How to Grant Admin Rights to User in Azure Portal

In this comprehensive tutorial, I will walk you through the distinct administrative frameworks within Azure, show you the step-by-step process to grant admin rights securely via the Azure Portal, and share production-level governance strategies to keep your cloud environment secure.

How to Grant Admin Rights to User in Azure Portal

The Two Halves of Azure Administration: IAM vs. Entra ID

Before clicking anything in the portal, you must understand a critical architectural concept. Azure divides administrative privileges into two completely separate control planes:

  • Azure Identity Administrators (Microsoft Entra ID Roles): This tier governs your identity perimeter. It includes tenant-level management tasks, such as creating user accounts, adjusting enterprise domain settings, assigning software licenses, and configuring global multi-factor authentication (MFA) rules.
  • Azure Resource Administrators (Azure RBAC Roles): This plane controls your actual cloud infrastructure resources. It handles permissions for managing virtual networks, provisioning virtual machines, tuning databases, and deploying storage accounts.

The table below breaks down these two domains side-by-side so you can select the correct path for your team:

Administrative ScopeGovernance LayerCore Privileged RolesPrimary Operational Actions
Directory Tenant LevelMicrosoft Entra IDGlobal Administrator, User Administrator, Helpdesk AdministratorManaging user accounts, configuring SSO apps, registering corporate domains
Infrastructure Resource LevelAzure RBACOwner, Contributor, User Access AdministratorDeleting VMs, provisioning storage accounts, altering virtual network routing

Managing the Infrastructure: Granting Resource Admin Rights (RBAC)

If your goal is to let a cloud engineer manage infrastructure assets—like a cluster of web applications inside a specific subscription—you will use Azure Role-Based Access Control (RBAC).

Step 1: Define Your Target Scope

Azure applied permissions hierarchically: Management Groups $\rightarrow$ Subscriptions $\rightarrow$ Resource Groups $\rightarrow$ Individual Resources.

Always assign roles at the lowest possible level that still allows the user to do their job. If a developer only needs to manage test machines in a dev environment, grant access at the specific Resource Group level—not the entire Subscription.

Step 2: Open Identity and Access Management (IAM)

  1. Sign in to the Azure Portal using an account that holds Owner or User Access Administrator privileges at the targeted scope.
  2. Navigate to the top search bar and search for the scope you want to manage (e.g., click Subscriptions or Resource groups).
  3. Select your specific target asset from the provided interface list.
  4. Look at the left navigation menu blade and click on Access control (IAM).

Check out the screenshot below for your reference.

How to Grant Admin Rights to User in Azure Portal

Step 3: Configure the Role Assignment

  1. Inside the IAM dashboard, click the + Add button at the top, then select Add role assignment from the dropdown options.
  2. Under the Role tab, browse to the Privileged administrator roles filter option.
  3. Choose the appropriate admin level:
    • Owner: Full access to manage all resources and the ability to assign permissions to other users.
    • Contributor: Full access to manage all resources, but cannot alter permissions for others.
  4. Click Next.
  5. On the Members tab, ensure User, group, or service principal is checked, then click Select members.
  6. Type the exact email address or corporate name of the target user in the lookup text field, click their name, and click the Select button.
  7. Click Review + assign to write the configuration changes to the Azure resource group. Check out the screenshot below for your reference.
how to assign user access administrator role in azure
How to Grant Admin Rights to User in Azure
how to grant user access administrator role in azure
Grant Admin Rights to User in Azure

Managing the Directory: Granting Identity Admin Rights (Entra ID)

If you need to empower an IT support agent to manage user identities, reset passwords, or onboard contractors, you must grant them directory-level privileges within Microsoft Entra ID.

Step 1: Access the Identity Tenant

  1. From anywhere within the Azure Portal, click the search bar at the top of the window.
  2. Search for and select Microsoft Entra ID.
  3. In the left navigation pane under the Manage section, select Roles and administrators.

Step 2: Select the Administrative Assignment Type

  1. You will see an expansive list of built-in identity roles. Use the top search box to filter the list:
    • Global Administrator: Full, unrestricted privileges to every directory service. Limit this role to a maximum of 2 to 3 break-glass accounts.
    • User Administrator: Grants permissions to create accounts, modify user profiles, and trigger password reset tasks.
    • Privileged Role Administrator: Grants the authority to manage the assignment of directory roles themselves.
  2. Click directly on the blue hyperlink title of the role you want to assign (e.g., click User Administrator).
  3. Click + Add assignments located at the top of the menu options.

Step 3: Bind the Identity to the Role

  1. In the flyout search field, search for the user account you want to elevate.
  2. Check the box next to their name and click Add.
  3. The user’s account will now possess directory administration authority. For security, have the user sign out and log back in to refresh their security token in the browser.

Advanced Governance: PIM and Least Privilege

In large cloud deployments, granting permanent administrative privileges is a risky practice. If an administrator’s account is compromised, your entire cloud infrastructure is exposed. To minimize this risk, implement the following advanced governance frameworks:

Implementing the Principle of Least Privilege (PoLP)

Never default to the Owner or Global Administrator roles out of convenience. If a team lead only needs to maintain virtual infrastructure, use the Virtual Machine Contributor role. Matching permissions precisely to operational job functions limits your blast radius if an account is compromised.

Transitioning to Just-In-Time (JIT) Access via PIM

If your organization utilizes a Microsoft Entra ID P2 or Microsoft Entra ID Governance license tier, stop using permanent active role assignments. Instead, leverage Privileged Identity Management (PIM).

With PIM:

  • You configure a user as Eligible for an administrative role rather than permanently Active.
  • When the engineer needs to perform an administrative task, they navigate to the PIM portal blade and request to activate the role.
  • The activation workflow can enforce security checks: requiring a multi-factor authentication (MFA) check, providing a valid business ticket justification number, or routing the request to a senior manager for manual approval.
  • Once approved, the role activates for a limited window (e.g., 4 hours) and automatically deactivates afterward, keeping your permanent attack surface at zero.

Video Tutorial

Conclusion

By establishing clear role separation, scoping permissions tightly, and moving away from permanent active permissions, you protect your environment from accidental data loss and security breaches. Keep your scopes tight, your assignments audited, and your cloud architectures fully secure!

You may also like the following articles:

Azure Virtual Machine

DOWNLOAD FREE AZURE VIRTUAL MACHINE PDF

Download our free 25+ page Azure Virtual Machine guide and master cloud deployment today!