Ed Mondek has created an excellent graph that helps to understand the relationship between the level of delegation, the roles and the scope of eligibility. It also includes the management levels and units of Azure (Portal):

"By default, the Account Administrator is also the Service Administrator for a new subscription. The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. The Service Administrator has full access to the Azure portal." (Source: Classic subscription administrator roles, Azure roles, and Azure AD roles)

You can provide access to your billing information in the Azure portal. The types of billing roles and the instructions for granting access to billing information vary depending on the type of your billing account. To find out which type of billing account you have, see Check the type of your billing account.

If your enterprise administrator can't help you, create a support case in the Azure Enterprise portal. Provide the following information:

Enterprise administrators are listed as billing account owners, while enterprise administrators with read-only rights are listed as billing account readers. If you think enterprise administrators have no access, you can grant them access in the Azure portal. For more information, see Manage billing roles in the Azure portal.
Consider the role "Account Owner": this role has the right to "manage resources in the Azure portal" (as also shown in the EA administration RBAC matrix). The same table shows that changing the "Account Owner" role is a permission assigned to the EA portal roles "Enterprise Administrator" and "Department Administrator" (for accounts in their department).

The Azure EA portal helps you manage your Azure EA costs and usage. There are three main roles in the Azure EA portal:

Some organizations delegate Azure AD directory roles such as "Password Administrator" or "Authentication Administrator" to their local help desk or 1st-level support team. At first glance, this delegation does not seem risky or prone to privilege escalation. The role descriptions state that only the authentication methods and password resets of non-administrator users can be managed. As already mentioned in other blog posts, this does not exclude users holding authorization roles such as "Azure Subscription Owner" or, in this case, "EA Admin", because these are not Azure AD administrator roles and therefore do not fall under the reset restriction. Keep that in mind!

Enterprise administrators have the most privileges for managing an Azure EA enrollment. The initial Azure EA administrator was created when the EA agreement was set up.
However, you can add or remove administrators at any time. New administrators can only be added by existing administrators. For more information about adding additional enterprise administrators, see Create another enterprise administrator.

For more information about billing profile roles and tasks, see Billing profile roles and tasks. The details of the administrator roles in MCA (Microsoft Customer Agreement) are documented by Microsoft. These roles exist in addition to the built-in Azure RBAC roles and can only delegate billing management permissions.

In this example, I have just added another user account as a "Co-Administrator" in the classic administrator roles.

Before you can create an Azure EA (Enterprise Agreement) subscription, your account must be added to the Account Owner role by the administrator of your EA enrollment in the Azure EA portal.
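The help-desk delegation problem described above (Password/Authentication Administrators may reset passwords of anyone who is not an Azure AD administrator, which includes subscription Owners and EA administrators) is easy to audit once all three role models are inventoried together. The following is an added example, not code from the original post or from Microsoft: it takes a constructed inventory of directory roles, Azure RBAC assignments and EA portal roles and reports every account that holds a high-value non-directory role while still being resettable by the help desk. The `PROTECTED_DIRECTORY_ROLES` set is an illustrative subset (an assumption for this example); Microsoft's published list of roles protected from help-desk resets is longer, and a real check would pull the assignments from Microsoft Graph, Azure RBAC and the EA portal instead of the constructed sample.

```python
from dataclasses import dataclass, field

# Azure AD directory roles commonly delegated to a help desk. Members may reset
# passwords / manage authentication methods of NON-administrator users only.
HELPDESK_DIRECTORY_ROLES = {"Password Administrator", "Authentication Administrator"}

# Illustrative subset (assumption for this example) of directory roles whose members
# are protected from help-desk resets. Microsoft's published list is longer.
PROTECTED_DIRECTORY_ROLES = {
    "Global Administrator",
    "Privileged Authentication Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "User Administrator",
    "Authentication Administrator",
    "Password Administrator",
}

# High-privilege roles that live OUTSIDE the directory role model and are therefore
# not covered by the reset restriction: Azure RBAC on subscriptions and EA portal roles.
HIGH_VALUE_RBAC_ROLES = {"Owner", "User Access Administrator"}
HIGH_VALUE_EA_ROLES = {"Enterprise Administrator", "Department Administrator", "Account Owner"}


@dataclass
class Principal:
    upn: str
    directory_roles: set = field(default_factory=set)
    rbac_assignments: dict = field(default_factory=dict)  # scope -> Azure RBAC role name
    ea_roles: set = field(default_factory=set)


def helpdesk_can_reset(p: Principal) -> bool:
    """True if a Password/Authentication Administrator may reset this user's password."""
    return not (p.directory_roles & PROTECTED_DIRECTORY_ROLES)


def high_value_roles(p: Principal) -> set:
    """Privileged roles the user holds outside the Azure AD directory role model."""
    found = set()
    for scope, role in p.rbac_assignments.items():
        if role in HIGH_VALUE_RBAC_ROLES:
            found.add(f"{role} @ {scope}")
    for role in p.ea_roles:
        if role in HIGH_VALUE_EA_ROLES:
            found.add(f"EA:{role}")
    return found


def find_exposed(principals) -> dict:
    """Map UPN -> sorted high-value roles for every account the help desk could take over."""
    exposed = {}
    for p in principals:
        roles = high_value_roles(p)
        if roles and helpdesk_can_reset(p):
            exposed[p.upn] = sorted(roles)
    return exposed


# Constructed sample inventory (not real tenant data)
SAMPLE_PRINCIPALS = [
    Principal("alice@contoso.example", rbac_assignments={"/subscriptions/sub-prod": "Owner"}),
    Principal("bob@contoso.example", directory_roles={"Global Administrator"},
              rbac_assignments={"/subscriptions/sub-prod": "Owner"}),
    Principal("carol@contoso.example", ea_roles={"Enterprise Administrator"}),
    Principal("dave@contoso.example", rbac_assignments={"/subscriptions/sub-dev": "Reader"}),
    Principal("erin@contoso.example", directory_roles={"Password Administrator"}),
]

if __name__ == "__main__":
    for upn, roles in find_exposed(SAMPLE_PRINCIPALS).items():
        print(f"{upn}: resettable by help desk, holds {', '.join(roles)}")
```

In the sample, `bob` is a Global Administrator and therefore protected, `dave` holds only Reader, and `erin` is the help-desk account itself; the two findings are `alice` (subscription Owner with no directory role) and `carol` (EA Enterprise Administrator), which is exactly the gap the role descriptions hide.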