MicrosoftDocs
diff --git a/‎articles/role-based-access-control/media/role-assignments-portal-subscription-admin/condition-constrained-owner.png
38.4 KB b/‎articles/role-based-access-control/media/role-assignments-portal-subscription-admin/condition-constrained-owner.png
38.4 KB
diff --git a/‎articles/role-based-access-control/media/role-assignments-portal-subscription-admin/sub-role-assignments-owner.png
8.88 KB b/‎articles/role-based-access-control/media/role-assignments-portal-subscription-admin/sub-role-assignments-owner.png
8.88 KB
diff --git a/‎articles/role-based-access-control/role-assignments-portal-subscription-admin.md
Lines changed: 36 additions & 6 deletions b/‎articles/role-based-access-control/role-assignments-portal-subscription-admin.md
Lines changed: 36 additions & 6 deletions
@@ -1,20 +1,22 @@
 ---
-title: Assign a user as an administrator of an Azure subscription - Azure RBAC
-description: Learn how to make a user an administrator of an Azure subscription using the Azure portal and Azure role-based access control (Azure RBAC).
+title: Assign a user as an administrator of an Azure subscription with conditions - Azure RBAC
+description: Learn how to make a user an administrator of an Azure subscription with conditions using the Azure portal and Azure role-based access control (Azure RBAC).
 services: active-directory
 author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 05/10/2023
+ms.date: 01/30/2024
 ms.author: rolyon
 ms.custom: subject-rbac-steps
 ---
 
-# Assign a user as an administrator of an Azure subscription
+# Assign a user as an administrator of an Azure subscription with conditions
 
-To make a user an administrator of an Azure subscription, assign them the [Owner](built-in-roles.md#owner) role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.
+To make a user an administrator of an Azure subscription, you assign them the [Owner](built-in-roles.md#owner) role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. Since the Owner role is a highly privileged role, Microsoft recommends you add a condition to constrain the role assignment. For example, you can allow Alice to only assign the Virtual Machine Contributor role to service principals.
+
+This article describes how to assign a user as an administrator of an Azure subscription with conditions. These steps are the same as any other role assignment.
 
 ## Prerequisites
 
@@ -86,7 +88,35 @@ The [Owner](built-in-roles.md#owner) role grant full access to manage all resour
 
 1. Click **Next**.
 
-## Step 5: Assign role
+## Step 5: Add a condition
+
+Since the Owner role is a highly privileged role, Microsoft recommends you add a condition to constrain the role assignment.
+
+1. On the **Conditions** tab under **What user can do**, select the **Allow user to only assign selected roles to selected principals (fewer privileges)** option.
+
+    :::image type="content" source="./media/role-assignments-portal-subscription-admin/condition-constrained-owner.png" alt-text="Screenshot of Add role assignment with the constrained option selected." lightbox="./media/role-assignments-portal-subscription-admin/condition-constrained-owner.png":::
+
+1. Select **Select roles and principals**.
+
+    The Add role assignment condition page appears with a list of condition templates.
+
+    :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::
+
+1. Select a condition template and then select **Configure**.
+
+    | Condition template | Select this template to |
+    | --- | --- |
+    | Constrain roles | Allow user to only assign roles you select |
+    | Constrain roles and principal types | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principal types you select (users, groups, or service principals) |
+    | Constrain roles and principals | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principals you select |
+
+1. In the configure pane, add the required configurations.
+
+    :::image type="content" source="./media/shared/condition-template-configure-pane.png" alt-text="Screenshot of configure pane for a condition with selection added." lightbox="./media/shared/condition-template-configure-pane.png":::
+
+1. Select **Save** to add the condition to the role assignment.
+
+## Step 6: Assign role
 
 1. On the **Review + assign** tab, review the role assignment settings.