Upgrade Classic Azure Administrator Roles by August 2024

Posted on by Tony Redmond

Azure Transitions Administrative Roles to Azure RBAC Roles

On March 11, Microsoft sent a note to Azure administrators titled “Transition to role-based access control (RBAC) in Azure by 31 August 2024.” The note pointed to an article explaining that Microsoft will retire Azure’s classic deployment model on the same date in favor of Azure Resource Model.

Microsoft 365 Consumes a Surprising Amount of Azure

Like many Microsoft 365 administrators, I labor under the illusion that I don’t use Azure all that much. Then I realized that I use:

And of course, Teams consumes a mass of Azure services and Copilot for Microsoft 365 executes queries against Large Language Modules running in Azure.

In short, despite thinking that my Azure administration needs were minimal, I use Azure for different reasons and the number of those reasons has grown steadily over the last five years. I suspect that this is the same for other tenants. I therefore needed to pay attention to Microsoft’s email telling me to transition classic administrative roles (Co-administrator and Service administrator are the two roles called out) before August 31.

Finding Classic Administrative Roles

I followed the documented steps to access the Azure Portal, select my subscription, and use the IAM option to find classic administrators (Figure 1).

Listing holders of classic Azure administrator roles. Azure RBAC roles
Figure 1: Listing holders of classic Azure administrator roles

It came as no surprise that my account was listed as the service administrator. When you sign up for an Azure subscription, the account used automatically assumes the service administrator role. The account also is the account administrator. The difference between the two roles is that the service administrator can cancel subscriptions. If needed, the account administrator can grant themselves the service administrator role and become all-powerful. As few accounts as possible should possess such powerful roles.

Azure wants to get away from all-powerful roles and use roles that more accurately reflect the granular nature of the work individuals need to do. This is the principle of RBAC. Within Azure RBAC, the Owner role (limited to the scope of a subscription) is the equivalent of a co-administrator. However, the changeover to RBAC creates an opportunity to assess why user accounts have the co-administrator role and what tasks they perform that require them to possess such a role. It’s possible that one of the Azure RBAC roles is better suited to the work that an individual does. If so, they should be assigned that role.

Switching to Azure RBAC Roles

Being a small and relatively simple tenant, reviewing the current roles and reassigning new roles was straightforward. Instead of the classic service administrator role, my account now has the Owner RBAC role. Instead of the co-administrator role, I assigned the Contributor RBAC role.

I assigned the Azure RBAC roles two weeks ago. Everything has worked perfectly since, and no one has complained that they’re missing the ability to do something. No doubt I am lucky in that respect!

On a serious note, the experience demonstrated that Microsoft 365 has a huge and growing dependency on Azure that tenant administrators should pay attention to. Although it’s not compulsory to be a master of Azure, it does pay to have a workable acquaintance with how Azure works and how to manage the parts that you use.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.