assignment condition page appears with a list of condition templates.
Select a condition template and then select Configure.
Condition template | Select this template to
Constrain roles | Allow user to only assign roles you select
Constrain roles and principal types | Allow user to only assign roles you select. Allow user to only assign these roles to principal types you select (users, groups, or service principals)
Constrain roles and principals | Allow user to only assign roles you select. Allow user to only assign these roles to principals you select
Tip
If you want to allow most role assignments, but don't allow specific role assignments, you can use the advanced condition editor and manually add a condition.
In the configure pane, add the required configurations.
Select Save to add the condition to the role assignment.
Step 6: Assign role
Follow these steps:
On the Review + assign tab, review the role assignment settings.
Click Review + assign to assign the role.
After a few moments, the user is assigned the Owner role for the subscription.
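The same constrained Owner assignment can be made from the Azure CLI instead of the portal. The script below is an added example, not code from the Microsoft article: it builds the condition that the "Constrain roles and principal types" template produces, so that the new owner can assign only Virtual Machine Contributor, and only to service principals (the scenario named in the introduction), and attaches it to an Owner assignment at subscription scope. It assumes the Azure CLI is installed and signed in; the subscription ID and user name in the usage line are placeholders.

```shell
# Added example, not from the Microsoft article: CLI equivalent of Steps 3-6.
# Assumes `az login` has been run; the subscription ID and UPN are placeholders.
set -eu

# Build the ABAC condition behind the "Constrain roles and principal types"
# template. $1 = GUID of the only role the delegate may assign, $2 = the only
# principal type it may be assigned to. Both write and delete are constrained.
build_condition() {
  role_id="$1"; ptype="$2"
  cat <<EOF
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${role_id}}
  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'${ptype}'}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${role_id}}
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'${ptype}'}
 )
)
EOF
}

# Assign Owner with the condition attached. $1 = subscription ID, $2 = user UPN.
assign_constrained_owner() {
  sub_id="$1"; upn="$2"
  # Resolve the built-in role's GUID from the directory rather than hardcoding it.
  vmc_id=$(az role definition list --name "Virtual Machine Contributor" --query "[0].name" -o tsv)
  az role assignment create \
    --role "Owner" \
    --assignee "$upn" \
    --scope "/subscriptions/${sub_id}" \
    --description "Delegated owner: may only assign VM Contributor to service principals" \
    --condition "$(build_condition "$vmc_id" "ServicePrincipal")" \
    --condition-version "2.0"
}
# Usage (placeholders): assign_constrained_owner 00000000-0000-0000-0000-000000000000 user@contoso.com
```

Afterwards, `az role assignment list --scope "/subscriptions/<id>" --assignee <upn>` shows the condition on the Owner assignment, which is what the Role assignments tab displays in the portal.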