Assign an Azure Role to a User in the Azure Portal


Usage-based Azure Subscriptions use a separate set of permissions from other services and portals in a Microsoft 365 tenant. To grant a user access to an Azure Subscription, use the following steps:


  1. Log into the Azure Management Portal at https://portal.azure.com with a user that has either the Owner or User Access Administrator role.
  2. Navigate to your Subscriptions page. This can typically be accessed using the following methods:
    1. Under the Navigate section of the portal home page, click on Subscriptions.
    2. Click on the Menu button in the top-left corner of the page, and select All Services, then select Subscriptions under the General category.
  3. Click on the Subscription Name of your Subscription.
  4. Click on Access Control (IAM) in the left-hand menu.
  5. Click the Add button.
  6. Select Add role assignment.
  7. Select the desired role for your user, and then click the Next button.
  8. Click the Select members button.
  9. Click on the member(s) that will be assigned the role, and then click the Select button.
  10. Click the Next button.
  11. Confirm the Role and users that will be assigned as members to that role, and then click the Review + Assign button.


For more information on assigning Azure roles to users, please review the following Microsoft support article:


https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal



Elevate a Global Administrator to manage all Azure Subscriptions


When an Azure Subscription is first created, access to that subscription is not automatically granted to any users within the tenant. If our Support Team has been allowed delegated access to the customer tenant, we are able to assign those initial roles as needed. Alternatively, a Global Administrator in the tenant can elevate themselves with User Access Administrator privileges to all Azure Subscriptions and services in the tenant. This process can also be used if an Owner of a Subscription is no longer available.


Note that for security purposes, Microsoft recommends elevated access only be enabled in order to grant the necessary roles to specific Subscriptions or groups in Azure, and that the elevated access be removed once those roles have been assigned.


To Elevate a Global Administrator in Azure:


  1. Log into the Azure Active Directory (Entra) portal at https://entra.microsoft.com/ with your Global Administrator user.
  2. On the Overview page, click on the Properties tab.
  3. Under Access management for Azure resources, click on the toggle to turn it to Yes.
  4. Click on the Save button at the bottom of the page.
  5. Log out of any open Microsoft 365 portals to refresh the account permissions.
  6. Follow the steps in the section above to assign the necessary Azure Roles to your users.


To remove the elevated User Access Administrator privileges, simply repeat the above steps in this section and toggle the Access management for Azure resources setting to No.
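To check that elevated access has served its purpose and can be switched off, the following added example (not part of the original article) audits a role-assignment list for User Access Administrator assignments left at the root scope "/" and for subscriptions that still have no Owner or User Access Administrator of their own. It assumes input in the JSON shape produced by `az role assignment list`; the `audit` function, the principals and the subscription IDs are constructed for illustration.

```python
import json

ROOT_SCOPE = "/"
ELEVATED_ROLE = "User Access Administrator"
ADMIN_ROLES = {"Owner", "User Access Administrator"}
SUB_1 = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed IDs
SUB_2 = "/subscriptions/00000000-0000-0000-0000-000000000002"

# Constructed sample in the shape of `az role assignment list` JSON output.
SAMPLE = [
    {"principalName": "admin@contoso.example",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "ops@contoso.example",
     "roleDefinitionName": "Owner", "scope": SUB_1},
    {"principalName": "dev@contoso.example",
     "roleDefinitionName": "Contributor", "scope": SUB_2},
]


def audit(assignments, subscription_scopes):
    """Report lingering elevated access and subscriptions nobody can administer.

    Assumption: only assignments made directly at subscription scope count as
    subscription administrators (management-group inheritance is ignored).
    """
    elevated = sorted(
        a["principalName"] for a in assignments
        if a["scope"] == ROOT_SCOPE and a["roleDefinitionName"] == ELEVATED_ROLE
    )
    administered = {
        a["scope"].lower().rstrip("/") for a in assignments
        if a["roleDefinitionName"] in ADMIN_ROLES and a["scope"] != ROOT_SCOPE
    }
    unmanaged = sorted(
        s for s in subscription_scopes if s.lower().rstrip("/") not in administered
    )
    return {
        "elevated_principals": elevated,
        "subscriptions_without_admin": unmanaged,
        # Elevation should be switched off as soon as every subscription has
        # its own Owner or User Access Administrator.
        "remove_elevation_now": bool(elevated) and not unmanaged,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, [SUB_1, SUB_2]), indent=2))
```

A non-empty `elevated_principals` list after the toggle has been set back to No means the root-scope assignment is still in place and should be investigated.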


For more information on Elevated access for Global Administrators, please review the following Microsoft support article:


https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin