Manage Azure Subscription Owners: Add and Remove User Access

Risks/Customer Impact

  • Unauthorized Access: Granting unnecessary permissions may lead to unauthorized access and potential security breaches.
  • Role Misconfiguration: Incorrectly configuring roles can expose sensitive resources or data.
  • Incorrectly removing roles can result in restricted access, affecting operations.

Assign a user as an Owner of an Azure subscription


Step 1. Open the subscription

  1. Sign in to the Azure portal.
  2. In the Search box at the top, search for subscriptions.
  3. Click the subscription you want to use.

The following shows an example subscription.


Step 2. Open the Add role assignment page

Access control (IAM) is the page you typically use to assign roles that grant access to Azure resources. Click Access control (IAM).

The following shows an example of the Access control (IAM) page for a subscription.


Click the Role Assignments tab to view the role assignments at this scope.

Click Add > Add role assignment.

If you don't have permission to assign roles, the Add role assignment option will be disabled.


The Add role assignment page opens.

Step 3. Select the Owner role

The Owner role grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

On the Role tab, select the Privileged administrator roles tab.


Select the Owner role.

Click Next.

Step 4. Select who needs access


Click Select members.

Find and select the user.

You can type in the Select box to search the directory for the display name or email address.


Click Save to add the user to the Members list.

In the Description box, enter an optional description for this role assignment.

Added By Abdul Basith, 

Later you can show this description in the role assignments list.

Select Not Constrained and click Next.

Step 5. Assign role

  1. On the Review + Assign tab, review the role assignment settings.
  2. Click Review + Assign to assign the role.

After a few moments, the user is assigned the Owner role for the subscription.


Remove a user as an Owner of an Azure subscription


Step 1. Open the subscription

  1. Sign in to the Azure portal.
  2. Search for “subscriptions” in the search box at the top and click the subscription you want to use.

Step 2. Open the Role assignments tab

Click on “Access control (IAM)” and then click on the “Role assignments” tab.


Step 3. Remove the Role assignment

Find the user you want to remove, select the check box next to their name, and click Remove.

Then click “Yes” to confirm.

In Notifications, you can confirm that the role assignment was removed successfully.

Verification Process/Procedure

Adding: After a user has been added as an Owner of the subscription, verify this by navigating to IAM > Role Assignments. In the "Owner" tab, you should see the newly added role assignment.

Removing: After a user has been removed as an Owner of the subscription, verify this by navigating to IAM > Role Assignments. In the "Owner" tab, you should no longer see the role assignment associated with that account.
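
The same verification can be scripted against an export of the role assignments. The following is an added example, not part of the original article: it checks Azure CLI JSON output (`az role assignment list --scope <subscription scope> --include-inherited -o json`) and also catches an Owner assignment inherited from a management group, which survives removal at the subscription. The subscription ID, management group name, users and function names are constructed for illustration.

```python
# Constructed sample shaped like the JSON from:
#   az role assignment list --scope <subscription scope> --include-inherited -o json
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
MG = "/providers/Microsoft.Management/managementGroups/example-mg"  # hypothetical
SAMPLE = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": MG},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/example-rg"},
]


def owner_assignments(assignments, subscription_scope):
    """Owner assignments effective on the whole subscription, direct or inherited."""
    sub = subscription_scope.rstrip("/").lower()
    mg_prefix = "/providers/microsoft.management/managementgroups/"
    found = []
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        scope = a.get("scope", "").rstrip("/").lower()
        if scope == sub:
            origin = "direct"
        elif scope == "" or scope.startswith(mg_prefix):  # "" is the root scope "/"
            origin = "inherited"
        else:
            continue  # resource group or resource scope: not subscription-wide
        found.append({"principal": a.get("principalName"),
                      "type": a.get("principalType"), "origin": origin})
    return found


def verify(assignments, subscription_scope, principal, expect_owner):
    """Return (ok, hits): ok is True when Owner status matches the expectation."""
    hits = [o for o in owner_assignments(assignments, subscription_scope)
            if (o["principal"] or "").lower() == principal.lower()]
    return bool(hits) == expect_owner, hits


if __name__ == "__main__":
    print(verify(SAMPLE, SUB, "alice@example.com", True))   # after adding
    print(verify(SAMPLE, SUB, "bob@example.com", False))    # after removing
```

An Owner assignment made to a group lists the group as the principal, so this check does not see users who hold Owner through group membership.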

Abbreviations/Term Definitions

  1. IAM: Identity and Access Management
  2. RBAC: Role-Based Access Control
  3. PIM: Privileged Identity Management
