Azure RBAC Enforcement and Service Administration Retirement

void 0 Reputation points
2025-04-06T08:20:43.68+00:00

Hi there,

I received the email stating that the legacy Service Administrator and Co-Service Administrator will be retired after 2025/April/30.

I have an Azure subscription that only has one user account that already got the RBAC owner assignment. Can I keep both RBAC Owner and the legacy Service Administrator role for now? What will happen if I don't remove the Service Administrator role before 2025/April/30?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Marten Theunissen 676 Reputation points
    2025-04-06T08:29:00.63+00:00

    Hi Void,

    Thank you for reaching out. Please do remember to mark this answer.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

    Yes, that's correct. Starting April 30, 2025, the legacy Service Administrator and Co-Service Administrator roles in Azure will be retired. This means any role assignments for these positions will lose access after this date.

    To avoid disruptions, it's important to transition these roles to Azure Role-Based Access Control (RBAC) roles. The Owner role at the subscription scope is the equivalent role for both Service Administrator and Co-Service Administrator. Azure RBAC offers more granular access control and compatibility with Microsoft Entra Privileged Identity Management (PIM).

    Regards

    M


  2. Sakshi Devkante 3,750 Reputation points Microsoft External Staff Moderator
    2025-04-08T09:59:39.19+00:00

    Hello @void

    Answering your concern:

    1. Can I keep both RBAC Owner and the legacy Service Administrator role for now?
    Yes, you can still keep both the RBAC Owner and the legacy Service Administrator roles for now. As of the email notification, Microsoft has announced that the legacy roles (Service Administrator and Co-Service Administrator) will be retired after April 30, 2025. This is a modern role that is part of Azure's RBAC, which provides similar permissions to the legacy Service Administrator role but within the context of Azure's modern security model. As the RBAC Owner, you will have full access and control over the subscription.

    If you continue to hold this role, it will still function until the specified date (April 30, 2025). However, after this date, it will be retired, and the permissions associated with it will no longer be available.

    2. What will happen if I don't remove the Service Administrator role before 2025/April/30?
    After April 30, 2025, the legacy Service Administrator role will no longer be functional. If you haven't removed it, it won't have any effect, but it might be confusing since it will no longer be a valid role.

    To avoid potential issues or confusion after the retirement date, it's a good idea to remove the legacy Service Administrator role and rely solely on the RBAC Owner role, which will continue to function.

    You can use the Azure portal or a Resource Graph query to list subscriptions with Service Administrator or Co-Administrator role assignments.

    Follow these steps to list the Service Administrator and Co-Administrators for a subscription using the Azure portal.

    • Sign in to the Azure portal as an Owner of a subscription.
    • Open Subscriptions and select a subscription.
    • Select Access control (IAM).
    • Select the Classic administrators tab to view a list of the Co-Administrators.

    Remove Co-Administrators that no longer need access

    • If the user is no longer in your enterprise, remove the Co-Administrator.
    • If the user was deleted, but their Co-Administrator assignment wasn't removed, remove the Co-Administrator.

    Users that have been deleted typically include the text (User was not found in this directory).

    • After reviewing the activity of the user, if the user is no longer active, remove the Co-Administrator.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal#list-classic-administrators

    How to remove a Co-Administrator

    Follow these steps to remove a Co-Administrator.

    • Sign in to the Azure portal as an Owner of a subscription.
    • Open Subscriptions and select a subscription.
    • Select Access control (IAM).
    • Select the Classic administrators tab to view a list of the Co-Administrators.
    • Add a check mark next to the Co-Administrator you want to remove.
    • Select Delete.
    • In the message box that appears, select Yes.

    I suggest you go through the below document for further reference.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal#how-to-remove-a-co-administrator

    Please refer to the FAQs below.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal#frequently-asked-questions

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/deployment-models

    I hope this clarifies things.

    Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the answers.
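
Added example (not part of the original thread or of Microsoft's documentation): a Python check for the situation discussed in the answers above, flagging classic administrators who do not hold Owner directly at subscription scope and would therefore lose access when the legacy roles stop working. The sample data is constructed, and the input shapes are assumptions modelled on the classicAdministrators REST list response and the JSON output of `az role assignment list --all`.

```python
# Constructed sample data (not from the original thread). Shapes are assumed to
# mirror the classicAdministrators REST list response and the JSON printed by
# `az role assignment list --all`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CLASSIC_ADMINS = [
    {"id": SUB + "/providers/Microsoft.Authorization/classicAdministrators/a1",
     "properties": {"emailAddress": "alice@example.com",
                    "role": "ServiceAdministrator;AccountAdministrator"}},
    {"id": SUB + "/providers/Microsoft.Authorization/classicAdministrators/b2",
     "properties": {"emailAddress": "Bob@example.com", "role": "CoAdministrator"}},
    {"id": SUB + "/providers/Microsoft.Authorization/classicAdministrators/c3",
     "properties": {"emailAddress": "carol@example.com", "role": "CoAdministrator"}},
]
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@example.com", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-demo"},
]
LEGACY_ROLES = {"ServiceAdministrator", "CoAdministrator"}


def sub_of(resource_id):
    """Lower-cased subscription GUID of an ARM resource ID, or None."""
    parts = resource_id.strip("/").split("/")
    return parts[1].lower() if len(parts) > 1 and parts[0].lower() == "subscriptions" else None


def subscription_owners(assignments):
    """Map subscription -> principals holding Owner directly at subscription scope.
    Inherited (management group) and group-based assignments are not resolved."""
    owners = {}
    for a in assignments:
        # Exactly "/subscriptions/<guid>": one separator once outer slashes are stripped.
        if a["roleDefinitionName"] == "Owner" and a["scope"].strip("/").count("/") == 1:
            owners.setdefault(sub_of(a["scope"]), set()).add(a["principalName"].lower())
    return owners


def classic_admins_missing_owner(classic_admins, assignments):
    """Return (subscription, email, legacy roles) for classic admins without Owner."""
    owners = subscription_owners(assignments)
    missing = []
    for entry in classic_admins:
        roles = LEGACY_ROLES & set(entry["properties"]["role"].split(";"))
        sub = sub_of(entry["id"])
        email = entry["properties"]["emailAddress"].lower()
        if roles and email not in owners.get(sub, set()):
            missing.append((sub, email, sorted(roles)))
    return missing
```

Calling `classic_admins_missing_owner(CLASSIC_ADMINS, ROLE_ASSIGNMENTS)` on the constructed data flags bob (Contributor only) and carol (Owner only on a resource group), while alice, who already has Owner on the subscription, is not listed.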

