Add and manage admin accounts

Applies to: External tenants. Does not apply to workforce tenants.

In Microsoft Entra External ID, an external tenant represents your directory of consumer and guest accounts. With an administrator role, work and guest accounts can manage the tenant.

Prerequisites

  • If you haven't already created your own Microsoft Entra external tenant, create one now.
  • Understand user accounts in Microsoft Entra External ID.
  • Understand user roles to control resource access.

Add an admin account

Use the following steps to create a new user account and to grant admin permissions to the account by adding a Microsoft Entra role. (Only required steps are described here. For a complete description of all properties, see the Microsoft Entra ID article How to create users.)

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Create new user.

  5. On the Basics tab, under Identity, enter information for this admin:

    • User principal name: Enter a unique username and select a domain from the menu after the @ symbol.
    • Display name: Enter the user's name, such as Chris Green or Chris A. Green.
    • Password: Copy the autogenerated password, or uncheck the Auto-generate password option and enter a different password. You need to give this password to the admin to sign in for the first time.
  6. Select the Assignments tab, and use the following steps to assign a role to the user. (Adding a group is optional.)

    • Select + Add role.
    • From the menu that appears, choose up to 20 roles from the list. You can assign the user to one or more of the administrator roles in Microsoft Entra ID.
    • Select the Select button.
  7. Select the Review + create button.

The admin is created and added to your external tenant.

Invite an admin (guest account)

You can also invite a new guest user to manage your tenant. To invite a new guest user with admin permissions, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Invite external user (Preview).

  5. On the Basics tab, enter information for the user:

    • Email. Required. The email address of the user you would like to invite.
    • Display name. The first and last name of the new user. For example, Mary Parker.
    • Under Invitation message:
      • Select the Send invite message checkbox if you want to send the invitation email to the user. Otherwise, clear the checkbox.
      • In Message, add a personal message to include in the invite email.
      • To send a copy of the invitation email to someone, add their email address in the Cc recipient text box.
      • The Invite redirect URL defaults to MyApplications, which is where the user is redirected when they redeem the invitation. You can change it to a different URL.
  6. Select the Assignments tab, and use the following steps to assign a role to the user. (Adding a group is optional.)

    • Select + Add role.
    • From the menu that appears, choose up to 20 roles from the list. You can assign the user to one or more of the administrator roles in Microsoft Entra ID.
    • Select the Select button.
  7. Select the Review + invite button.

An invitation email is sent to the user. The user needs to accept the invitation to be able to sign in.

Change or add a role assignment

You can assign a role when you create a user or invite a guest user. You can add a role, change the role, or remove a role for a user:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select Add assignments, select the role to assign (for example, Application Administrator), and then choose Add.

Remove a role assignment

If you need to remove a role assignment from a user, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select the role you want to remove, for example Application Administrator, and then select Remove assignment.

Review administrator account role assignments

As part of an auditing process, you typically review which users are assigned to specific roles in your customer directory. Use the following steps to audit which users are currently assigned privileged roles.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Roles & admins > Roles & admins.
  4. Select a role, such as User Administrator. The Assignments page lists the users with that role.

Delete an administrator account

To delete an existing user, you must have at least the User Administrator role assignment. Privileged Authentication Administrators can delete any user, including other admins. User Administrators can delete any non-admin user.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Authentication Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to delete.
  5. Select Delete, and then Yes to confirm the deletion.

The user is deleted and no longer appears on the All users page. The user can be seen on the Deleted users page for the next 30 days and can be restored during that time. For more information about restoring a user, see Restore or remove a recently deleted user using Microsoft Entra ID.

Protect administrative accounts

We recommend that you protect all administrator accounts with multifactor authentication (MFA) for more security. MFA is an identity verification process during sign-in that prompts the user for a one-time passcode.

Microsoft recommends that organizations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and aren't assigned to specific individuals. The accounts are limited to emergency or "break glass" scenarios where normal accounts can't be used or all other administrators are accidentally locked out. These accounts should be created following the emergency access account recommendations.
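The role review described under "Review administrator account role assignments" and the two-account emergency access recommendation above can also be checked offline against an export of role assignments. The following is an added example, not Microsoft's code: the flattened record format, its field names (`role`, `upn`, `userType`, `synced`), and the sample accounts are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one record per role assignment. Field names are
# assumptions for this example (a flattened export), not a Microsoft format.
ASSIGNMENTS = [
    {"role": "Global Administrator", "upn": "bg1@contoso.onmicrosoft.com",
     "userType": "Member", "synced": False},
    {"role": "Global Administrator", "upn": "bg2@contoso.onmicrosoft.com",
     "userType": "Member", "synced": False},
    {"role": "User Administrator", "upn": "chris@contoso.onmicrosoft.com",
     "userType": "Member", "synced": False},
    {"role": "Application Administrator", "upn": "chris@contoso.onmicrosoft.com",
     "userType": "Member", "synced": False},
    {"role": "Application Administrator",
     "upn": "mary_fabrikam.com#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "synced": False},
]


def audit(assignments):
    """Summarize who holds which admin role and surface items to review."""
    by_role = defaultdict(set)        # role name -> accounts holding it
    roles_by_user = defaultdict(set)  # account -> roles it holds
    guests = set()                    # invited (guest) accounts with any role
    cloud_only_ga = set()             # member, non-synced Global Administrators
    for a in assignments:
        by_role[a["role"]].add(a["upn"])
        roles_by_user[a["upn"]].add(a["role"])
        if a["userType"] == "Guest":
            guests.add(a["upn"])
        elif a["role"] == "Global Administrator" and not a["synced"]:
            cloud_only_ga.add(a["upn"])
    return {
        # Same view as selecting each role on the Roles & admins page.
        "by_role": {r: sorted(u) for r, u in sorted(by_role.items())},
        # Guest admins are listed with every role they hold.
        "guest_admins": {g: sorted(roles_by_user[g]) for g in sorted(guests)},
        "cloud_only_global_admins": sorted(cloud_only_ga),
        # The page recommends two cloud-only Global Administrator accounts.
        "meets_two_cloud_only_ga": len(cloud_only_ga) >= 2,
    }


if __name__ == "__main__":
    for key, value in audit(ASSIGNMENTS).items():
        print(key, "=>", value)
```

The check only counts cloud-only Global Administrator holders; whether those accounts are actually reserved for emergency use still has to be confirmed by a person.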