# Legacy Administration

Classic subscription administrator and Global Administrator operations for legacy Azure administration scenarios and elevated access: listing the classic Service Administrator and Co-Administrator accounts of a subscription, and elevating a Global Administrator so that it can manage Azure RBAC for every subscription and management group in the tenant.

## Capabilities

### Classic Administrators Management

List the classic Azure subscription administrators (the legacy Service Administrator and Co-Administrator accounts). Only listing is exposed through this API; classic administrators cannot be added or removed with it.

```python { .api }
def list() -> Iterator[ClassicAdministrator]:
    """
    List classic administrators for the subscription the client was created for.

    Returns:
        Iterator of ClassicAdministrator objects representing legacy administrators
        (a paged result that is consumed by iterating over it)
    """
```

### Global Administrator Operations

Elevate a Global Administrator's access so it can manage Azure RBAC for all subscriptions and management groups in the tenant. The operation acts on the tenant as a whole, not on the client's subscription.

```python { .api }
def elevate_access() -> None:
    """
    Elevate access for the calling Global Administrator to manage all Azure
    subscriptions and management groups in the tenant. The operation assigns the
    caller the User Access Administrator role at the root scope ("/"); with that
    role the caller can then assign any role at any scope in the tenant.

    Note: The caller must be a Global Administrator in Microsoft Entra ID. This is
    a privileged operation that should be used only when necessary for tenant-wide
    administration and reversed afterwards by deleting the root-scope assignment.
    """
```

## Usage Examples

### Listing Classic Administrators

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Initialize client; classic administrators are listed per subscription
credential = DefaultAzureCredential()
client = AuthorizationManagementClient(
    credential=credential,
    subscription_id="your-subscription-id",
)

# List classic administrators (a paged iterator; pages are fetched lazily)
classic_admins = client.classic_administrators.list()

print("Classic Administrators:")
for admin in classic_admins:
    print(f"Email: {admin.email_address}")
    # e.g. "ServiceAdministrator" or "CoAdministrator"; several values may be joined by ';'
    print(f"Role: {admin.role}")
    print(f"Type: {admin.type}")
    print("---")
```

### Elevating Global Administrator Access

```python
from azure.core.exceptions import HttpResponseError

# Requires the caller to be a Global Administrator in Microsoft Entra ID.
# The call is tenant-wide: the subscription_id the client was built with
# plays no part in it.
try:
    client.global_administrator.elevate_access()
    print("Global Administrator access elevated successfully")
    print("User Access Administrator role assigned at root scope '/'")

except HttpResponseError as e:
    print(f"Failed to elevate access: HTTP {e.status_code}: {e.message}")
    # Common reasons for failure:
    # - The caller is not a Global Administrator (HTTP 403)
    # - The token predates activation of the Global Administrator role
    #   (for example through PIM); acquire a fresh token and retry
```

### Checking Current Administrator Status

<!-- Note: This combines both classic and modern role checking -->
```python
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Classic administrators live outside Azure RBAC and never show up in role
# assignment listings, so they have to be checked separately
classic_admins = list(client.classic_administrators.list())
print(f"Classic administrators count: {len(classic_admins)}")

# Azure RBAC Owners effective at subscription scope. The role assignment list
# API only supports the $filter expressions atScope() and principalId eq '...'
# (roleDefinitionId is not a valid filter), so the role is matched client-side.
# atScope() returns assignments made at the subscription plus those inherited
# from management groups or the root scope.
rbac_owners = [
    a for a in client.role_assignments.list_for_subscription(filter="atScope()")
    if (a.role_definition_id or "").lower().endswith(OWNER_ROLE_ID)
]

print("Modern RBAC Owners:")
for assignment in rbac_owners:
    print(f"Principal: {assignment.principal_id}")
    print(f"Scope: {assignment.scope}")  # "/" or a management group means inherited
```

## Types

### Classic Administrator Types

```python { .api }
class ClassicAdministrator:
    id: Optional[str]             # resource ID below the subscription
    name: Optional[str]
    type: Optional[str]           # "Microsoft.Authorization/classicAdministrators"
    email_address: Optional[str]
    role: Optional[str]           # "ServiceAdministrator", "CoAdministrator" or "AccountAdministrator";
                                  # several values may be joined by ';' (e.g. "ServiceAdministrator;AccountAdministrator")

class ClassicAdministratorProperties:
    email_address: Optional[str]
    role: Optional[str]
```

## Constants

### Classic Administrator Roles

```python { .api }
class ClassicAdministratorRole:
    SERVICE_ADMINISTRATOR = "ServiceAdministrator"
    CO_ADMINISTRATOR = "CoAdministrator"

class ClassicAdministratorType:
    CLASSIC_SUBSCRIPTION_ADMINISTRATOR = "Microsoft.Authorization/classicAdministrators"
```

## API Version Support

### Classic Administrators
- **API Version**: 2015-07-01, 2015-06-01
- **Status**: Legacy. Microsoft retired the classic Co-Administrator and Service Administrator roles on August 31, 2024; the listing API remains useful for finding accounts that still lack an Azure RBAC equivalent
- **Scope**: Subscription level only

### Global Administrator
- **API Version**: 2015-07-01
- **Status**: Active (required for tenant-wide management)
- **Scope**: Tenant root level (`/`)

## Migration Considerations

### From Classic to Modern RBAC

Classic administrators are legacy and should be migrated to Azure RBAC roles. Both classic roles carried Owner-equivalent rights on the subscription, so the mapping below is a starting point; apply least privilege and choose the narrowest role that still covers the account's actual duties:

1. **Service Administrator** → **Owner** role at subscription scope
2. **Co-Administrator** → **Owner** or **Contributor** role at subscription scope (Contributor cannot manage role assignments, which is usually the safer default)

An Azure RBAC assignment is keyed by the principal's Microsoft Entra object ID, whereas a classic administrator record carries only an email address, so each address has to be resolved to an object ID first (for example via Microsoft Graph). Personal Microsoft accounts and guests from other tenants may not resolve and need manual handling.

```python
# Example migration: give each Co-Administrator an Azure RBAC assignment
import uuid
from azure.mgmt.authorization.models import RoleAssignmentCreateParameters

subscription_id = "your-subscription-id"
scope = f"/subscriptions/{subscription_id}"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"

# Map each classic admin email to its Entra object ID beforehand (e.g. via
# Microsoft Graph); addresses that do not resolve are reported, not guessed.
object_ids = {"co-admin@example.com": "00000000-0000-0000-0000-000000000000"}  # placeholder

for admin in client.classic_administrators.list():
    roles = {r.strip() for r in (admin.role or "").split(";")}  # may hold several values
    if "CoAdministrator" not in roles:
        continue
    principal_id = object_ids.get((admin.email_address or "").lower())
    if principal_id is None:
        print(f"Skipping {admin.email_address}: no Entra object ID resolved")
        continue

    # Create the equivalent RBAC assignment
    assignment_params = RoleAssignmentCreateParameters(
        role_definition_id=f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR_ROLE_ID}",
        principal_id=principal_id,
        principal_type="User",
    )
    client.role_assignments.create(
        scope=scope,
        role_assignment_name=str(uuid.uuid4()),  # assignment names must be GUIDs
        parameters=assignment_params,
    )
    print(f"Migrated {admin.email_address} from Co-Administrator to Contributor")
```
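
Extending the migration above, as an added example that is not SDK or project code: a planning step that compares the classic administrator list with the role assignments already present at subscription scope, so the migration is idempotent (no duplicate Owner or Contributor grants) and every account that cannot be resolved to an Entra object ID is reported rather than silently skipped. It covers both classic roles, not just Co-Administrators. `plan_migration()` is pure and runs offline on the constructed sample data in `demo_plan()`; only `apply_plan()` talks to Azure. The email-to-object-ID mapping is an assumed input built beforehand (for example from Microsoft Graph), and the sample GUIDs and addresses are made up.

```python
"""Idempotent classic-administrator to Azure RBAC migration planner.

Added example, not azure-mgmt-authorization code. plan_migration() is pure
and testable offline; apply_plan() is the only function that calls Azure.
"""
from dataclasses import dataclass, field
from types import SimpleNamespace
import uuid

OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"


@dataclass
class PlannedAssignment:
    email: str
    principal_id: str
    role_id: str  # bare role definition GUID


@dataclass
class Plan:
    create: list = field(default_factory=list)      # PlannedAssignment to create
    covered: list = field(default_factory=list)     # emails already holding an equivalent role
    unresolved: list = field(default_factory=list)  # emails with no Entra object ID


def role_guid(role_definition_id):
    """Bare GUID from a full roleDefinitionId path, lower-cased."""
    return (role_definition_id or "").rsplit("/", 1)[-1].lower()


def target_role(classic_role):
    """Target RBAC role GUID for a classic role string (may hold several values
    joined by ';'), or None. Assumption: Co-Administrators get Contributor, which
    is narrower than their Owner-equivalent classic rights."""
    roles = {r.strip() for r in (classic_role or "").split(";")}
    if "ServiceAdministrator" in roles:
        return OWNER
    if "CoAdministrator" in roles:
        return CONTRIBUTOR
    return None  # e.g. a bare AccountAdministrator: no RBAC equivalent, review manually


def plan_migration(classic_admins, existing_assignments, object_ids, subscription_id):
    """classic_admins: objects with .email_address/.role (ClassicAdministrator)
    existing_assignments: objects with .principal_id/.role_definition_id/.scope (RoleAssignment)
    object_ids: {email lower-cased -> Entra object ID}, resolved beforehand (assumed input)"""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    held = {}  # principal ID -> role GUIDs held directly at subscription scope
    for a in existing_assignments:
        if (a.scope or "").lower() == sub_scope:
            held.setdefault(a.principal_id.lower(), set()).add(role_guid(a.role_definition_id))
    plan = Plan()
    for admin in classic_admins:
        target = target_role(admin.role)
        if target is None:
            continue
        email = (admin.email_address or "").lower()
        pid = object_ids.get(email)
        if pid is None:
            plan.unresolved.append(email)
            continue
        roles = held.get(pid.lower(), set())
        if OWNER in roles or target in roles:  # Owner already covers either target
            plan.covered.append(email)
        else:
            plan.create.append(PlannedAssignment(email, pid, target))
    return plan


def apply_plan(client, plan, subscription_id):
    """Create the planned assignments; returns the generated assignment names."""
    from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
    scope = f"/subscriptions/{subscription_id}"
    names = []
    for item in plan.create:
        name = str(uuid.uuid4())  # assignment names must be GUIDs
        client.role_assignments.create(
            scope=scope, role_assignment_name=name,
            parameters=RoleAssignmentCreateParameters(
                role_definition_id=f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{item.role_id}",
                principal_id=item.principal_id, principal_type="User"))
        names.append(name)
    return names


# Constructed sample data (made-up GUIDs and addresses) so the planner runs offline.
SAMPLE_SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE_ADMINS = [
    SimpleNamespace(email_address="svc@contoso.com", role="ServiceAdministrator;AccountAdministrator"),
    SimpleNamespace(email_address="co@contoso.com", role="CoAdministrator"),
    SimpleNamespace(email_address="ext@outlook.com", role="CoAdministrator"),
    SimpleNamespace(email_address="cov@contoso.com", role="CoAdministrator"),
]
SAMPLE_ASSIGNMENTS = [  # svc already Owner; co only Contributor on a resource group; cov Contributor
    SimpleNamespace(principal_id="aaaa", scope=f"/subscriptions/{SAMPLE_SUB}",
                    role_definition_id=f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Authorization/roleDefinitions/{OWNER}"),
    SimpleNamespace(principal_id="bbbb", scope=f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg1",
                    role_definition_id=f"/providers/Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR}"),
    SimpleNamespace(principal_id="cccc", scope=f"/subscriptions/{SAMPLE_SUB}",
                    role_definition_id=f"/providers/Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR}"),
]
SAMPLE_OBJECT_IDS = {"svc@contoso.com": "aaaa", "co@contoso.com": "bbbb", "cov@contoso.com": "cccc"}


def demo_plan():
    return plan_migration(SAMPLE_ADMINS, SAMPLE_ASSIGNMENTS, SAMPLE_OBJECT_IDS, SAMPLE_SUB)
```

Against the sample data the plan creates one Contributor assignment (co@contoso.com, whose existing Contributor grant is only on a resource group), treats svc@contoso.com and cov@contoso.com as already covered, and lists ext@outlook.com as unresolved. With a real client, feed `list(client.classic_administrators.list())` and `list(client.role_assignments.list_for_subscription(filter="atScope()"))` into `plan_migration()`, review `plan.create` and `plan.unresolved`, and only then call `apply_plan()`.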

## Security Considerations

### Global Administrator Elevation

The `elevate_access()` operation is highly privileged and should be used with caution:

**Security Best Practices**:
1. **Just-in-Time**: Only elevate when necessary, and delete the root-scope assignment as soon as the task is done
2. **Audit**: Elevation events are written to the Azure Activity Log at tenant level; alert on them and on any role assignment created at scope `/`
3. **Justification**: Document the business justification for each elevation
4. **Time-Boxing**: Treat elevation as a short-lived session and remove the assignment in the same change window, rather than relying on reminders
5. **Principle of Least Privilege**: Use more targeted roles (for example Owner on a single management group) when they suffice

**Elevated Access Scope**:
- Grants the User Access Administrator role at root scope (`/`)
- Covers ALL subscriptions and management groups in the tenant, including ones the Global Administrator could not see before
- Is an ordinary Azure RBAC assignment: it appears in role assignment listings at scope `/` and is removed like any other assignment; it does not bypass RBAC, it lets the holder rewrite it anywhere
- Should be removed after administrative tasks are complete

### Classic Administrator Security

Classic administrators have broad permissions:
- Service Administrator has full subscription access (equivalent to Owner at subscription scope)
- Co-Administrators have the same subscription access as the Service Administrator, but cannot change who the Service Administrator is
- These roles sit outside Azure RBAC: they cannot be scoped below the subscription, carry no conditions, are not managed through Privileged Identity Management, and do not appear in role assignment listings, so access reviews that only look at RBAC miss them
- Migration to modern RBAC provides better security controls

## Error Handling

Failed requests surface as `azure.core.exceptions.HttpResponseError` (a 401 is raised as its subclass `ClientAuthenticationError`). azure.core defines no `ForbiddenError` or `BadRequestError`, so branch on `status_code`:

```python
from azure.core.exceptions import ClientAuthenticationError, HttpResponseError

try:
    client.global_administrator.elevate_access()
except ClientAuthenticationError:
    print("Not authenticated - the credential could not obtain a valid token")
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - the caller is not a Global Administrator")
    else:
        print(f"Elevation failed: HTTP {e.status_code}: {e.message}")

try:
    classic_admins = list(client.classic_administrators.list())
except HttpResponseError as e:
    if e.status_code == 403:
        print("Insufficient permissions to list classic administrators")
    else:
        raise
```

## Limitations

### Classic Administrators
- **Legacy**: Microsoft recommends migrating to modern RBAC; the classic roles themselves are retired
- **Limited API**: Only listing operations are available via this API
- **Outside RBAC**: Classic administrator rights cannot be scoped, given conditions, or made eligible through PIM
- **Portal Management**: Adding/removing classic admins was done through the Azure portal, not through this SDK

### Global Administrator Elevation
- **One-Way**: The elevateAccess API has no inverse operation
- **Revocation**: Elevation is revoked by deleting the User Access Administrator assignment at scope `/`, through the portal's "Access management for Azure resources" switch, Azure CLI, PowerShell, or `client.role_assignments.delete()`
- **Audit**: Elevation events are logged in the Azure Activity Log at tenant level
- **Tenant-Wide**: Cannot scope elevation to specific subscriptions or resources
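
Reversing elevation and keeping it short-lived, as an added example that is not SDK or project code: the elevateAccess API has no inverse, but the assignment it creates is an ordinary Azure RBAC assignment at scope `/`, so it can be found with `list_for_scope` and removed with `delete`. The block wraps elevate, task and revoke in a context manager so the root-scope User Access Administrator assignment is deleted even when the task fails, which is the just-in-time practice from the Security Considerations above. `FakeClient`, its sample GUID and the caller object ID are constructed stand-ins so the flow runs offline; with a real `AuthorizationManagementClient` the caller's object ID comes from the access token's `oid` claim or Microsoft Graph (an assumption of this example, not something the SDK provides).

```python
"""Just-in-time Global Administrator elevation with guaranteed clean-up.

Added example, not azure-mgmt-authorization code. elevate_access() has no
inverse; revocation means deleting the User Access Administrator assignment
it created at root scope ("/"). select_elevated() is pure, and FakeClient is
a constructed stand-in so the whole flow runs offline.
"""
from contextlib import contextmanager
from types import SimpleNamespace
import uuid

USER_ACCESS_ADMINISTRATOR = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"


def role_guid(role_definition_id):
    return (role_definition_id or "").rsplit("/", 1)[-1].lower()


def select_elevated(assignments, principal_id=None):
    """Root-scope User Access Administrator assignments (standing elevated access),
    optionally narrowed to one principal."""
    return [
        a for a in assignments
        if (a.scope or "") == "/"
        and role_guid(a.role_definition_id) == USER_ACCESS_ADMINISTRATOR
        and (principal_id is None or (a.principal_id or "").lower() == principal_id.lower())
    ]


def list_root_assignments(client):
    # atScope() and principalId eq '...' are the supported $filter forms; at "/"
    # atScope() returns only assignments made at the root itself.
    return list(client.role_assignments.list_for_scope(scope="/", filter="atScope()"))


def revoke_elevated(client, principal_id):
    """Delete the principal's root-scope UAA assignments; returns the names removed."""
    targets = select_elevated(list_root_assignments(client), principal_id)
    for a in targets:
        client.role_assignments.delete(scope="/", role_assignment_name=a.name)
    return [a.name for a in targets]


@contextmanager
def elevated(client, my_object_id):
    """Elevate for the duration of the with-block and revoke afterwards, even if
    the body raises. my_object_id is the caller's Entra object ID (assumption:
    taken from the access token's oid claim or looked up in Microsoft Graph)."""
    client.global_administrator.elevate_access()
    try:
        yield
    finally:
        revoke_elevated(client, my_object_id)


class FakeClient:
    """Constructed stand-in for the two SDK operation groups used above."""
    def __init__(self, caller="00000000-0000-0000-0000-00000000aaaa"):
        self.caller = caller
        self.assignments = []
        self.global_administrator = SimpleNamespace(elevate_access=self._elevate)
        self.role_assignments = SimpleNamespace(list_for_scope=self._list, delete=self._delete)

    def _elevate(self):  # what elevateAccess does: UAA for the caller at "/"
        self.assignments.append(SimpleNamespace(
            name=str(uuid.uuid4()), scope="/", principal_id=self.caller,
            role_definition_id=f"/providers/Microsoft.Authorization/roleDefinitions/{USER_ACCESS_ADMINISTRATOR}"))

    def _list(self, scope, filter=None):
        return [a for a in self.assignments if a.scope == scope]

    def _delete(self, scope, role_assignment_name):
        self.assignments = [a for a in self.assignments if a.name != role_assignment_name]


def demo():
    """Returns (elevated assignments during the block, after the block)."""
    client = FakeClient()
    with elevated(client, client.caller):
        during = len(select_elevated(client.assignments, client.caller))
    return during, len(select_elevated(client.assignments, client.caller))


def demo_failure():
    """Revocation still happens when the task raises; returns assignments left."""
    client = FakeClient()
    try:
        with elevated(client, client.caller):
            raise RuntimeError("task failed")
    except RuntimeError:
        pass
    return len(client.assignments)
```

`select_elevated(list_root_assignments(client))` with no principal also serves as a detection: any root-scope User Access Administrator assignment that outlives its change window is standing tenant-wide access and belongs in an alert. Against a real tenant, allow for a short propagation delay after `elevate_access()` before the assignment is listable, and note that reading assignments at `/` itself requires the elevated permission, so revoke last.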