
Manage Accounts, Subscriptions, and Administrative Roles

Updated: June 9, 2015

This topic explains Microsoft Azure accounts, subscriptions, and administrative roles for users who need access to Azure to manage services. These features help you control access to the resources, usage, and billing information for services you build and run on Azure. Don’t confuse this access with enabling access to end-users of your service.


This topic does not explain how to sign up for an Azure account. For information about Azure purchase options, see Purchase Options, Free Trial, and Member Offers (for members of MSDN, Microsoft Partner Network, and BizSpark, and other Microsoft programs).

An Azure account determines how Azure usage is reported and who the Account Administrator is.

Subscriptions help you organize access to cloud service resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by department, project, regional office, and so on. Every cloud service belongs to a subscription, and the subscription ID may be required for programmatic operations.

Accounts and subscriptions are created at the Azure Account Center. The person who creates the account is the Account Administrator for all subscriptions created in that account. That person is also the default Service Administrator for the subscription.

The following graphic depicts the primary role that the Account Administrator plays in creating and managing Azure subscriptions.

[Figure: Azure Account Admin and Service Admin relationship]

Account Administrators using a Microsoft account must log in every 2 years (or more frequently) to keep the account active. Inactive accounts are cancelled and the related subscriptions removed. There are no login requirements if using a work or school account.

There are three roles related to Azure accounts and subscriptions:


| Administrative role | Limit | Summary |
|---|---|---|
| Account Administrator | 1 per Azure account | Authorized to access the Account Center (create subscriptions, cancel subscriptions, change billing for a subscription, change Service Administrator, and more) |
| Service Administrator | 1 per Azure subscription | Authorized to access Azure Management Portal for all subscriptions in the account. By default, same as the Account Administrator when a subscription is created. |
| Co-administrator | 200 per subscription (in addition to Service Administrator) | Same as Service Administrator, but can’t change the association of subscriptions to Azure directories. |

The Account Administrator for a subscription is the only person with access to the Account Center. The Account Administrator does not have any other access to services in that subscription; they need to also be the Service Administrator or a co-administrator for that. For security reasons, the Account Administrator for a subscription can only be changed with a call to Azure support. The Account Administrator can easily reassign the Service Administrator for a subscription at the Account Center at any time.

The Service Administrator is the first co-administrator for a subscription. Like other co-administrators, the Service Administrator has management access to cloud resources using the Azure Management Portal, as well as tools like Visual Studio, other SDKs, and command line tools like PowerShell. The Service Administrator can also add and remove other co-administrators.

The following graphic depicts basic access and management rights for these administrator roles.

[Figure: Azure Account, Service and CoAdmin relationship]

Crucial differences between the service administrator and co-administrators:

  • Co-administrators can’t delete the Service Administrator from the Azure Management Portal. Only the Account Administrator can change this assignment at the Account Center.

  • The Service Administrator is the only user authorized to change a subscription’s association with a directory in the Azure Management Portal.

Access to Azure begins with a User ID, which is an email and password combination that Azure uses to authenticate users. User IDs come in two forms: Microsoft accounts and work or school accounts.

  • Microsoft accounts take the form <user> <user> or <user>

  • Work or school accounts take the form or, for example. “Contoso” can be any domain name.

Work or school accounts are different from Microsoft accounts because they are sourced from Azure Active Directory. Because work or school accounts are created from within Azure Active Directory, you have more options for managing them. For example, work or school accounts can be supplemented with multi-factor authentication, which requires the user to enter additional information to verify their identity.

So, as a general rule, use work or school accounts whenever you need to assign administrative access to Azure. Every Azure subscription has a default directory that you can use to create work or school accounts.

The Azure Management portal and most client tools for services, such as Visual Studio or PowerShell, support account-based authentication. This is a token-based authentication scheme that requires nothing more than the user entering their User ID. However, account-based authentication to Windows Azure from tools running on a client is a relatively new capability. Before this, having a management certificate for a subscription on the client was the only way to authenticate. This certificate-based authentication involves accessing a special web site with your User ID to download a subscription file (formerly known as a publishsettings file), which has information about the subscriptions you can access and their certificates, and then referencing that file or the certificates from your tools. You could also create the certificate yourself, upload it to the Azure Management portal, and then reference it in the same way.

This method is complicated, error prone, and requires a public key infrastructure (PKI) to be adequately secure.

Certificate-based authentication for management functions is still supported--and some Azure services may still require it--but this is more complicated and less secure than account-based management. It’s also easy to confuse this certificate-based authentication for service management functions with certificate-based authentication that enables programs and people to use your services while they’re running.

For these reasons, choose account-based authentication over certificate-based authentication for service management functions whenever you can.

Account-based authentication relies on tokens issued by an authentication provider, and the authentication provider chooses the lifespan of the token, which could be as short as a day or as long as weeks. When the token expires, a user will need to sign in again. If you need persistent client access to service management functions--for example, for long-running integrated deployment scripts or code projects--certificate-based management may be the right choice.

See the Microsoft Azure SDK Release Notes.

In general, the more administrators you have, the more you need to be concerned about guidelines and best practices. Even if your services today are small and have few administrators, following best practices in subscription and account management will help you maintain order as your services grow.

Use work or school accounts for all administrative roles. This enables you to harness the power of Azure Active Directory for governance. You can use directories to manage users and delegate assignment as appropriate for your business.

Any time you add or change an administrative role assignment, use the same domain name you are logged in with. For example, if you’re an Account Administrator in the domain, and you re-assign the Service Administrator for a subscription, add them with a User ID in the domain. Do the same if you’re adding co-administrators in the Azure Management Portal.

Create a different subscription for each service and give each subscription a unique name. This enables you to view usage and control access to each service granularly.
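
The guidelines above can be checked mechanically against an inventory of subscriptions and their administrators. The following is an added example, not Microsoft code: the inventory format, the `contoso.example` domain, and every User ID in it are hypothetical, and it makes no calls to Azure.

```python
from collections import Counter

CO_ADMIN_LIMIT = 200  # co-administrators per subscription, from the roles table

def domain_of(user_id):
    """Lower-cased domain part of a User ID, or '' if it has none."""
    return user_id.rpartition("@")[2].lower() if "@" in user_id else ""

def audit_subscriptions(subscriptions, org_domain):
    """Return (subscription name, check, detail) findings for an inventory."""
    findings = []
    org_domain = org_domain.lower()
    seen = Counter(s["name"].strip().lower() for s in subscriptions)
    for sub in subscriptions:
        name = sub["name"]
        admins = [("Service Administrator", sub["service_admin"])]
        admins += [("co-administrator", u) for u in sub["co_admins"]]
        for role, user_id in admins:
            # Guidance: assign roles to work or school accounts in your own domain.
            if domain_of(user_id) != org_domain:
                findings.append((name, "EXTERNAL_ADMIN", f"{role} {user_id}"))
        if len(sub["co_admins"]) > CO_ADMIN_LIMIT:
            findings.append((name, "CO_ADMIN_LIMIT", str(len(sub["co_admins"]))))
        # Guidance: prefer account-based over certificate-based management.
        if sub.get("management_certs", 0) > 0:
            findings.append((name, "MGMT_CERT", str(sub["management_certs"])))
        # Guidance: give each subscription a unique name.
        if seen[name.strip().lower()] > 1:
            findings.append((name, "DUPLICATE_NAME", name.strip().lower()))
    return findings

# Constructed inventory; contoso.example and every User ID here are made up.
SAMPLE = [
    {"name": "billing-api", "service_admin": "ops@contoso.example",
     "co_admins": ["dev1@contoso.example"], "management_certs": 0},
    {"name": "web-frontend", "service_admin": "founder@personal-mail.example",
     "co_admins": ["dev2@contoso.example", "vendor@partner.example"],
     "management_certs": 2},
    {"name": "Web-Frontend", "service_admin": "ops@contoso.example",
     "co_admins": [], "management_certs": 0},
]

if __name__ == "__main__":
    for finding in audit_subscriptions(SAMPLE, "contoso.example"):
        print(*finding, sep="\t")
```

An `EXTERNAL_ADMIN` finding covers both Microsoft accounts and work or school accounts from another organization's directory, since the check only compares the User ID's domain with the one you supply.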
