Merge pull request #263308 from rolyon/rolyon-rbac-classic-admins-steps-retire

[Azure RBAC] Remove classic Co-Administrators

Author: denrea

articles/role-based-access-control/classic-administrators.md

@@ -1,33 +1,96 @@
 ---
 title: Azure classic subscription administrators
-description: Describes how to add or change the Azure Co-Administrator and Service Administrator roles, and how to view the Account Administrator.
+description: Describes how to remove or change the Azure Co-Administrator and Service Administrator roles, and how to view the Account Administrator.
 services: active-directory
 author: rolyon
 manager: amycolannino
 
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 06/07/2023
+ms.date: 01/26/2024
 ms.author: rolyon
 ms.reviewer: bagovind
 ---
 
 # Azure classic subscription administrators
 
 > [!IMPORTANT]
-> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
 
-Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For more information, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/management/deployment-models.md).
+Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For information about how to migrate your resources from classic deployment to Resource Manager deployment, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/management/deployment-models.md).
 
-This article describes how to add or change the Co-Administrator and Service Administrator roles, and how to view the Account Administrator.
+This article describes how to remove or change the Co-Administrator and Service Administrator roles, and how to view the Account Administrator.
+
+## Frequently asked questions
+
+Will Co-Administrators lose access after August 31, 2024?
+
+- Starting on August 31, 2024, Microsoft will start the process to remove access for Co-Administrators.
+
+What is the equivalent Azure role I should assign for Co-Administrators?
+
+- [Owner](built-in-roles.md#owner) role at subscription scope has the equivalent access. However, Owner is a [privileged administrator role](role-assignments-steps.md#privileged-administrator-roles) and grants full access to manage Azure resources. You should consider another Azure role with fewer permissions or reduce the scope.
+
+What should I do if I have a strong dependency on Co-Administrators?
+
+- Email [email protected] and describe your scenario.
+
+## View Co-Administrators
+
+Follow these steps to view the Co-Administrators for a subscription using the Azure portal.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
+
+1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+
+1. Click **Access control (IAM)**.
+
+1. Click the **Classic administrators** tab to view a list of the Co-Administrators.
+
+    ![Screenshot that opens Classic administrators.](./media/shared/classic-administrators.png)
+
+## Assess Co-Administrators
+
+Use the following table to assess how to remove or re-assign Co-Administrators.
+
+| Assessment | Next steps|
+| --- | --- |
+| User no longer needs access | Follow steps to [remove Co-Administrator](#remove-a-co-administrator). |
+| User still needs some access, but not full access | 1. Determine the Azure role the user needs.<br/>2. Determine the scope the user needs.<br/>3. Follow steps to [assign an Azure role to user](role-assignments-portal.md).<br/>4. [Remove Co-Administrator](#remove-a-co-administrator). |
+| User needs the same access as a Co-Administrator | 1. Assign the [Owner role at subscription scope](role-assignments-portal-subscription-admin.md).<br/>2. [Remove Co-Administrator](#remove-a-co-administrator). |
+
+## Remove a Co-Administrator
+
+> [!IMPORTANT]
+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+
+Follow these steps to remove a Co-Administrator.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
+
+1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+
+1. Click **Access control (IAM)**.
+
+1. Click the **Classic administrators** tab to view a list of the Co-Administrators.
+
+1. Add a check mark next to the Co-Administrator you want to remove.
+
+1. Click **Remove**.
+
+1. In the message box that appears, click **Yes**.
+
+    ![Screenshot that removes co-administrator.](./media/classic-administrators/remove-coadmin.png)
 
 ## Add a Co-Administrator
 
-> [!TIP]
+> [!IMPORTANT]
+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+> 
 > You only need to add a Co-Administrator if the user needs to manage Azure classic deployments by using [Azure Service Management PowerShell Module](/powershell/azure/servicemanagement/install-azure-ps). If the user only uses the Azure portal to manage the classic resources, you won’t need to add the classic administrator for the user.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as the Service Administrator or a Co-Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
 1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
 
@@ -74,24 +137,6 @@ Note that the [Azure built-in roles](../role-based-access-control/built-in-roles
 
 For information that compares member users and guest users, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).
 
-## Remove a Co-Administrator
-
-1. Sign in to the [Azure portal](https://portal.azure.com) as the Service Administrator or a Co-Administrator.
-
-1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
-
-1. Click **Access control (IAM)**.
-
-1. Click the **Classic administrators** tab.
-
-1. Add a check mark next to the Co-Administrator you want to remove.
-
-1. Click **Remove**.
-
-1. In the message box that appears, click **Yes**.
-
-    ![Screenshot that removes co-administrator](./media/classic-administrators/remove-coadmin.png)
-
 ## Change the Service Administrator
 
 Only the Account Administrator can change the Service Administrator for a subscription. By default, when you sign up for an Azure subscription, the Service Administrator is the same as the Account Administrator.
@@ -135,7 +180,7 @@ For more information about Microsoft accounts and Microsoft Entra accounts, see
 
 You might want to remove the Service Administrator, for example, if they are no longer with the company. If you do remove the Service Administrator, you must have a user who is assigned the [Owner](built-in-roles.md#owner) role at subscription scope to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as a subscription Owner or a Co-Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
 1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
 

articles/role-based-access-control/rbac-and-directory-admin-roles.md

@@ -9,7 +9,7 @@ ms.assetid: 174f1706-b959-4230-9a75-bf651227ebf6
 ms.service: role-based-access-control
 ms.workload: identity
 ms.topic: overview
-ms.date: 12/01/2023
+ms.date: 01/26/2024
 ms.author: rolyon
 ms.custom: it-pro;
 ---
@@ -97,7 +97,7 @@ Several Microsoft Entra roles span Microsoft Entra ID and Microsoft 365, such as
 ## Classic subscription administrator roles
 
 > [!IMPORTANT]
-> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
 
 Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs. The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator. Then, additional Co-Administrators can be added. The Service Administrator and the Co-Administrators have the equivalent access of users who have been assigned the Owner role (an Azure role) at the subscription scope. The following table describes the differences between these three classic subscription administrative roles.
 

articles/role-based-access-control/troubleshooting.md

@@ -8,7 +8,7 @@ ms.assetid: df42cca2-02d6-4f3c-9d56-260e1eb7dc44
 ms.service: role-based-access-control
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 12/01/2023
+ms.date: 01/26/2024
 ms.author: rolyon
 ms.custom: seohack1, devx-track-azurecli
 ---
@@ -611,7 +611,9 @@ If you're a Microsoft Entra Global Administrator and you don't have access to a
 ## Classic subscription administrators
 
 > [!IMPORTANT]
-> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+> Classic resources and classic administrators will be [retired on August 31, 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Starting February 26, 2024, you won't be able to add new Co-Administrators. Remove unnecessary Co-Administrators and use Azure RBAC for fine-grained access control.
+>
+> For more information, see [Azure classic subscription administrators](classic-administrators.md).
 
 ## Next steps