Skip to main content

Changing Service Admin Account in your Azure Subscription

By default, when you deploy your new Azure subscription the "Service administrator" is the same as "Account administrator" which means that this account has permissions to both the EA portal and the Azure portal. For us we had to change this as Azure Account team didn't need access to the Azure portal. To change this, it was a simple process as both the Service administrator and Account administrator is the same user. 
 
First go to https://portal.azure.com with the account that you used to sign up for the subscription then head to subscriptions and locate your subscription. If we want to check to make sure you are logged in as the "Service Administrator" then click "subscriptions" then go to "Access control (IAM)" then "Classic administrators" tab and you should see the your account there with the role of "Service administrator".
As we are still in the subscription blade click on "properties" and click on "Service Admin"
On this screen enter the email address you would like to assign to the "Service Admin" account and click "OK". Please be aware it does not check if the account exists.

You may need to give it a bit of time by clicking around other parts of the subscription or sections of the subscription blade. Afterwards if you go back to the subscription properties you should see that the "Service Administrator" should have changed to the account you have specified. You can also go to  "Access control (IAM)" then "Classic administrators" tab and that should of changed to the new account you specified.

Remember once you have changed it the "Account administrator" will lose access to the Azure Portal which is the affect that I was after. 

Now the tricky bit is that we wish to change the "Service administrator" now as the user ([email protected]) will be leaving the organisation so how do we do this? Well you need to check again at subscriptions > Properties and see who is the "Account administrator". Next check if they have "owner" permissions or "Co-Administrator" role within the Azure portal by either logging in as them or go to the subscription "Access control (IAM)". You have 3 options to check the permissions.

"Check access" tab, if you want to check against the account you are logged in as then click "view my access" otherwise find the user account you would like to check then once you have located it then click on the name. You will have a new pop up blade which will display the permissions

You can see from the above image that "Kin Yung" account has the relevant permissions (Owner or Co-Administrator).

The other two options are "Role Assignment" where you must see if the account is listed with "owner" permission. Under "Classic administrators" you will be looking to see that it is listed as "co-administrator"

If the account doesn't have permissions then they need to ask someone to temporary assign them the either the role of "owner" or "co-administrator". You can do this by going to the subscription > "Access control (IAM)" then "Add". Select either "Add role assignment" or "Add co-administrator"

If you select "Add role assignment" then make sure the role as "owner" and then search for the user account in your directory to be assigned the role.


Please Note: According to Microsoft documentation Contributor only "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC" so you will need to grant the user "owner" permissions

If the user logged in doesn't have permissions, you will see the "Service admin" button greyed so you need to make sure that the account has permissions by doing one of the options above.

 

Once you have granted the "Account Administrator" permissions to Azure portal then they can log in and change the "Service Administrator" to the desired account following the steps above.

Remember once you have finished this work to remove the account from "owner" or "co-administrator" permissions from the Azure portal. 

Although Microsoft states that "Service Administrator" account is for classic Azure but I feel it's best to use an account that is valid in case there is something that needs to use it. 

You can assign additional "co-administrator" by going to the subscription and selecting
"Access control (IAM)". Click on "Add co-administrator"


Now select the accounts that you wish to add as co-administrators from your directory and click "OK"

Once added go to the "Classic Administrator" tab and you should see the new account you have added and it will be listed as "Co-Administrator"




Comments

Popular posts from this blog

Rolling back a version of ESXi

There is an option in VMware where after you have performed an major upgrade of ESXi you can roll back to your previous version. The benefit of this is that you would not need to reinstall your ESXi and its configuration if you had issues with the new software. I had to do this on one occassion in my lab where I upgraded from 6.5 to 6.7 and my VMs would not run because the CPU was not supported in 6.7. Please remember if you are using ISO method to upgrade ESXi please ensure you select "Upgrade ESXi, preserve VMFS datastore". Selecting "Install ESXi, preserve VMFS datastore" does not mean preserving datastore means retaining ESXi as it will still do a clean install of ESXi. This method does not work for vSphere 7.0 as there are changes to the partitions on the boot device. Below are the steps to roll back to a previous version which is quite straight forward. As always perform an backup of your host configuration before you upgrade or rollback ( KB2042141 ). I have

Configuring ESXi 6 host to send logs to Syslog Server

In my previous post I talked about configuring VMware Syslog server for Windows which is installed and enabled by default on installation of vCenter 6 for Windows. I will now describe the basic configuration that is required on an ESXi 6 host to be able to send logs out to a syslog server using my vCenter as the example. 1) Navigate to your ESXi host within vCenter. Go to "Manage" tab and select "Settings" followed by "Advanced System Settings". Look for the settings "Syslog.global.loghost" and highlight this settings. Click the pencil icon to edit the configuration for this setting. 2) You can now add the host name or ip address of your syslog server/s. You can enter just hostname or IP address, use udp://hostname:514 or ssl://hostname:1514 to be more specific on the port and protocol to be used. If you have multiple hosts then you use the comma (,) to separate each server i.e. udp://192.168.0.1:514,udp://192.168.0.2:514 3)We n

Access vSphere Web client blank page in Chrome

Today I came across in my LAB where when I tried to access my vSphere Web Client in chrome and I just get a blank web page with no error message. At first I thought my vCenter Web client service was having issues and did a couple of restart. I then decided to use firefox and internet explorer to make sure it was not a browser problem and it appeared to work in the other browsers. Next I decided to clear all the cache in Chrome and it still didn't work at all !!!. Last resort for me was to try and reset the browser settings to their original defaults which worked. So to reset the browser settings to default you need to: Open chrome > Open Settings > Show Advanced Settings > Reset browser Settings > Reset Close Chrome and open again and if you was using self-signed certificates click "Proceed anyway" Just a word of warning of reset browser settings where you will lose all your settings. There is an article on VMware website but it is for issues with acc