Team Member Permission under Azure Work or School Account

Published on Monday, June 27, 2016

Azure Work or School Account is the new name of old Azure Organization Account. About how to set a team member to use Azure under Visual Studio Enterprise with MSDN subscription (old name was Visual Studio Ultimate subscription), I forwarded previously this link to our company's subscription administrator.

(Update on July 1, 2016: We confirm the Co-Admin role settings is the right solution which we mentioned in this article, please check the bottom of this article )

What the problem we met on Azure Work Account firstly ?

Our VS subscription Administrator has assigned a role to me, however, I only could access the application stuff on Azure, for example, I could create a web site (web app) on Azure successfully. but I could not create any resource-related stuff such as creating database, creating Virtual Machines, creating IoT Hub etc.

The following was the error message I got:

Registering the resource providers has failed. Additional details from the underlying API that might be helpful: ‘AuthorizationFailed’ - The client 'live.com#xxx@xxx.xx' with object id ‘6e6ef15a-0d1d-474a-9b31-2e3d8b0569c5’ does not have authorization to perform action 'Microsoft.Compute/register/action' over scope ‘/subscriptions/33a3e553-f0c7-4c3c-9e62-xxxxxxxxx’. (Code: AuthorizationFailed)

Our Administrator assigned me to “Contributor” role originally, I did not know which exactly "Contributor" role he set for me, because there are at least 2 different “Contributor” roles on Azure (I do not know if there are any other 'Contributor'): one is on Visual Studio Subscription, another one is on Resource Group;

From my view, those 2 Contributors roles are on 2 different levels: the Visual Studio Subscription level seems be the top advanced level over Resource Group.

What I suggested to change my Work Account ?

For limited my permission, I firstly suggest our subscription Administer to change my role to “Owner” of Resource Group from "Contributor" role. What I thought was if this setting could allow me access Azure Resources, then I do not need higher level permission.

image

Unfortunately, I still got the same error which I met originally when I tried to create any resource-related services on Azure.

What is new I should suggest ?

Since I do not have Administrator permission, any further settings updating should be handled by our Subscriber Administrator, so I stop suggesting to him since we did not feel the process was convenient.

However, due to my mentions previously, if the Resource Group level settings does not work, we should try Visual Studio Subscription level permission. But, since I could not try, I still do not make sure if it works.

I found other cases might be the proves to support my guessing:

  • I do not only can't accessing the resource-related Azure services, but also I can't access the Azure Classic portal since part of services are only available in Classic Azure Portal I need to access classic portal;

I found Azure team has already given answer for this issue here:

This happens when you don’t have classic service/co-admin access to a subscription. If you only have RBAC (e.g. owner, contributor, reader) access, you can only use the new portal.

  • An Azure subscription can have up to 200 Co-Administrators. (see here)
image

So, the next try should be changing my role to a Visual Studio Subscription Co-Administrator role ?

If yes, then this web page also has given the step of how to add an admin for a subscription which includes setting co-administrator to a user.

I will update this blog after I confirm in the future.

Update on July 1 2016:

Yes, our guess was confirmed, it is correct solution. Just ask your Visual Studio Subscription manager set you a Co-Admin role, it is the right solution. How about how to set you as Co-Admin role, please check the previous link which we have provided.