
tessl/pypi-azure-mgmt-authorization

Microsoft Azure Authorization Management Client Library for Python providing RBAC, PIM, and access control capabilities


docs/legacy-admin.md

Legacy Administration

Operations for classic subscription administrators (the legacy Service Administrator and Co-Administrator roles) and for Global Administrator elevation. They cover legacy Azure administration patterns and tenant-wide elevated access.

Capabilities

Classic Administrators Management

Manage classic Azure subscription administrators (legacy Service Administrators and Co-Administrators).

def list() -> Iterator[ClassicAdministrator]:
    """
    List classic administrators for the subscription.
    
    Returns:
    Iterator of ClassicAdministrator objects representing legacy administrators
    """

Global Administrator Operations

Manage global administrator elevated access for Azure subscriptions at the tenant level.

def elevate_access() -> None:
    """
    Elevate access for the Global Administrator to manage all Azure subscriptions
    and management groups in the tenant. This operation grants the Global Administrator
    User Access Administrator role at the root scope.
    
    Note: This is a privileged operation that should be used carefully and only
    when necessary for tenant-wide administration.
    """

Usage Examples

Listing Classic Administrators

from azure.mgmt.authorization import AuthorizationManagementClient
from azure.identity import DefaultAzureCredential

# Initialize client
credential = DefaultAzureCredential()
client = AuthorizationManagementClient(
    credential=credential,
    subscription_id="your-subscription-id"
)

# List classic administrators
classic_admins = client.classic_administrators.list()

print("Classic Administrators:")
for admin in classic_admins:
    print(f"Email: {admin.email_address}")
    print(f"Role: {admin.role}")
    print(f"Type: {admin.type}")
    print("---")

Elevating Global Administrator Access

# This operation requires Global Administrator privileges in Azure AD
try:
    # Elevate access for Global Administrator
    client.global_administrator.elevate_access()
    print("Global Administrator access elevated successfully")
    print("User Access Administrator role granted at root scope")
    
except Exception as e:
    print(f"Failed to elevate access: {e}")
    # Common reasons for failure:
    # - Not a Global Administrator
    # - Already have elevated access
    # - Tenant policies prevent elevation

Checking Current Administrator Status

# Note: this combines classic administrator and modern RBAC role checking

# Check classic administrators
classic_admins = list(client.classic_administrators.list())
print(f"Classic administrators count: {len(classic_admins)}")

# Check modern RBAC administrators at subscription level. The documented
# $filter values for this operation are atScope() and principalId eq '...',
# so the Owner role definition is matched client-side.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role
rbac_admins = [
    assignment
    for assignment in client.role_assignments.list_for_subscription(filter="atScope()")
    if (assignment.role_definition_id or "").lower().endswith(OWNER_ROLE_ID)
]

print("Modern RBAC Owners:")
for assignment in rbac_admins:
    print(f"Principal: {assignment.principal_id}")
    print(f"Scope: {assignment.scope}")

Types

Classic Administrator Types

class ClassicAdministrator:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    email_address: Optional[str]
    role: Optional[str]  # "ServiceAdministrator" or "CoAdministrator"

class ClassicAdministratorProperties:
    email_address: Optional[str]
    role: Optional[str]

Constants

Classic Administrator Roles

class ClassicAdministratorRole:
    SERVICE_ADMINISTRATOR = "ServiceAdministrator"
    CO_ADMINISTRATOR = "CoAdministrator"

class ClassicAdministratorType:
    CLASSIC_SUBSCRIPTION_ADMINISTRATOR = "Microsoft.Authorization/classicAdministrators"

API Version Support

Classic Administrators

  • API Version: 2015-07-01, 2015-06-01
  • Status: Legacy (maintained for backward compatibility)
  • Scope: Subscription level only

Global Administrator

  • API Version: 2015-07-01
  • Status: Active (required for tenant-wide management)
  • Scope: Tenant root level

Migration Considerations

From Classic to Modern RBAC

Classic administrators are legacy and should be migrated to modern RBAC roles:

  1. Service Administrator: Owner role at subscription scope
  2. Co-Administrator: Owner or Contributor role at subscription scope

# Example migration: Convert classic admin to modern RBAC
import uuid

from azure.mgmt.authorization.models import RoleAssignmentCreateParameters

subscription_id = "your-subscription-id"
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor role


def resolve_object_id(email_address: str) -> str:
    """Look up the directory object ID (a GUID) for a user's sign-in address.

    Role assignments take the principal's object ID, not its e-mail address.
    This is a placeholder hook, typically backed by a Microsoft Graph user lookup.
    """
    raise NotImplementedError("replace with your directory lookup")


# List classic administrators to migrate
classic_admins = list(client.classic_administrators.list())

for admin in classic_admins:
    if admin.role == "CoAdministrator":
        # Create equivalent RBAC assignment
        assignment_params = RoleAssignmentCreateParameters(
            role_definition_id=(
                f"/subscriptions/{subscription_id}/providers/"
                f"Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR_ROLE_ID}"
            ),
            principal_id=resolve_object_id(admin.email_address),
            principal_type="User",
        )

        # The assignment name must be a fresh GUID; it becomes part of the assignment's resource ID
        client.role_assignments.create(
            scope=f"/subscriptions/{subscription_id}",
            role_assignment_name=str(uuid.uuid4()),
            parameters=assignment_params,
        )

        print(f"Migrated {admin.email_address} from Co-Administrator to Contributor")

Security Considerations

Global Administrator Elevation

The elevate_access() operation is highly privileged and should be used with caution:

Security Best Practices:

  1. Just-in-Time: Only elevate when necessary, remove elevation promptly
  2. Audit: Log all elevation events for security monitoring
  3. Justification: Document business justification for elevation
  4. Time-Boxing: Set calendar reminders to remove elevated access
  5. Principle of Least Privilege: Use more targeted roles when possible

Elevated Access Scope:

  • Grants User Access Administrator role at root scope (/)
  • Provides access to ALL subscriptions and management groups in tenant
  • Bypasses normal RBAC restrictions
  • Should be removed after administrative tasks are complete

Classic Administrator Security

Classic administrators have broad permissions:

  • Service Administrator has full subscription access
  • Co-Administrators have most subscription permissions (except ability to change Service Administrator)
  • These roles cannot be restricted with conditional access policies
  • Migration to modern RBAC provides better security controls

Error Handling

Common exceptions with legacy administration operations:

from azure.core.exceptions import HttpResponseError

# azure.core raises HttpResponseError for 4xx/5xx responses; inspect
# status_code to tell the cases apart (there is no ForbiddenError class).
try:
    client.global_administrator.elevate_access()
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - requires Global Administrator role")
    elif e.status_code == 400:
        print("Bad request - may already have elevated access")
    else:
        raise

try:
    classic_admins = list(client.classic_administrators.list())
except HttpResponseError as e:
    if e.status_code == 403:
        print("Insufficient permissions to list classic administrators")
    else:
        raise

Limitations

Classic Administrators

  • Legacy: Microsoft recommends migrating to modern RBAC
  • Limited API: Only listing operations available via API
  • No Conditional Access: Cannot apply conditional access policies
  • Portal Management: Adding/removing classic admins typically done via Azure portal

Global Administrator Elevation

  • One-Way: API only provides elevation, not revocation
  • Manual Revocation: Must remove elevated access manually via Azure portal or PowerShell
  • Audit: Elevation events are logged in Azure Activity Log
  • Tenant-Wide: Cannot scope elevation to specific subscriptions or resources
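Because this client offers no revocation call and elevated access has to be removed by hand, a practical defender's check is to enumerate what elevate_access() leaves behind: User Access Administrator assignments at root scope (/), and to flag any that have outlived an agreed time box, which is the Just-in-Time, Audit and Time-Boxing guidance from the Security Considerations section above applied to the revocation gap listed here. The following is an added example, not code from the azure-mgmt-authorization package or from this documentation. It assumes the RoleAssignment model exposes `id`, `scope`, `role_definition_id`, `principal_id` and `created_on` (present in the 2022-04-01 API version), and that `list_for_scope(scope="/", filter="atScope()")` is called by a principal with read access at root. The sample assignments are constructed inline so the pure-logic functions run offline; `fetch_root_assignments` is the only live call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace
from typing import Iterable, List, Optional

# Fixed GUID of the built-in User Access Administrator role, the role elevate_access() grants at "/".
USER_ACCESS_ADMINISTRATOR_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ROOT_SCOPE = "/"


@dataclass
class Elevation:
    assignment_id: str
    principal_id: str
    created_on: Optional[datetime]


def is_root_elevation(assignment) -> bool:
    """True when an assignment is User Access Administrator exactly at root scope."""
    scope = getattr(assignment, "scope", None) or ""
    role_definition_id = (getattr(assignment, "role_definition_id", None) or "").lower()
    return scope == ROOT_SCOPE and role_definition_id.endswith(USER_ACCESS_ADMINISTRATOR_ID)


def find_root_elevations(assignments: Iterable) -> List[Elevation]:
    """Pick the elevate_access() leftovers out of any iterable of RoleAssignment-like objects."""
    return [
        Elevation(a.id, a.principal_id, getattr(a, "created_on", None))
        for a in assignments
        if is_root_elevation(a)
    ]


def overdue_elevations(elevations: Iterable[Elevation], now: datetime,
                       max_age: timedelta = timedelta(hours=8)) -> List[Elevation]:
    """Elevations older than the agreed time box. An unknown creation time is
    reported as overdue too, so a missing timestamp never hides a stale elevation."""
    return [e for e in elevations if e.created_on is None or now - e.created_on > max_age]


def fetch_root_assignments(client) -> list:
    """Live variant (assumption: an AuthorizationManagementClient with read access at "/")."""
    return list(client.role_assignments.list_for_scope(scope=ROOT_SCOPE, filter="atScope()"))


# Constructed sample data standing in for RoleAssignment objects (not real tenant data).
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSIGNMENTS = [
    SimpleNamespace(  # elevation from two days ago: overdue
        id="/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
        scope="/",
        role_definition_id="/providers/Microsoft.Authorization/roleDefinitions/" + USER_ACCESS_ADMINISTRATOR_ID,
        principal_id="11111111-1111-1111-1111-111111111111",
        created_on=SAMPLE_NOW - timedelta(days=2),
    ),
    SimpleNamespace(  # elevation from one hour ago: still inside the time box (GUID case varies in practice)
        id="/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002",
        scope="/",
        role_definition_id="/providers/Microsoft.Authorization/roleDefinitions/" + USER_ACCESS_ADMINISTRATOR_ID.upper(),
        principal_id="22222222-2222-2222-2222-222222222222",
        created_on=SAMPLE_NOW - timedelta(hours=1),
    ),
    SimpleNamespace(  # Owner at a subscription: not a root elevation
        id="/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000003",
        scope="/subscriptions/00000000-0000-0000-0000-000000000000",
        role_definition_id="/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        principal_id="33333333-3333-3333-3333-333333333333",
        created_on=SAMPLE_NOW - timedelta(days=30),
    ),
]


def report(assignments: Iterable, now: datetime, max_age: timedelta = timedelta(hours=8)) -> List[str]:
    """One line per root elevation, marked OVERDUE when it has outlived the time box."""
    elevations = find_root_elevations(assignments)
    overdue_ids = {e.assignment_id for e in overdue_elevations(elevations, now, max_age)}
    return [
        f"{'OVERDUE' if e.assignment_id in overdue_ids else 'ok'}: "
        f"principal {e.principal_id} elevated at {e.created_on}"
        for e in elevations
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_ASSIGNMENTS, SAMPLE_NOW):
        print(line)
```

Run against a live tenant by passing `fetch_root_assignments(client)` and `datetime.now(timezone.utc)` to `report()`; the OVERDUE lines are the assignments to remove through the portal or PowerShell, and the same output can be written to the log that the Audit practice above calls for.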

Install with Tessl CLI

npx tessl i tessl/pypi-azure-mgmt-authorization
