List “Azure classic subscription administrators” via the Azure Portal or via an Azure PowerShell script


This blog post will show you how to find all active “Azure classic subscription administrators” across any of your Azure Subscriptions using either the Azure Portal or an Azure PowerShell script.

For those who may not be aware, Microsoft is set to retire the Cloud Services (classic) deployment model along with all classic administrators on 31 August 2024*.

*You can find all the details about this announcement made by Microsoft here.


Currently, there aren’t many companies still using the classic deployment model. However, if you happen to be one of them, you are also still using the classic subscription administrator roles: Service Administrator and Co-Administrator.

However, as mentioned earlier, it’s crucial to note that starting on August 31, 2024, Microsoft will begin the process of revoking access for Co-Administrators and Service Administrators.

Microsoft strongly recommends managing access to Azure resources using Azure role-based access control (Azure RBAC) before that date and to replace these classic roles with equivalent Azure roles.

You can replace the Co-Administrators and Service Administrators by using the Owner role at the subscription scope, as it provides equivalent access*.

However, it’s important to note that the Owner role is a highly privileged administrator role that grants full access to manage Azure resources. Therefore, it’s advisable to consider a job function role with more specific permissions, reduce the scope, or add conditions to ensure proper and least-privileged access management.

*You should always assess and evaluate the usage of your Co-Administrators and Service Administrators before you remove or replace them. One way to do this is by utilizing and reviewing the Microsoft Entra sign-in logs.



Find classic subscription administrators using the Azure Portal

To locate any remaining Classic Administrators in your environment, you can start by using the Azure Portal.

Please sign in to the Azure Portal using a user account that has Owner rights for either all subscriptions or the specific subscriptions you wish to review for existing classic administrators.

Next, enter “subscriptions” into the global search box located in the top bar, and then click on “Subscriptions” from the search results.


Next, select the subscription you wish to review, and then navigate to Access control (IAM) and click on Classic administrators to check if there are any Classic administrators currently in use on this subscription.



If there are still some Classic administrators in use, you can then decide to remove them if the user no longer requires access or assign them the Owner or a lower privileged job function role based on their requirements.


Remove a classic subscription administrator using the Azure Portal

To remove a Classic Administrator, simply check the box next to the desired Classic Administrator you wish to remove, and then click on “Remove.”




Executing actions and utilizing the Azure PowerShell script

Of course, it’s easy to find all remaining Azure classic subscription administrators using the Azure Portal if you don’t have many Azure Subscriptions. However, if you have numerous subscriptions, you can use the following Azure PowerShell script to identify them more efficiently, without having to check each Azure subscription individually.

This Azure PowerShell script does all of the following:

  • Remove the breaking change warning messages.
  • Get all Azure subscriptions and store them in a variable.
  • Get and list all Azure classic subscription administrators for each subscription.


To utilize the script, begin by either making a copy and saving it as “Get-all-Azure-classic-subscription-administrators.ps1” or downloading it directly from GitHub. Afterward, you can run the script using Windows Terminal, Visual Studio Code, or Windows PowerShell. Alternatively, you also have the option to execute it directly from Cloud Shell.


Azure PowerShell script

If you are not using Cloud Shell to run the script, remember to sign in with the Connect-AzAccount cmdlet to link your Azure account. If you have multiple Azure tenants, ensure you select the correct one before running the script. You can do this by running the Set-AzContext -tenantID cmdlet.


You can then run the script.

.\Get-all-Azure-classic-subscription-administrators.ps1



<#

.SYNOPSIS

A script used to find all Azure classic subscription administrators from all Azure Subscriptions in an Azure tenant.

.DESCRIPTION

A script used to find all Azure classic subscription administrators from all Azure Subscriptions in an Azure tenant.

The script will do all of the following:

Remove the breaking change warning messages.
Get all Azure subscriptions and store them in a variable.
Get and list all Azure classic subscription administrators for each subscription.

.NOTES

Filename:       Get-all-Azure-classic-subscription-administrators.ps1
Created:        20/03/2024
Last modified:  20/03/2024
Author:         Wim Matthyssen
Version:        1.0
PowerShell:     Azure PowerShell and Azure Cloud Shell
Requires:       PowerShell Az (v10.4.1)
Action:         Change variables where needed to fit your needs.
Disclaimer:     This script is provided "as is" with no warranties.

.EXAMPLE

Connect-AzAccount
Get-AzTenant (if not using the default tenant)
Set-AzContext -tenantID "xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx" (if not using the default tenant)
.\Get-all-Azure-classic-subscription-administrators.ps1

.LINK

https://wmatthyssen.com/2024/03/21/list-azure-classic-subscription-administrators-via-the-azure-portal-or-via-an-azure-powershell-script/
#>


## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

# Time, colors, and formatting
Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime = Get-Date -Format "dddd MM/dd/yyyy HH:mm"} | Out-Null 
$foregroundColor1 = "Green"
$foregroundColor2 = "Yellow"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Remove the breaking change warning messages

Set-Item -Path Env:\SuppressAzurePowerShellBreakingChangeWarnings -Value $true | Out-Null
Update-AzConfig -DisplayBreakingChangeWarning $false | Out-Null
$warningPreference = "SilentlyContinue"

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script started

Write-Host ($writeEmptyLine + "# Script started. Without errors, it takes up to 1 minute to complete" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Get all Azure subscriptions and store them in a variable

$subscriptions = Get-AzSubscription

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Get and list all Azure classic subscription administrators for each subscription

foreach ($sub in $subscriptions) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $classicAdmins = Get-AzRoleAssignment -IncludeClassicAdministrators | Where-Object {$_.RoleDefinitionName -like "*ServiceAdministrator*" -or $_.RoleDefinitionName -like "*CoAdministrator*"}
    Write-Output "Subscription: $($sub.Name) - $($sub.Id)"
    if ($classicAdmins) {
        foreach ($admin in $classicAdmins) {
            Write-Host ($writeEmptyLine + "# Classic Administrator: $($admin.SignInName)" + $writeSeperatorSpaces + $currentTime)`
            -foregroundcolor $foregroundColor2 $writeEmptyLine 
            #Write-Output "Classic Administrator: $($admin.SignInName)" -foregroundcolor $foregroundColor2
        }
    } else {
        Write-Host ($writeEmptyLine + "# No classic administrators found" + $writeSeperatorSpaces + $currentTime)`
        $writeEmptyLine 
        #Write-Output "No classic administrators found."
    }
    Write-Output ""
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script completed

Write-Host ("# Script completed" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
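The script above tells you who still holds a classic role; the guidance earlier in the post (replace Co-Administrators and Service Administrators with Owner or, better, a narrower job-function role, and assess each account before removing it) also needs to know whether each classic administrator already has an Azure RBAC assignment. The following function is an added example, not part of the original post or the author's GitHub script. It reuses the same Get-AzRoleAssignment -IncludeClassicAdministrators call, splits the result into classic and RBAC assignments, and reports for every classic administrator which RBAC roles the same sign-in already holds at subscription or parent scope. The function name, the output property names and the recommendation text are my own choices; it assumes an existing Connect-AzAccount session and the Az.Resources module.

```powershell
# Added example (not from the original post): report, per subscription, whether each
# classic administrator already holds an Azure RBAC role, so the classic assignment can be
# removed (or replaced with a least-privilege role) without silently cutting off access.
# Assumes Connect-AzAccount has been run and the Az.Resources module is available.

function Get-ClassicAdminRbacCoverage {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId
    )

    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    $subScope = "/subscriptions/$SubscriptionId"

    # One call returns both RBAC assignments and (with the switch) the classic administrators
    $assignments = Get-AzRoleAssignment -IncludeClassicAdministrators

    # Classic admins surface with RoleDefinitionName values such as
    # "ServiceAdministrator;AccountAdministrator" or "CoAdministrator"
    $isClassic = { $_.RoleDefinitionName -like "*ServiceAdministrator*" -or $_.RoleDefinitionName -like "*CoAdministrator*" }
    $classic   = $assignments | Where-Object $isClassic
    $rbac      = $assignments | Where-Object { -not (& $isClassic) }

    foreach ($admin in $classic) {
        # Only RBAC roles at subscription scope or above (management group / root) replace a
        # classic role; resource-group scoped roles are narrower and are listed separately
        $sameUser  = $rbac | Where-Object { $_.SignInName -eq $admin.SignInName }
        $broad     = $sameUser | Where-Object {
            $_.Scope -eq $subScope -or $_.Scope -eq "/" -or $_.Scope -like "/providers/Microsoft.Management/managementGroups/*"
        }
        $narrow    = $sameUser | Where-Object { $_.Scope -ne $subScope -and $_.Scope -like "$subScope/*" }

        $recommendation = if ($broad | Where-Object { $_.RoleDefinitionName -eq "Owner" }) {
            "Owner already assigned via RBAC; classic role is redundant, remove it"
        } elseif ($broad) {
            "Subscription-wide RBAC role present; confirm it covers the user's tasks, then remove the classic role"
        } elseif ($narrow) {
            "Only resource-group scoped roles; check Entra sign-in logs, then extend scope or remove the classic role"
        } else {
            "No RBAC role at all; review usage and assign a job-function role (or Owner) before 31 August 2024"
        }

        [pscustomobject]@{
            SubscriptionId  = $SubscriptionId
            SignInName      = $admin.SignInName
            ClassicRole     = $admin.RoleDefinitionName
            BroadRbacRoles  = ($broad.RoleDefinitionName | Sort-Object -Unique) -join ", "
            NarrowRbacRoles = ($narrow.RoleDefinitionName | Sort-Object -Unique) -join ", "
            Recommendation  = $recommendation
        }
    }
}

# Usage: run across every subscription the signed-in account can see
Get-AzSubscription | ForEach-Object { Get-ClassicAdminRbacCoverage -SubscriptionId $_.Id } |
    Format-Table SubscriptionId, SignInName, ClassicRole, BroadRbacRoles, Recommendation -AutoSize
```

The match on SignInName is deliberate: classic administrators are returned by user principal name rather than object id, so the RBAC side is compared the same way (PowerShell's -eq is case-insensitive, which suits UPNs). Treat the Recommendation column as a starting point for the review the post recommends, not as an automatic decision; a user whose only RBAC role is Reader is "covered" in this output but may still need a broader job-function role.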


Conclusion

Microsoft plans to retire the Cloud Services (classic) deployment model, including all Azure classic subscription administrators, on August 31, 2024. While many companies have already transitioned away from this model, there may still be some using it.

So, I hope that the steps outlined in this blog post and the Azure PowerShell script provided will be useful for simplifying the process of finding all remaining Azure classic subscription administrators in their Azure tenant(s).

If you have any questions or suggestions regarding this blog post or the script, please don’t hesitate to contact me via my X handle (@wmatthyssen) or leave a comment. I’ll be more than happy to assist you.


Wim is an Azure Technical Advisor and Trainer with over fifteen years of Microsoft technology experience. As a Microsoft Certified Trainer (MCT), his strength is assisting companies in the transformation of their businesses to the Cloud by implementing the latest features, services, and solutions. Currently, his main focus is on the Microsoft Hybrid Cloud Platform, and especially on Microsoft Azure and the Azure hybrid services.   Wim is also a Microsoft MVP in the Azure category and a founding board member of the MC2MC user group. As a passionate community member, he regularly writes blogs and speaks about his daily experiences with Azure and other Microsoft technologies.
