Merge pull request #271378 from rolyon/rolyon-rbac-classic-admins-faq-update

[Azure RBAC] Classic administrator Frequently asked questions update

Author: v-ccolin

articles/role-based-access-control/classic-administrators.md

@@ -6,7 +6,7 @@ manager: amycolannino
 
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 03/15/2024
+ms.date: 04/08/2024
 ms.author: rolyon
 ms.reviewer: bagovind
 ---
@@ -18,14 +18,18 @@ ms.reviewer: bagovind
 
 Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you're still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator. For information about how to migrate your resources from classic deployment to Resource Manager deployment, see [Azure Resource Manager vs. classic deployment](../azure-resource-manager/management/deployment-models.md).
 
-This article describes how to prepare for the retirement of the Co-Administrator and Service Administrator roles and how to remove or change these role assignments.
+If you still have classic administrators, you should remove these role assignments before the retirement date. This article describes how to prepare for the retirement of the Co-Administrator and Service Administrator roles and how to remove or change these role assignments.
 
 ## Frequently asked questions
 
 Will Co-Administrators and Service Administrator lose access after August 31, 2024?
 
 - Starting on August 31, 2024, Microsoft will start the process to remove access for Co-Administrators and Service Administrator.
 
+How do I know what subscriptions have classic administrators?
+
+- You can use an Azure Resource Graph query to list subscriptions with Service Administrator or Co-Administrator role assignments. For steps see [List classic administrators](#list-classic-administrators).
+
 What is the equivalent Azure role I should assign for Co-Administrators?
 
 - [Owner](built-in-roles.md#owner) role at subscription scope has the equivalent access. However, Owner is a [privileged administrator role](role-assignments-steps.md#privileged-administrator-roles) and grants full access to manage Azure resources. You should consider a job function role with fewer permissions, reduce the scope, or add a condition.
@@ -34,19 +38,27 @@ What is the equivalent Azure role I should assign for Service Administrator?
 
 - [Owner](built-in-roles.md#owner) role at subscription scope has the equivalent access.
 
+Why do I need to migrate to Azure RBAC?
+
+- Classic administrators will be retired. Azure RBAC offers fine grained access control, compatibility with Microsoft Entra Privileged Identity Management (PIM), and full audit logs support. All future investments will be in Azure RBAC.
+
+What about the Account Administrator role?
+
+- The Account Administrator is the primary user for your billing account. Account Administrator isn't being deprecated and you don't need to replace this role assignment. Account Administrator and Service Administrator might be the same user. However, you only need to remove the Service Administrator role assignment.
+
 What should I do if I have a strong dependency on Co-Administrators or Service Administrator?
 
 - Email [email protected] and describe your scenario.
 
 ## Prepare for Co-Administrators retirement
 
-Use the following steps to help you prepare for the Co-Administrator role retirement.
+If you still have classic administrators, use the following steps to help you prepare for the Co-Administrator role retirement.
 
 ### Step 1: Review your current Co-Administrators
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Use the Azure portal to [get a list of your Co-Administrators](#view-classic-administrators).
+1. Use the Azure portal or Azure Resource Graph to [list of your Co-Administrators](#list-classic-administrators).
 
 1. Review the [sign-in logs](/entra/identity/monitoring-health/concept-sign-ins) for your Co-Administrators to assess whether they're active users.
 
@@ -84,13 +96,13 @@ Some users might need more access than what a job function role can provide. If
 
 ## Prepare for Service Administrator retirement
 
-Use the following steps to help you prepare for Service Administrator role retirement. To remove the Service Administrator, you must have at least one user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.
+If you still have classic administrators, use the following steps to help you prepare for Service Administrator role retirement. To remove the Service Administrator, you must have at least one user who is assigned the Owner role at subscription scope without conditions to avoid orphaning the subscription. A subscription Owner has the same access as the Service Administrator.
 
 ### Step 1: Review your current Service Administrator
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Use the Azure portal to [get your Service Administrator](#view-classic-administrators).
+1. Use the Azure portal or Azure Resource Graph to [list your Service Administrator](#list-classic-administrators).
 
 1. Review the [sign-in logs](/entra/identity/monitoring-health/concept-sign-ins) for your Service Administrator to assess whether they're an active user.
 
@@ -114,20 +126,58 @@ Your Service Administrator might be a Microsoft account or a Microsoft Entra acc
 
 1. [Remove the Service Administrator](#remove-the-service-administrator).
 
-## View classic administrators
+## List classic administrators
+
+# [Azure portal](#tab/azure-portal)
 
-Follow these steps to view the Service Administrator and Co-Administrators for a subscription using the Azure portal.
+Follow these steps to list the Service Administrator and Co-Administrators for a subscription using the Azure portal.
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+1. Open **Subscriptions** and select a subscription.
 
 1. Select **Access control (IAM)**.
 
 1. Select the **Classic administrators** tab to view a list of the Co-Administrators.
 
     :::image type="content" source="./media/shared/classic-administrators.png" alt-text="Screenshot of Access control (IAM) page with Classic administrators tab selected." lightbox="./media/shared/classic-administrators.png":::
 
+# [Azure Resource Graph](#tab/azure-resource-graph)
+
+Follow these steps to list the number of Service Administrator and Co-Administrators in your subscriptions using Azure Resource Graph.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
+
+1. Open the **Azure Resource Graph Explorer**.
+
+1. Select **Scope** and set the scope for the query.
+
+    Set scope to **Directory** to query your entire tenant, but you can narrow the scope to particular subscriptions.
+
+    :::image type="content" source="./media/shared/resource-graph-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="./media/shared/resource-graph-scope.png":::
+
+1. Select **Set authorization scope** and set the authorization scope to **At, above and below** to query all resources at the specified scope.
+
+    :::image type="content" source="./media/shared/resource-graph-authorization-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Set authorization scope pane." lightbox="./media/shared/resource-graph-authorization-scope.png":::
+
+1. Run the following query to list the number Service Administrators and Co-Administrators based on the scope.
+
+    ```kusto
+    authorizationresources
+    | where type == "microsoft.authorization/classicadministrators"
+    | mv-expand role = parse_json(properties).role
+    | mv-expand adminState = parse_json(properties).adminState
+    | where adminState == "Enabled"
+    | where role in ("ServiceAdministrator", "CoAdministrator")
+    | summarize count() by subscriptionId, tostring(role)
+    ```
+
+    The following shows an example of the results. The **count_** column is the number of Service Administrators or Co-Administrators for a subscription.
+
+    :::image type="content" source="./media/classic-administrators/resource-graph-classic-admin-list.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows the number Service Administrators and Co-Administrators based on the subscription." lightbox="./media/classic-administrators/resource-graph-classic-admin-list.png":::
+
+---
+
 ## Remove a Co-Administrator
 
 > [!IMPORTANT]
@@ -137,7 +187,7 @@ Follow these steps to remove a Co-Administrator.
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+1. Open **Subscriptions** and select a subscription.
 
 1. Select **Access control (IAM)**.
 
@@ -160,7 +210,7 @@ Follow these steps to remove a Co-Administrator.
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+1. Open **Subscriptions** and select a subscription.
 
     Co-Administrators can only be assigned at the subscription scope.
 
@@ -235,7 +285,7 @@ To remove the Service Administrator, you must have a user who is assigned the [O
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as an [Owner](built-in-roles.md#owner) of a subscription.
 
-1. Open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and select a subscription.
+1. Open **Subscriptions** and select a subscription.
 
 1. Select **Access control (IAM)**.
 
@@ -249,6 +299,12 @@ To remove the Service Administrator, you must have a user who is assigned the [O
 
     :::image type="content" source="./media/classic-administrators/service-admin-remove.png" alt-text="Screenshot of remove classic administrator message when removing a Service Administrator." lightbox="./media/classic-administrators/service-admin-remove.png":::
 
+If the Service Administrator user is not in the directory, you might get the following error when you try to remove the Service Administrator:
+
+`Call GSM to delete service admin on subscription <subscriptionId> failed. Exception: Cannot delete user <principalId> since they are not the service administrator. Please retry with the right service administrator user PUID.`
+ 
+If the Service Administrator user is not in the directory, try to change the Service Administrator to an existing user and then try to remove the Service Administrator.
+
 ## Next steps
 
 - [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md)

articles/role-based-access-control/media/classic-administrators/resource-graph-classic-admin-list.png

@@ -54,11 +54,11 @@ To reduce the number of role assignments in the subscription, add principals (us
 
     You typically set scope to **Directory** to query your entire tenant, but you can narrow the scope to particular subscriptions.
 
-    :::image type="content" source="media/troubleshoot-limits/scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="media/troubleshoot-limits/scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="./media/shared/resource-graph-scope.png":::
 
 1. Select **Set authorization scope** and set the authorization scope to **At, above and below** to query all resources at the specified scope.
 
-    :::image type="content" source="media/troubleshoot-limits/authorization-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Set authorization scope pane." lightbox="media/troubleshoot-limits/authorization-scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-authorization-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Set authorization scope pane." lightbox="./media/shared/resource-graph-authorization-scope.png":::
 
 1. Run the following query to get the role assignments with the same role and at the same scope, but for different principals.
 
@@ -138,15 +138,15 @@ To reduce the number of role assignments in the subscription, remove redundant r
 
     You typically set scope to **Directory** to query your entire tenant, but you can narrow the scope to particular subscriptions.
 
-    :::image type="content" source="media/troubleshoot-limits/scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="media/troubleshoot-limits/scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="./media/shared/resource-graph-scope.png":::
 
 1. Select **Set authorization scope** and set the authorization scope to **At, above and below** to query all resources at the specified scope.
 
-    :::image type="content" source="media/troubleshoot-limits/authorization-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Set authorization scope pane." lightbox="media/troubleshoot-limits/authorization-scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-authorization-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Set authorization scope pane." lightbox="./media/shared/resource-graph-authorization-scope.png":::
 
 1. Run the following query to get the role assignments with the same role and same principal, but at different scopes.
 
-    This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles). To list eligible role assignments, you can the Microsoft Entra admin center, PowerShell, or REST API. For more information, see [Get-AzRoleEligibilityScheduleInstance](/powershell/module/az.resources/get-azroleeligibilityscheduleinstance) or [Role Eligibility Schedule Instances - List For Scope](/rest/api/authorization/role-eligibility-schedule-instances/list-for-scope).
+    This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles). To list eligible role assignments, you can use the Microsoft Entra admin center, PowerShell, or REST API. For more information, see [Get-AzRoleEligibilityScheduleInstance](/powershell/module/az.resources/get-azroleeligibilityscheduleinstance) or [Role Eligibility Schedule Instances - List For Scope](/rest/api/authorization/role-eligibility-schedule-instances/list-for-scope).
 
     If you are using [role assignment conditions](conditions-overview.md) or [delegating role assignment management with conditions](delegate-role-assignments-overview.md), you should use the Conditions query. Otherwise, use the Default query.
 
@@ -212,7 +212,7 @@ To reduce the number of role assignments in the subscription, replace multiple b
 
     You typically set scope to **Directory** to query your entire tenant, but you can narrow the scope to particular subscriptions.
 
-    :::image type="content" source="media/troubleshoot-limits/scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="media/troubleshoot-limits/scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="./media/shared/resource-graph-scope.png":::
 
 1. Run the following query to get role assignments with the same principal and same scope, but with different built-in roles.
 
@@ -318,7 +318,7 @@ Follow these steps to find and delete unused Azure custom roles.
 
 1. Select **Scope** and set the scope to **Directory** for the query.
 
-    :::image type="content" source="media/troubleshoot-limits/scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="media/troubleshoot-limits/scope.png":::
+    :::image type="content" source="./media/shared/resource-graph-scope.png" alt-text="Screenshot of Azure Resource Graph Explorer that shows Scope selection." lightbox="./media/shared/resource-graph-scope.png":::
 
 1. Run the following query to get all custom roles that don't have any role assignments: