Why as a co-administrator of a subscription am I unable to edit the Active Directory?

Question

A customer made me a co-administrator of his Azure subscription. However, I am unable to edit his Active Directory, ie add/edit users, create applications, etc.

Why

Answer 1

I believe the primary reason for this error is because when a co-admin with Microsoft account is added to a subscription, it gets added into the subscription AD as Guest user type. In order for you to get access to that AD so that you can perform the operations on the AD, you user type needs to be changed to Member from Guest. I had exact same issue with one of the users of our product and the steps described below solved the problem.

To change the user type, one would need to use AD PowerShell Cmdlets. The process is rather convoluted and needs to be done by your customer.

1. First, check with your customer if they themselves are using Microsoft Account for signing in into the portal. If they are, then they would need to create a user in their Azure AD. Please see this thread for why this is needed: PowerShell - Connecting to Azure Active Directory using Microsoft Account.
2. Next, they would need to sign in using this user account because one would need to change user password on the 1st login.
3. Install AD Modules. You may find these links useful for that purpose: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule, http://www.microsoft.com/en-us/download/details.aspx?id=41950 (Please choose 64 bit version) and http://go.microsoft.com/fwlink/p/?linkid=236297.
4. Launch PowerShell and execute the following commands:

.

$cred = Get-Credential  #In the window that shows up, please specify the local AD user credentials.

connect-msolservice -Credential $cred

(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should output "Guest". If it doesn’t, please stop and do not proceed further as there might be some other issue.

(Get-MsolUser -SearchString "your microsoft account email address") | Set-MsolUser -UserType Member

(Get-MsolUser -SearchString "your microsoft account email address").UserType #This should now output "Member"

If somehow the problem still persists, ask your customer to login into the portal, delete your user record from AD users list and add it again. That should also take care of this problem.

Answer 2

The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.

Answer 3

Both answers above seem to be correct in it's own way.

As a starter subscription administrator does not automatically make you an Azure AD administrator. You'd need explicit role grant on the target Azure AD.

Second aspect is the type of the account used. If it's in current Azure AD or Microsoft Live account all is well. In case that account is part of an external Azure AD, by default user type is "Guest"(can login, but cannot control event if assigned "Global admin"). Therefore PowerShell commands highlighted above should be executed to change user type to "Member".

Some more helpful info can be found here (it is mentioned as a Visual Studio Team Services issue, but actually applies to most Azure related services).