One of the first things to do on Azure Government, once you've been provisioned and logged in, is to begin giving access to the subscription to additional people on your development team. This is easy to do - but the question between "User Account" and "Administrator" often comes up.
In the Cloud - the concepts of Identity and Compute (which is your IaaS, PaaS, and all the other stuff that runs workloads) is separate and distinct. You have Azure Active Directory that maintains the Identity plane and Azure maintaining your subscription. The two keep in sync to control administrative authentication and authorization to your services. Diagram below:
Thus, to setup someone to access your subscription there are two steps:
- Create a new User Account for him/her in your Azure Government Azure Active Directory tenant.
- Configure him as a co-administrator to your subscription through the Azure Government management Portal.
To create a new User Account, first login to your subscription at manage.windowsazure.us. Go to Active Directory icon > Select your directory > Select users. Click add at the bottom of the screen.
Follow the on-screen prompts to create a new User Account. Some explanations of the fields:
- User Name: This will be what he/she will use to login.
- Display Name: ID for the User Account. Not necessarily unique and usually the same as the User Name
- Role: Options include Global Admin and User. Global Admins have RW rights to your entire AAD. Users only have R. **Note: Again, this is only speaking in the AAD context. Selecting a Role here does not have any effect on the User Accounts right to the subscription.
Once you've created the User Account you will be granted the option to send them an automated mail with their temporary password. You can use the Azure service - or you can just copy the temporary password and get it to the user in question manually.
Now that you've created a brand new User Account it's time to give it access to your subscription. Doing so is very easy - select the Settings Icon > Administrators > Click Add at the bottom of the screen. Enter the newly created User Accounts username and select the subscription you want him/her to have access to.
And that's it!
You've just created a new user account and configured it as a co-administrator. Now when the owner of that user account logins to manage.windowsazure.us he/she will be able to access the subscription(s) you gave him/her access to.