Consequences of deleting the first global administrator account

Tomass Pētersons 336 Reputation points
2022-07-06T21:39:08.587+00:00

Hi,

We currently have three global administrators in our company; one of them is the very first global administrator account, which I'm using right now. The other two accounts are synced from on-prem Active Directory. It looks something like this:
******@ourorg.onmicrosoft.com
******@ourorg.com
******@ourorg.com

Now we have an awkward situation where admin2 wants to completely remove the very first global administrator account and says I have to use my Active Directory account by giving the global administrator role to it. Neither I nor admin3 wants to delete this account.

Apart from the argument that Microsoft itself recommends leaving at least one cloud-based global administrator account, what other arguments could we give admin2 to at least convince him not to delete the very first global administrator account? Are there any consequences of deleting the first global admin account? Maybe there is a Microsoft blog or docs article about this topic?

Thanks!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Andy David - MVP 152.3K Reputation points MVP
    2022-07-06T21:52:43.85+00:00

    Actually, you should have at least 2 hosted accounts for emergencies:
    https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

    and the global admin should not be an account synced from on-prem, as you alluded to.

    You can remove the first account as a GA, but why? If anything, leave it as one of the break glass accounts and create a new hosted one for yourself that you MFA with.

    Also, which accounts are the billing admins? The same as the first GA?

    You can certainly remove that first one, but I see no reason. I would make it a break glass along with another and create a new GA hosted account for yourself protected with MFA.
    Just my two cents :)
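
The check the answer implies (no synced accounts holding Global Administrator, at least two hosted ones), as an added example that is not part of the original thread or of any Microsoft tooling. It assumes the role's members were exported from Microsoft Graph with `userPrincipalName`, `accountEnabled` and `onPremisesSyncEnabled` selected; the sample data and the function name `audit_global_admins` are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph listing of the members of
# the Global Administrator directory role (assumption: the query selected
# userPrincipalName, accountEnabled and onPremisesSyncEnabled).
SAMPLE_MEMBERS = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.user",
   "userPrincipalName": "admin1@ourorg.onmicrosoft.com",
   "accountEnabled": true, "onPremisesSyncEnabled": null},
  {"@odata.type": "#microsoft.graph.user",
   "userPrincipalName": "admin2@ourorg.com",
   "accountEnabled": true, "onPremisesSyncEnabled": true},
  {"@odata.type": "#microsoft.graph.user",
   "userPrincipalName": "admin3@ourorg.com",
   "accountEnabled": true, "onPremisesSyncEnabled": true},
  {"@odata.type": "#microsoft.graph.servicePrincipal",
   "displayName": "constructed-automation-app"}
]}
""")

MIN_CLOUD_ONLY = 2  # the answer's "at least 2 hosted accounts for emergencies"


def audit_global_admins(listing, min_cloud_only=MIN_CLOUD_ONLY):
    """Split Global Administrator members by origin and report findings."""
    cloud_only, synced, non_user = [], [], []
    for m in listing.get("value", []):
        if m.get("@odata.type", "#microsoft.graph.user") != "#microsoft.graph.user":
            non_user.append(m.get("displayName", "<unknown>"))
        elif m.get("onPremisesSyncEnabled") is True:
            synced.append(m["userPrincipalName"])
        elif m.get("accountEnabled", False):
            # null/absent onPremisesSyncEnabled means a hosted (cloud-only)
            # account; disabled hosted accounts are not counted as usable.
            cloud_only.append(m["userPrincipalName"])
    findings = [f"synced account holds Global Administrator: {u}" for u in synced]
    if len(cloud_only) < min_cloud_only:
        findings.append(
            f"only {len(cloud_only)} enabled cloud-only Global Administrator(s); "
            f"need at least {min_cloud_only}")
    return {"cloud_only": cloud_only, "synced": synced,
            "non_user": non_user, "findings": findings}


if __name__ == "__main__":
    for line in audit_global_admins(SAMPLE_MEMBERS)["findings"]:
        print("FINDING:", line)
```

On the constructed sample, which mirrors the question's setup, removing the first account would leave zero hosted Global Administrators.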

