You may be getting a 403 if the user account is a guest. The recommended approach is to execute an External admin takeover.
Unsure how to find global administrator
I recently discovered we have a bit of a disjointed account/domain setup and am hoping to clean it up. The problem is that for one of the domains I have yet to figure out who might be the global administrator. Is there a way to find out? The one user I've so far found that has an account on that domain gets an error trying to view the user/roles list in Azure. They're also listed as just a user in the AD tenant info.
I'm hoping that once I figure this out, I can consolidate us into a single domain setup. Is that also possible?
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,461 Reputation points
2020-06-29T23:59:10.703+00:00
3 additional answers
-
T. Kujala 8,721 Reputation points
2020-06-27T03:45:38.037+00:00
You can find all Global Administrators by using the Azure portal.
1. Log in to the Azure portal https://portal.azure.com.
2. Select Azure Active Directory on the left side.
3. Select Roles and administrators.
4. Click Global administrator and you will find all Global Administrators.
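The same lookup can be scripted. The following is an added example, not part of the answer above: it uses the Microsoft Graph PowerShell module to list the members of the Global Administrator role, and it assumes you sign in with an account in the tenant being inspected that is allowed to read directory roles. An account without that permission gets an authorization error here too, as with the 403 seen in the portal.

```powershell
# Added example: list Global Administrators with Microsoft Graph PowerShell.
# Assumption: the Microsoft.Graph module is installed and the signed-in account
# may read directory roles in the tenant you connect to.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Well-known role template ID of the built-in Global Administrator role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Delegated, read-only scope for directory role data.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

try {
    # Look the role up by template ID rather than display name, which has changed over time.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'" -ErrorAction Stop
    if (-not $role) {
        Write-Warning 'Global Administrator role object not found in this tenant.'
        return
    }

    # Members come back as generic directory objects; the user fields are in AdditionalProperties.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -ErrorAction Stop |
        ForEach-Object {
            $p = $_.AdditionalProperties
            [pscustomobject]@{
                DisplayName       = $p['displayName']
                UserPrincipalName = $p['userPrincipalName']
                ObjectType        = $p['@odata.type']
                ObjectId          = $_.Id
            }
        } |
        Sort-Object DisplayName |
        Format-Table -AutoSize
}
catch {
    # Insufficient privileges surface here as an authorization failure.
    Write-Warning "Directory role lookup failed: $($_.Exception.Message)"
}
```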
-
AstroJeremy 31 Reputation points
2020-06-29T15:15:31.96+00:00
So far that doesn't work. I'm only aware of 1 person that's even in this domain, but they have no access to the relevant areas that list administrators. When he tries your suggestion he gets a no access (403) error.
My hope is to find out who, if anybody, is there so I can take over admin and ideally merge our disparate domains/Azure accounts into one if that's possible, but I have yet to identify who might have access, if anybody at all.
-
AstroJeremy 31 Reputation points
2020-07-03T19:42:23.343+00:00
External admin takeover looks promising, and looks like it'd bring any resources/users/etc. in? This might help sort at least some of the separate domains we have. The only issue with the one where the user gets a 403 is I'm not sure there are any domains we control on it; it might just be a "name.onmicrosoft.com" domain. If we don't find anybody else on that domain, I assume we can just have that user leave that domain to leave it be and just work on the ones we know we have control over.