Add and manage admin accounts

In Microsoft Entra ID for customers, a customer tenant represents your directory of consumer and guest accounts. With an administrator role, work and guest accounts can manage the tenant.

Prerequisites

  • If you haven't already created your own Microsoft Entra customer tenant, create one now.
  • Understand user accounts in Microsoft Entra ID for customers.
  • Understand user roles to control resource access.

Add an admin account

To create a new admin account, follow these steps:

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Create new user.

  5. Enter information for this admin:

    • User name. Required. The user name of the new user. For example, mary@contoso.com.
    • Name. Required. The first and last name of the new user. For example, Mary Parker.
    • First name. The first name of the new user. For example, Mary.
    • Last name. The last name of the new user. For example, Parker.
    • Groups. Optional. You can add the user to one or more existing groups. You can also add the user to groups at a later time.
    • Roles: To add administrative permissions for the user, add them to a Microsoft Entra role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Microsoft Entra ID.
    • Settings: Use the yes or no toggle to set Block sign in, and then select the admin's primary location in the Usage location list.
    • Job info: You can add more information about the user here, or do it later.
  6. Copy the autogenerated password provided in the Password box. You'll need to give this password to the admin to sign in for the first time.

  7. Select Create.

The admin is created and added to your customer tenant. It's preferable to have at least one admin account native to your customer tenant assigned the Global Administrator role. This account can be considered a break-glass account or emergency access account.

Invite an admin (guest account)

You can also invite a new guest user to manage your tenant. To invite an admin, follow these steps:

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Invite external user.

  5. On the New user page, enter information for the admin:

    • Name. Required. The first and last name of the new user. For example, Mary Parker.
    • Email address. Required. The email address of the user you would like to invite.
    • Personal message: You can add a personal message that will be included in the invite email.
    • Groups. Optional. You can add the user to one or more existing groups. You can also add the user to groups at a later time.
    • Roles: To add administrative permissions for the user, add them to a Microsoft Entra role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Microsoft Entra ID.
    • Settings: Use the yes or no toggle to set Block sign in, and then select the admin's primary location in the Usage location list.
    • Job info: You can add more information about the user here, or do it later.
  6. Select Invite.

An invitation email is sent to the user. The user needs to accept the invitation to be able to sign in.

Add a role assignment

You can assign a role when you create a user or invite a guest user. You can add a role, change the role, or remove a role for a user:

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select Add assignments, select the role to assign (for example, Application administrator), and then choose Add.

Remove a role assignment

If you need to remove a role assignment from a user, follow these steps:

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select the role you want to remove, for example Application administrator, and then select Remove assignment.

Review administrator account role assignments

As part of an auditing process, you typically review which users are assigned to specific roles in your customer directory. Use the following steps to audit which users are currently assigned privileged roles.

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Roles & admins > Roles & admins.
  4. Select a role, such as Global administrator. The Assignments page lists the users with that role.
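
The same review can be scripted over an export of role assignments. The following is an added example, not Microsoft's code: it lists holders per privileged role, flags guest and non-user holders, and checks the earlier recommendation that at least one native account holds Global Administrator. It assumes records shaped like the Microsoft Graph `roleAssignments` list with `principal` expanded; the `row` helper, the `audit` function, and the sample data are constructed for illustration.

```python
GA_ID = "62e90394-69f5-4237-9190-012177145e10"
# Built-in role template IDs; these are the same in every Microsoft Entra tenant.
PRIVILEGED_ROLES = {
    GA_ID: "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}

def row(role_id, kind, **principal):
    """Build one constructed record in the assumed export shape."""
    return {"roleDefinitionId": role_id, "principalId": "constructed-id",
            "principal": {"@odata.type": "#microsoft.graph." + kind, **principal}}

# Constructed sample data (not from a real tenant).
SAMPLE = [
    row("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "user",
        userPrincipalName="mary@contoso.com", userType="Member", accountEnabled=True),
    row(GA_ID, "user", userType="Guest", accountEnabled=True,
        userPrincipalName="partner_fabrikam.com#EXT#@contoso.onmicrosoft.com"),
    row("fe930be7-5e62-47db-91af-98c3a49a38b1", "group", displayName="Helpdesk admins"),
    row("00000000-0000-0000-0000-000000000000", "user",  # placeholder ID, not reviewed
        userPrincipalName="reader@contoso.com", userType="Member", accountEnabled=True),
]

def audit(assignments):
    """Return (holders by role, findings) for the privileged roles above."""
    holders, findings, native_ga = {}, [], False
    for a in assignments:
        role = PRIVILEGED_ROLES.get(a.get("roleDefinitionId"))
        if role is None:
            continue  # role is not in the review set
        p = a.get("principal") or {}
        kind = p.get("@odata.type", "").rsplit(".", 1)[-1] or "unknown"
        name = p.get("userPrincipalName") or p.get("displayName") or a.get("principalId")
        holders.setdefault(role, []).append(name)
        if kind != "user":
            findings.append(f"{role}: {name} is a {kind}; list its members or owners")
        elif p.get("userType") == "Guest":
            findings.append(f"{role}: {name} is a guest; confirm access is still needed")
        elif role == "Global Administrator" and p.get("userType") == "Member" \
                and p.get("accountEnabled"):
            native_ga = True  # enabled, native Global Administrator exists
    if not native_ga:
        findings.append("No enabled native account holds Global Administrator")
    return holders, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

On the constructed sample, the guest Global Administrator and the group assignment are each reported, along with the missing native Global Administrator.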

Delete an administrator account

To delete an existing user, you must have a Global administrator role assignment. Global admins can delete any user, including other admins. User administrators can delete any non-admin user.

  1. Sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your customer tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to delete.
  5. Select Delete, and then Yes to confirm the deletion.

The user is deleted and no longer appears on the All users page. The user can be seen on the Deleted users page for the next 30 days and can be restored during that time. For more information about restoring a user, see Restore or remove a recently deleted user using Microsoft Entra ID.

Protect administrative accounts

It's recommended that you protect all administrator accounts with multifactor authentication (MFA) for more security. MFA is an identity verification process during sign in that prompts the user for a one-time passcode.