Commit e18c87c

Merge pull request #89351 from rolyon/rolyon-rbac-service-admin-updates
[Azure RBAC] Service admin updates
2 parents 76bd171 + 19b15aa commit e18c87c

3 files changed

+19
-12
lines changed

articles/role-based-access-control/classic-administrators.md

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.devlang: na
1212
ms.topic: conceptual
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 02/19/2019
15+
ms.date: 10/01/2019
1616
ms.author: rolyon
1717
ms.reviewer: bagovind
1818
---
@@ -52,12 +52,14 @@ This article describes how to add or change the Co-Administrator and Service Adm
5252

5353
[Guest users](../active-directory/b2b/b2b-quickstart-add-guest-users-portal.md) that have been assigned the Co-Administrator role might see some differences as compared to member users with the Co-Administrator role. Consider the following scenario:
5454

55-
- User A with an Azure AD Work or School account is a Service Administrator for an Azure subscription.
55+
- User A with an Azure AD account (work or school account) is a Service Administrator for an Azure subscription.
5656
- User B has a Microsoft account.
5757
- User A assigns the Co-Administrator role to user B.
5858
- User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.
5959

60-
You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot. If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/users-groups-roles/directory-assign-admin-roles.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/users-groups-roles/directory-assign-admin-roles.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
60+
You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot.
61+
62+
If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD administrator roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/users-groups-roles/directory-assign-admin-roles.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/users-groups-roles/directory-assign-admin-roles.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
6163

6264
Note that the [built-in roles for Azure resources](../role-based-access-control/built-in-roles.md) are different than the [Azure AD administrator roles](../active-directory/users-groups-roles/directory-assign-admin-roles.md). The built-in roles don't grant any access to Azure AD. For more information, see [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
6365

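Review bot: "the Microsoft account is added to the subscription as a guest user" misplaces where the guest status lives. The Co-Administrator assignment is on the subscription, but the account is added to the subscription's Azure AD directory as a guest, which is why the same paragraph then explains the gap in terms of "default permissions in Azure AD". Suggest "the Microsoft account is added to the Azure AD directory as a guest user instead of a member user". In the split-off remedy paragraph it is also worth one clause saying that Directory Readers and Application Developer are Azure AD administrator roles, not subscription-scoped Azure roles (the paragraph that follows draws exactly that distinction), so granting them lets the external guest read users and create service principals across the directory, not only for this subscription; a reader should weigh that before handing them to a guest.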
@@ -123,14 +125,16 @@ There are two ways to change the Service Administrator. You can change in the **
123125

124126
### Limitations for changing the Service Administrator
125127

126-
Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, open **Subscriptions** in the Azure portal and then select a subscription to see the directory.
128+
There can only be one Service Administrator per Azure subscription. Changing the Service Administrator will behave differently depending on whether the Account Administrator is a Microsoft account or whether it is an Azure AD account (work or school account).
129+
130+
| Account Administrator account | Can change the Service Administrator to a different Microsoft account? | Can change the Service Administrator to an Azure AD account in the same directory? | Can change the Service Administrator to an Azure AD account in a different directory? |
131+
| --- | --- | --- | --- |
132+
| Microsoft account | Yes | No | No |
133+
| Azure AD account | Yes | Yes | No |
127134

128-
If you are signed in with a work or school account, you can add other accounts in your organization as Service Administrator. For example, [email protected] can add [email protected] as Service Administrator, but can't add [email protected] unless [email protected] has presence in the contoso.com directory. Users signed in with work or school accounts can continue to add Microsoft account users as Service Administrator. There can only be one Service Administrator per Azure subscription.
135+
If the Account Administrator is an Azure AD account, you can change the Service Administrator to an Azure AD account in the same directory, but not in a different directory. For example, [email protected] can change the Service Administrator to [email protected], but cannot change the Service Administrator to [email protected] unless [email protected] has a presence in the contoso.com directory.
129136

130-
| Sign-in method | Add Microsoft account user as a Service Administrator? | Add work or school account in the same organization as a Service Administrator? | Add work or school account in different organization as a Service Administrator? |
131-
| --- | --- | --- | --- |
132-
| Microsoft account |Yes |No |No |
133-
| Work or school account |Yes |Yes |No |
137+
For more information about Microsoft accounts and Azure AD accounts, see [What is Azure Active Directory?](../active-directory/fundamentals/active-directory-whatis.md).
134138

135139
## View the Account Administrator
136140

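Review bot: re-keying the table on "Account Administrator account" instead of "Sign-in method" is correct, since the Account Administrator is the one who changes the Service Administrator, but the deleted sentence "Users signed in with work or school accounts can continue to add Microsoft account users as Service Administrator" now survives only as the "Yes" cell in the first column, and the prose after the table covers only the same-directory versus different-directory cases. Spell that case out in prose, because it is the one with security impact: either kind of Account Administrator can make any Microsoft account the Service Administrator, an identity the subscription's directory does not manage, and the rbac-and-directory-admin-roles.md change in this same PR states that the Service Administrator has the equivalent access of an Owner at subscription scope. Separately, the three example addresses in the explanatory sentence all appear as "[email protected]", so the contoso.com same-directory / different-directory contrast cannot be followed; use visibly distinct example addresses.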
articles/role-based-access-control/rbac-and-directory-admin-roles.md

Lines changed: 4 additions & 2 deletions
@@ -12,7 +12,7 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: overview
15-
ms.date: 02/22/2019
15+
ms.date: 10/01/2019
1616
ms.author: rolyon
1717
ms.reviewer: bagovind
1818
ms.custom: it-pro;
@@ -41,7 +41,7 @@ Account Administrator, Service Administrator, and Co-Administrator are the three
4141
| Classic subscription administrator | Limit | Permissions | Notes |
4242
| --- | --- | --- | --- |
4343
| Account Administrator | 1 per Azure account | <ul><li>Access the [Azure Account Center](https://account.azure.com/Subscriptions)</li><li>Manage all subscriptions in an account</li><li>Create new subscriptions</li><li>Cancel subscriptions</li><li>Change the billing for a subscription</li><li>Change the Service Administrator</li></ul> | Conceptually, the billing owner of the subscription.<br>The Account Administrator has no access to the Azure portal. |
44-
| Service Administrator | 1 per Azure subscription | <ul><li>Manage services in the [Azure portal](https://portal.azure.com)</li><li>Assign users to the Co-Administrator role</li></ul> | By default, for a new subscription, the Account Administrator is also the Service Administrator.<br>The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.<br>The Service Administrator has full access to the Azure portal. |
44+
| Service Administrator | 1 per Azure subscription | <ul><li>Manage services in the [Azure portal](https://portal.azure.com)</li><li>Cancel the subscription</li><li>Assign users to the Co-Administrator role</li></ul> | By default, for a new subscription, the Account Administrator is also the Service Administrator.<br>The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.<br>The Service Administrator has full access to the Azure portal. |
4545
| Co-Administrator | 200 per subscription | <ul><li>Same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories</li><li>Assign users to the Co-Administrator role, but cannot change the Service Administrator</li></ul> | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |
4646

4747
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the **Classic administrators** tab.
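Review bot: adding "Cancel the subscription" to the Service Administrator row leaves the Co-Administrator row ambiguous. It still reads "Same access privileges as the Service Administrator, but can't change the association of subscriptions to Azure directories", so a reader now has to infer whether the up to 200 Co-Administrators can also cancel the subscription; state it explicitly in that row either way. The Account Administrator row also lists "Cancel subscriptions", so if both the billing owner and the Service Administrator can cancel, say so in the Service Administrator Notes column, since cancellation is destructive and the table previously read as reserving it to the billing owner.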
@@ -60,6 +60,8 @@ An Azure account represents a billing relationship. An Azure account is a user i
6060

6161
Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.
6262

63+
Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, open **Subscriptions** in the Azure portal and then select a subscription to see the directory.
64+
6365
Accounts and subscriptions are managed in the [Azure Account Center](https://account.azure.com/Subscriptions).
6466

6567
## Azure RBAC roles
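Review bot: the sentence moved here from classic-administrators.md says how to find the subscription's directory but not why it matters. The limitations table added to classic-administrators.md in this same PR turns on this association (the Service Administrator can be changed to an Azure AD account "in the same directory" but not "in a different directory"). Add a link from this paragraph to that section, or one sentence noting that the associated directory determines which Azure AD accounts can be made Service Administrator, so the two halves of the move stay connected.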

articles/role-based-access-control/role-assignments-external-users.md

Lines changed: 2 additions & 1 deletion
@@ -201,4 +201,5 @@ If a guest user has been granted access to a directory, but they do not see the
201201

202202
- [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/b2b/add-users-administrator.md)
203203
- [Properties of an Azure Active Directory B2B collaboration user](../active-directory/b2b/user-properties.md)
204-
- [The elements of the B2B collaboration invitation email - Azure Active Directory](../active-directory/b2b/invitation-email-elements.md)
204+
- [The elements of the B2B collaboration invitation email - Azure Active Directory](../active-directory/b2b/invitation-email-elements.md)
205+
- [Adding a guest user as a Co-Administrator](classic-administrators.md#adding-a-guest-user-as-a-co-administrator)
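Review bot: the new link targets classic-administrators.md#adding-a-guest-user-as-a-co-administrator, but no heading with that text is visible in the classic-administrators.md hunks of this PR (the hunk at line 52 shows the guest-user scenario under the "This article describes how to add or change the Co-Administrator and Service Adm..." context only). Confirm the heading exists with exactly that wording, because a mismatched anchor silently lands the reader at the top of the page. The preceding list item being removed and re-added unchanged reads as a missing trailing-newline fix, which is fine.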
