I recently received a question along the lines of “I’m a co-admin on an Azure subscription, so I should have access to everything, but I can’t modify the directory. Why not?”
Here was my answer:
Azure Subscriptions are a billing and security container.
Azure Subscriptions contain resources like blob containers, VMs, etc.
Azure Directory is an identity container.
Azure Directories can:
- Define a user account (org id)
- Reference a user account from another directory (foreign principal org id)
- Reference a Microsoft Account
An Azure Directory is not a resource. It lives outside the subscription, on its own.
Every Azure Subscription is linked to an Azure Directory as the place that it reads its identities from.
“Co-owner” is a security role applied at the Azure Subscription level, granting control of the resources within that subscription.
Generally, we should be granting less co-admin rights in the old portal, and focussing on RBAC-based grants in the new portal instead. (They’re more finely grained, to a specific resource, resource group, or set of actions.)
Because an Azure Directory is not a resource, and does not live in the subscription, the co-owner concept does not apply to it.
“User administrator” and “Global administrator” are security roles applied at the Azure Directory level. They relate only to the directory, and not any linked subscriptions.
VSTS Accounts are another stand-alone entity.
A VSTS Account can be linked to an Azure Subscription, so that charges can flow to the Azure subscription. If it is not linked, then there’s no way to use any paid services (as VSTS doesn’t have its own commerce system).
A VSTS Account can be linked to an Azure Directory. This is essentially like “domain joining” a PC; it opts you into a number of management advantages. If it is not linked, then you can only use Microsoft Accounts for sign-in, and it essentially maintains its own lightweight identity store in lieu of the directory.
All Azure Subscriptions are part of an Azure Account. This is where the billing information is maintained.
All Azure Accounts have a Service Administrator and an Account Owner. These are security roles applied at the Account level. They do not grant any rights into the subscriptions, directories, or VSTS accounts (as they are all different, independent entities).
When you login to https://portal.azure.com, you login with an identity that’s in the context of a directory. You can see your current directory context top-right. You will see the different resources which are within subscriptions that are linked to your current directory. You may have no subscriptions at all, in which case you just see the directory but an otherwise empty portal.
When you login to https://manage.windowsazure.com, you must always be in the context of a subscription. (Old portal, old rules.) You will see all of the directories that you have access to as a user, regardless of which subscription context you’re in. Even if you have access to a directory, but you are just lacking a subscription, they will boot you out of the portal with an error about having no subscriptions. To work around this, we grant everybody at Readify co-admin access to an “Authentication Helper” subscription. It’s empty, but it lets you login with your OrgId and then swap to the other directory that you were actually looking for. I really dislike the old portal.
Clear as mud? 🙂
Tatham Oddie 