List Classic Azure Administrators Using PowerShell and Azure REST API

This Microsoft Azure article will show how to list classic Azure Administrators using PowerShell and Azure REST API.

As an IT consultancy company that helps companies safeguard their Azure tenant, we perform many tenant assessments. As part of our identity and access review, we always check how many users have the Classic Azure Administrator role, if any.

Classic Administrator

The Classic Administrator role in Microsoft Azure is the original Global admin role that was part of the Azure Service Management (ASM) model before the introduction of the Azure Resource Manager (ARM) model and later the Role-Based Access Control (RBAC) security architecture.

The classic roles that were part of ASM and still exist are:

• Account Administrator
• Service Administrator
• Co-Administrators

These roles permit any operation in an Azure tenant across resources, users, billing, and account service management.

The biggest issue with these roles is that many organisations don’t know who can access them or if they are protected. In an ideal Azure tenant, no one should have access to these roles, and all administrators should have and use RBAC-based permissions to manage an Azure tenant.

List Classic Azure Administrators Using PowerShell and Azure REST API

The following Azure PowerShell script uses Azure REST API to scan a tenant and list all users with the Classic Azure Administrator role.

To run the script, Add your Azure subscription ID and run the script.

# Acquire a token for Azure Resource Manager
$context = Get-AzContext
$token = (Get-AzAccessToken).Token


$url="https://management.azure.com/subscriptions/AZURE SUBSCRIPTION ID GOES HERE/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-07-01"

$headers = @{
    Authorization = "Bearer $token"
}

# Send a GET request to retrieve the list of classic administrators
(Invoke-RestMethod -Uri $url -Headers $headers -Method Get).value | Format-List *


# Send a GET request to retrieve the list of classic administrators and print only the emailAddress
(Invoke-RestMethod -Uri $url -Headers $headers -Method Get).value.properties.emailAddress | ForEach-Object { Write-Output $_ }

The script will list all the administrators and a short list of their email addresses. To read more about Azure REST API, visit this post.

Related Articles

• How to Add a Registry Key to Windows 11 Using Microsoft Intune
• About
• Five Ways to Secure Your Microsoft 365 Tenant: Tips to Keep Your Data Safe
• 5 Benefits of Using Microsoft Intune in Your Business
• Maximizing Security: When to Use Wiz Outpost with Azure

To request an Azure Security assessment, please get in touch with us.