Admin console account in Microsoft Azure

Harith Rizqi 240 Reputation points
2026-02-21T12:41:34.8766667+00:00

I am trying to create a new administrative account to manage our Azure tenant. I need this user to have full access to the Azure Portal and Microsoft Entra admin center.

  • Current Access Level: Project Owner
  • Directory Type: Microsoft Entra ID (Standard/Free/P1/P2)

Navigated to Microsoft Entra ID > Users.

  1. Created a new user account.
  2. I am unsure how to properly assign the "Global Administrator" role without causing security risks like bypassing MFA.

  1. Is it best practice to use a "Cloud-only" account for the Global Admin instead of a synced on-premises account?
  2. How do I ensure this account is a "Break-glass" account in case of MFA failure?

1. Create the User

  1. Sign in to the Azure Portal or Entra Admin Center.
  2. Go to Users > All users > New user > Create new user.
  3. Fill in the User principal name (e.g., ******@yourdomain.onmicrosoft.com).

2. Assign the Admin Role

  1. After creating the user, select their name from the list.
  2. Click Assigned roles in the left sidebar.
  3. Click Add assignments.
  4. Search for Global Administrator and select it.
    • Note: If you only need them to manage specific resources, consider "User Administrator" or "Billing Administrator" to follow the Principle of Least Privilege.

3. Enforce Security

Azure now requires MFA (Multi-Factor Authentication) for all administrative accounts.

  • Ensure the new admin sets up the Microsoft Authenticator app on their first login.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Answer accepted by question author
  1. Q&A Assist
    2026-02-21T12:41:51.23+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To create a new administrative account in Microsoft Entra ID and assign the Global Administrator role while ensuring security, follow these best practices:

    1. Use a Cloud-only Account: It is generally recommended to use a cloud-only account for the Global Administrator role instead of a synced on-premises account. This helps in reducing potential security risks associated with on-premises accounts and ensures that the account is managed entirely within the cloud environment.
    2. Assigning the Global Administrator Role: After creating the user account, you can assign the Global Administrator role by navigating to the user’s profile, selecting "Assigned roles," and then adding the Global Administrator role. However, be mindful of the principle of least privilege; if the user only needs to manage specific resources, consider assigning a less privileged role such as User Administrator or Billing Administrator.
    3. Break-Glass Account: To ensure that the Global Administrator account serves as a break-glass account in case of MFA failure, you should:
      • Create the account with a unique username and password.
      • Ensure that this account is not used for regular administrative tasks to minimize exposure.
      • Keep the account credentials secure and accessible only to trusted personnel.
      • Consider not enforcing MFA on this account, but ensure it is monitored and used only in emergencies.
    4. Enforce MFA: For all administrative accounts, including the Global Administrator, it is crucial to enforce Multi-Factor Authentication (MFA). Make sure the new admin sets up the Microsoft Authenticator app during their first login to enhance security.

    By following these guidelines, you can create a secure administrative account that has the necessary access while minimizing potential security risks.
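
Added example, not part of the original question or answer: an offline audit of the two points the answer raises, that Global Administrator holders should be cloud-only and that a break-glass account should be monitored and used only in emergencies. The field names follow the Microsoft Graph `user` and `signIn` resources; the UPNs, IP addresses, timestamps and the `BREAK_GLASS` set are constructed for illustration.

```python
"""Audit Global Administrator holders and break-glass sign-ins (added example)."""
from datetime import datetime

# Constructed sample data, shaped like a Microsoft Graph export.
GLOBAL_ADMINS = [
    {"userPrincipalName": "admin1@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "jdoe@contoso.com", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "breakglass@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None},
]
SIGN_INS = [
    {"userPrincipalName": "breakglass@contoso.onmicrosoft.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-02-21T02:15:30Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin1@contoso.onmicrosoft.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-20T08:01:12Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "breakglass@contoso.onmicrosoft.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-02-21T02:14:00Z", "status": {"errorCode": 50126}},
]
BREAK_GLASS = {"breakglass@contoso.onmicrosoft.com"}  # hypothetical emergency account


def synced_global_admins(admins):
    """UPNs of Global Admins synced from on-premises AD (the goal is an empty list)."""
    return sorted(a["userPrincipalName"] for a in admins
                  if a.get("onPremisesSyncEnabled") is True)


def break_glass_sign_ins(sign_ins, break_glass=BREAK_GLASS):
    """Every sign-in attempt by an emergency account, oldest first.

    Each hit should raise an alert: a success must map to a declared emergency.
    """
    hits = []
    for s in sign_ins:
        if s["userPrincipalName"].lower() in break_glass:
            when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
            outcome = "success" if s["status"]["errorCode"] == 0 else "failure"
            hits.append((when, s["ipAddress"], outcome))
    return sorted(hits)


def break_glass_without_role(admins, break_glass=BREAK_GLASS):
    """Emergency accounts that do not hold Global Administrator (no use in an outage)."""
    return sorted(break_glass - {a["userPrincipalName"].lower() for a in admins})


if __name__ == "__main__":
    print("Synced Global Admins:", synced_global_admins(GLOBAL_ADMINS))
    for when, ip, outcome in break_glass_sign_ins(SIGN_INS):
        print("Break-glass sign-in:", when.isoformat(), ip, outcome)
```
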

