
How to Change the Service Administrator of a Subscription

Overview

Service Administrator is a “classic” role. The role provides access to an Azure subscription only if the user exists in the Azure Active Directory where the subscription resides. The role is not needed and can be removed without any impact. In fact, Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC).

However, if you choose to use it anyway, you may need to change the Service Administrator. This article outlines the options for doing so, though none of them are particularly easy to implement.

Because RBAC controls provide the same abilities, our recommendation when a Service Administrator leaves the organization is simply to delete the Service Administrator. Any user with the “Owner” role on the subscription can delete the Service Administrator from the Classic Administrator subscription menu. Since the role is not needed, this option has no business impact and is the easiest and recommended option. Detailed instructions are available in Microsoft’s article Remove the Service Administrator.

Option: Transfer Subscription to Another AAD (Disruptive but Self-Service)

When a subscription is transferred between Azure Active Directories, the Service Administrator is changed to the person who transfers the subscription. Therefore, transferring a subscription to another Azure Active Directory will allow you to switch the Service Administrator. Once done, you can transfer it back to the original AAD. However, transferring a subscription between AADs will remove all RBAC and can have significant impacts on the subscription. Before pursuing this method, ensure you understand the impacts as described in the Microsoft article Understand the impact of transferring a subscription.

Option: Grant CID Co-Ownership rights to change the Service Administrator (Non-Disruptive but Not Self-Service)

Within the NTT Enterprise Agreement, it is possible for the EA Billing Account Administrator (CID personnel) to change the Service Administrator in place with no impact to the subscription. However, this requires CID personnel to be given the RBAC role of “Owner” on the subscription, since the Billing Account Administrator has no operational access to the subscription by default.

Pursuing this option will involve the following steps:

  1. Refer to Subscription > Properties to see the current EA Account Administrator. Assign this EA Account Administrator “Owner” rights to the subscription.
  2. Identify the Azure Active Directory DNS name, e.g. contoso.onmicrosoft.com.
  3. Open a Support Case with CID Support. The case will be assigned to our EA Account Administrator to process. Include the following in the case:
    • The new user you want us to assign as the Service Administrator
    • Azure AD DNS name, e.g. contoso.onmicrosoft.com
    • Confirmation of the Owner role that was granted on the subscription
  4. CID will update the support case once the Service Administrator is changed.
  5. Once complete, the EA Account Administrator “Owner” role can be removed from the subscription and the EA Account Administrator user should be deleted from your Azure Active Directory.
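
One way to confirm the cleanup in step 5, as an added example that is not part of the original article: it compares a role-assignment export taken before step 1 with one taken after step 5 and reports whether the temporary Owner grant is still present or any other Owner grant changed. It assumes the exports are the JSON printed by `az role assignment list --all --subscription <subscription-id>`; the sample records, the user names and the placeholder subscription ID are constructed.

```python
import json

# Constructed sample exports; real input would be the JSON printed by
# `az role assignment list --all --subscription <subscription-id>`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
BEFORE = json.dumps([
    {"principalName": "alice@contoso.onmicrosoft.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.onmicrosoft.com", "roleDefinitionName": "Reader", "scope": SUB},
])
# In this sample the temporary grant from step 1 was never removed.
AFTER = json.dumps([
    {"principalName": "alice@contoso.onmicrosoft.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.onmicrosoft.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ea-admin@example.com", "roleDefinitionName": "Owner", "scope": SUB},
])


def owners(export_json, subscription_scope):
    """Return the lower-cased principals holding Owner at the subscription scope."""
    found = set()
    for item in json.loads(export_json):
        scope = item.get("scope", "").rstrip("/").lower()
        if item.get("roleDefinitionName") == "Owner" and scope == subscription_scope.lower():
            # Fall back to the object ID when the export carries no name.
            found.add((item.get("principalName") or item.get("principalId", "")).lower())
    return found


def audit_cleanup(before_json, after_json, subscription_scope, temp_principal):
    """Compare Owner grants from before step 1 with those after step 5."""
    before = owners(before_json, subscription_scope)
    after = owners(after_json, subscription_scope)
    temp = temp_principal.lower()
    return {
        "temp_owner_still_present": temp in after,
        "unexpected_new_owners": sorted(after - before - {temp}),
        "owners_lost": sorted(before - after),
    }


if __name__ == "__main__":
    print(audit_cleanup(BEFORE, AFTER, SUB, "ea-admin@example.com"))
```

Pass the temporary principal as it is written in the export. Only assignments made directly at the subscription scope are compared.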

Updated on November 15, 2022
