AZ-600 Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub

Change user subscription owner

Tutorial / Cram Notes

When managing a hybrid cloud environment with Microsoft Azure Stack Hub, it is important to understand how to change the ownership of a user subscription. The subscription owner has full control over the resources within that subscription and is responsible for managing access, setting policies, and overseeing billing. There might be scenarios when transferring the subscription ownership becomes necessary, such as when an employee leaves the organization or changes roles.

Steps to Change the Subscription Owner in Azure Stack Hub

Identify the Subscription ID: Before changing the subscription owner, you need to locate the Subscription ID of the subscription you wish to change. This can be found in the Azure Stack Hub user portal under ‘Subscriptions’.
Current Owner Access: Ensure the current owner or another user with sufficient privileges (such as a global administrator or subscription administrator) is performing the change.

Select New Owner: Determine who the new owner of the subscription will be. The new owner must have an account within the same directory.
Use PowerShell to Change Owner: Azure Stack Hub does not currently provide a direct user interface option to change the owner of a subscription. Instead, you will have to use Azure PowerShell to update the subscription owner.

Here is an example PowerShell script that demonstrates how to change the owner of a subscription in Azure Stack Hub:

# Required Modules
Import-Module -Name AzureRM
Import-Module -Name AzureStack

# Azure Stack Hub Environment
Add-AzureRMEnvironment -Name “AzureStackUser” -ArmEndpoint “https://management.local.azurestack.external”

# Sign in to your environment
$TenantID = “<TENANT-ID>” # Your Azure Stack Hub Tenant ID
$ArmEndpoint = “https://management.local.azurestack.external”
Login-AzureRmAccount -EnvironmentName “AzureStackUser” -TenantId $TenantID

# Subscription Information
$SubscriptionID = “<SUBSCRIPTION-ID>” # The ID of the subscription you want to change
$NewOwnerObjectID = “<NEW-OWNER-OBJECT-ID>” # Object ID of the new owner

# Change Owner of the Subscription
Set-AzureRmSubscription -SubscriptionId $SubscriptionID -OwnerId $NewOwnerObjectID

It’s important to note the following when running the script:

Replace <TENANT-ID>, <SUBSCRIPTION-ID>, and <NEW-OWNER-OBJECT-ID> with actual IDs from your Azure Stack Hub environment.
Set-AzureRmSubscription might require Owner or User Access Administrator permissions on the subscription to change ownership.
The Object ID for the new owner can be retrieved from Azure Active Directory in the Azure Stack Hub portal.

After the PowerShell command is successfully executed, the new owner will have control over the subscription. They can then manage resources, assign roles, and set policies as necessary.

Additionally, you should be aware that changing the subscription owner does not alter the permissions of other users who have access to the subscription. The new owner should review and adjust any permissions as necessary to ensure that they conform to the organization’s policies and the principle of least privilege.

Finally, it’s good practice to verify that the subscription transfer has been successful and that the new owner can indeed access and manage the subscription appropriately. Ensure that they can log in, view resources, and perform expected tasks without issues. This ensures a smooth transition of responsibilities and minimizes disruptions to operations.

Practice Test with Explanation

True or False: In Azure Stack Hub, only the service administrator has the ability to change the subscription owner.

A) True
B) False

Answer: B) False

Explanation: Along with the service administrator, owners of an Azure Stack Hub subscription also have the ability to change the ownership of a subscription to another user.

What is the first step to change the subscription owner in Azure Stack Hub?

A) Modify the Service Administrator
B) Update the AAD tenant policy

C) Invite the new owner as a guest user
D) Transfer billing ownership

Answer: C) Invite the new owner as a guest user

Explanation: The new owner must first be part of the Azure Active Directory tenant as a user before they can be assigned as the subscription owner.

True or False: Changing the subscription owner will automatically transfer all resources and associated permissions to the new owner.

A) True
B) False

Answer: B) False

Explanation: Changing the subscription owner will transfer the billing ownership and control over the subscription, but it does not automatically transfer the resources. The permissions for resources are governed by Role-Based Access Control (RBAC).

What role must a user have to change the subscription owner in Azure Stack Hub?

A) User Access Administrator

B) Subscription Contributor
C) Subscription Owner
D) Global Administrator

Answer: A) User Access Administrator

Explanation: A User Access Administrator has the permissions required to manage access to Azure resources, including changing the owner of a subscription.

True or False: To change the subscription owner, the current owner needs to remove their ownership first.

A) True

B) False

Answer: B) False

Explanation: The current owner does not need to remove their ownership. They can directly assign a new owner through the Azure portal or PowerShell.

Which Azure PowerShell cmdlet can be used to change the subscription owner?

A) Set-AzSubscription
B) New-AzRoleAssignment
C) Remove-AzRoleAssignment

D) Update-AzSubscription

Answer: B) New-AzRoleAssignment

Explanation: The New-AzRoleAssignment PowerShell cmdlet is used to change the subscription owner by assigning the Owner role to the new user at the subscription scope.

Multiple Select: Which of the following are required information when changing a subscription owner?

A) Subscription ID
B) New owner’s email address
C) New owner’s full name

D) New owner’s Azure Active Directory object ID

Answer: A) Subscription ID, B) New owner’s email address, and D) New owner’s Azure Active Directory object ID.

Explanation: To change a subscription owner, you need the subscription ID and the new owner’s identifying information, which could be their email address or Azure AD object ID.

True or False: Changing the subscription owner in Azure Stack Hub is reversible, allowing the previous owner to regain control.

A) True
B) False

Answer: A) True

Explanation: Changing the subscription owner is a reversible action. The new owner or another user with adequate permissions can reassign the ownership back to the previous owner or another user.

Who is notified when a subscription owner is changed in Azure Stack Hub?

A) Both the new owner and the previous owner
B) Only the new owner

C) Only the previous owner
D) Neither, there are no notifications sent

Answer: A) Both the new owner and the previous owner

Explanation: Both the new owner and the previous owner are notified when the subscription owner changes to ensure that parties are aware of the change in administrative control.

What is the result of changing the subscription owner in Azure Stack Hub?

A) The subscription is deleted and recreated.
B) The subscription billing is affected immediately.

C) The subscription’s resources are transferred to the new owner’s directory.
D) The new owner gets full control over the subscription.

Answer: D) The new owner gets full control over the subscription.

Explanation: When the subscription owner is changed, the new owner gains full control over the subscription, including its billing and management of its resources. However, the change does not delete the subscription, affect billing immediately, or transfer resources to a new directory.