Recipe · Entra ID & Identity
Assign the Global Administrator Role to a User in Entra ID
Grant tenant-wide admin rights by activating the Global Administrator directory role and adding a member
Complexity
Intermediate
Impact
high-privilege + tenant-wide + security-sensitive + audit-logged
Context
Why This Matters
The Global Administrator role is the highest-privilege role in Microsoft Entra ID. It grants full control over every aspect of Entra ID and of any Microsoft 365 service that uses Entra identities, including billing, security, Exchange, SharePoint, Teams, and Intune.
You'll run this recipe when onboarding a new senior IT admin, standing up a break-glass emergency access account, or temporarily elevating a trusted engineer for a tenant-level task. Because the blast radius is enormous, Microsoft recommends keeping the number of permanent Global Admins to fewer than five and using Privileged Identity Management (PIM) for just-in-time elevation wherever possible.
Before assigning, always confirm the user's identity: typos or ambiguous display names can lead to granting tenant-wide control to the wrong account. If a directory search returns no results, verify the exact User Principal Name (UPN) with the requester rather than guessing.
Expected Outcomes
After completing this recipe you will have:
- Verified the target user exists and is the correct identity (by UPN, not just display name).
- Activated the Global Administrator directory role in the tenant (if not already active).
- Added the user as a member of the Global Administrator role.
- Confirmed the assignment by listing role members or inspecting the user's memberOf collection.
- An audit trail entry in the Entra ID audit logs recording who performed the elevation and when.
Risks & Considerations
⚠️ High-risk operation
- Tenant-wide control. A Global Admin can read all data, reset any password, delete any user, and modify tenant configuration. Treat this like handing over the keys to the kingdom.
- Limit count. Microsoft recommends fewer than five permanent Global Admins. Prefer PIM eligible assignments over permanent active assignments.
- MFA required. Ensure the target account has strong, phishing-resistant MFA (FIDO2 or Windows Hello for Business) registered before elevation.
- Conditional Access. Confirm admin accounts are covered by a Conditional Access policy that enforces MFA and blocks legacy auth.
- Break-glass separation. Do not use day-to-day user accounts for Global Admin. Create a dedicated admin-only UPN (e.g. admin-firstname@tenant.onmicrosoft.com).
- Disambiguate users. If a search returns zero or multiple results, stop and confirm the UPN with the requester. Never assume which account is meant.
- Licensing. Global Admin itself is free, but the account still needs appropriate licenses to use services.
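The outcomes list above and the "Limit count" and "Disambiguate users" considerations describe one procedure; the script below carries it out end to end with the Microsoft Graph PowerShell SDK. It is an added example, not the page's or Dex's own code. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that the operator holds Privileged Role Administrator or Global Administrator, and that the target UPN is passed in as a parameter (the sample UPN in the comment is hypothetical). The role template ID is Microsoft's well-known ID for Global Administrator and is the same in every tenant.

```powershell
# Added example (not the page's own code). Assumes the Microsoft Graph PowerShell SDK is installed
# and the operator already holds Privileged Role Administrator or Global Administrator.
param(
    [Parameter(Mandatory)] [string] $TargetUpn,    # e.g. admin-jane@contoso.onmicrosoft.com (hypothetical)
    [int] $MaxPermanentGlobalAdmins = 5            # Microsoft's guidance: fewer than five permanent GAs
)

$ErrorActionPreference = 'Stop'

# Well-known role template ID for Global Administrator (identical in every tenant).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# 1. Sign in requesting only the scopes this recipe needs (matches the Required Permissions table).
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.Read.All','Directory.Read.All'

# 2. Resolve the target by exact UPN, never by display name. Refuse on zero or multiple matches.
$escapedUpn = $TargetUpn.Replace("'", "''")      # apostrophes must be doubled inside an OData filter
$found = @(Get-MgUser -Filter "userPrincipalName eq '$escapedUpn'" `
                      -Property Id,UserPrincipalName,DisplayName,AccountEnabled)
if ($found.Count -ne 1) {
    throw "Expected exactly one user for '$TargetUpn' but found $($found.Count). Confirm the UPN with the requester."
}
$user = $found[0]
if (-not $user.AccountEnabled) {
    throw "Account $($user.UserPrincipalName) is disabled; not elevating."
}

# 3. Activate the Global Administrator directory role if the tenant has never instantiated it.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
if (-not $role) {
    $role = New-MgDirectoryRole -RoleTemplateId $GlobalAdminTemplateId
}

# 4. Guard rails: skip if already a member; stop if the tenant already has too many permanent GAs.
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
if ($members.Id -contains $user.Id) {
    Write-Host "$($user.UserPrincipalName) is already a Global Administrator; nothing to do."
    return
}
if ($members.Count -ge $MaxPermanentGlobalAdmins) {
    throw "Tenant already has $($members.Count) Global Administrators (limit $MaxPermanentGlobalAdmins). " +
          "Use a PIM eligible assignment or retire a stale admin first."
}

# 5. Add the member through the $ref navigation. This is a permanent active assignment.
$body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body

# 6. Confirm from the user's side: memberOf must now contain the directoryRole object.
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All
$assigned = $memberOf | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' -and $_.Id -eq $role.Id
}
if (-not $assigned) {
    throw "Assignment not reflected in memberOf for $($user.UserPrincipalName); investigate before proceeding."
}
Write-Host "Assigned Global Administrator to $($user.UserPrincipalName) ($($user.Id))."
Write-Host "Verify the 'Add member to role' entry in the Entra ID audit log before closing the ticket."
```

Two design points worth noting. The UPN lookup uses an equality filter and insists on exactly one hit, so a partial or mistyped name fails closed instead of elevating whichever account sorts first. And because the `directoryRoles/{id}/members/$ref` call creates a permanent active assignment, the member-count check fires before the write; in a tenant that manages Global Administrator through PIM, the same check is where you would stop and create an eligible assignment through the role management APIs instead.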
Required Permissions
| Permission | Why It's Needed |
|---|---|
| RoleManagement.ReadWrite.Directory | Required to activate directory roles and add members to them via Microsoft Graph. |
| User.Read.All | Required to look up the target user by display name or UPN before assignment. |
| Directory.Read.All | Required to list active directory roles and confirm the Global Administrator role template. |
| Privileged Role Administrator (or Global Administrator) | The admin running the assignment must hold one of these roles; only they can assign Global Administrator. |
The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.
For IT Admins
Paste into Dex CoAdmin