Create an Entra ID User, Assign an E5 License, and Grant Global Administrator Role

New-hire provisioning for privileged accounts is one of the most common — and most sensitive — IT administration workflows. When a new administrator, executive, or power user joins the organization, IT must create their Entra ID identity, provision an Exchange Online mailbox, assign the appropriate Microsoft 365 license (E5 for full security and compliance tooling), and grant the required directory role.

This recipe walks through the end-to-end creation of a fully provisioned Entra ID user with a Microsoft 365 E5 license and the Global Administrator role. Because Global Administrator is the most powerful role in the tenant, this workflow should be reserved for break-glass accounts, founding IT staff, or identity team members — and ideally paired with Privileged Identity Management (PIM) for just-in-time activation.

Run this recipe when: onboarding a new IT administrator, creating a dedicated break-glass account, or provisioning a senior technical user who legitimately requires tenant-wide admin rights and full E5 capabilities (Defender, Purview, Entra ID P2, etc.).

• A new Entra ID user account with displayName, givenName, surname, mailNickname, and userPrincipalName populated
• A secure, randomly generated 16-character initial password with forceChangePasswordNextSignIn enabled
• A Microsoft 365 E5 license assigned (which automatically provisions the Exchange Online mailbox, Teams, SharePoint, OneDrive, Defender, and Purview entitlements)
• Global Administrator directory role membership
• usageLocation set (required for license assignment)
• Verification output confirming account, license, mailbox, and role assignment are all in place

Privileged Role Warnings

• Global Administrator is the highest-privilege role in M365. Microsoft recommends fewer than 5 permanent Global Admins per tenant. Consider assigning a lower-privilege role (User Administrator, Exchange Administrator, etc.) if the user does not need full tenant control.
• Enforce MFA immediately on any newly created Global Admin. A Conditional Access policy requiring MFA for admin roles is strongly recommended before the first sign-in.
• Use PIM for just-in-time activation when possible. Assign the role as eligible rather than active so the user must justify and activate the role for each session.

Licensing Gotchas

• usageLocation must be set on the user before license assignment or the Graph call will fail with a 400 error.
• Confirm prepaid E5 units are available (prepaidUnits.enabled - consumedUnits > 0) before assignment.
• Mailbox provisioning is asynchronous — the mailbox may take 5–15 minutes to become fully usable after license assignment.

Password Handling

• Deliver the initial password out-of-band (e.g., via verified SMS or in person) — never in the same channel as the UPN.
• Always set forceChangePasswordNextSignIn: true so the user sets their own password on first login.