แก้ไข

แชร์ผ่าน


Add and manage admin accounts

Applies to: White circle with a gray X symbol. Workforce tenants Green circle with a white check mark symbol. External tenants (learn more)

In Microsoft Entra External ID, an external tenant represents your directory of consumer and guest accounts. With an administrator role, work and guest accounts can manage the tenant.

Prerequisites

  • If you haven't already created your own Microsoft Entra external tenant, create one now.
  • Understand user accounts in Microsoft Entra External ID.
  • Understand user roles to control resource access.

Add an admin account

To create a new admin account, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Create new user.

  5. On the New user page, under Select template, select Create user.

  6. Under Identity, enter information for this admin:

    • User name. Required. The user name of the new user. For example, mary@contoso.com.
    • Name. Required. The first and last name of the new user. For example, Mary Parker.
    • First name. The first name of the new user. For example, Mary.
    • Last name. The last name of the new user. For example, Parker.
    • Groups. Optional. You can add the user to one or more existing groups. You can also add the user to groups at a later time.
    • Roles: To add administrative permissions for the user, add them to a Microsoft Entra role. You can assign the user to one or more of the administrator roles in Microsoft Entra ID.
    • Settings: Use the yes or no toggle to set Block sign in, and the select the admin's primary location in the Usage location list.
    • Job info: You can add more information about the user here, or do it later.
  7. Copy the autogenerated password provided in the Password box. You'll need to give this password to the admin to sign in for the first time.

  8. Select Create.

The admin is created and added to your external tenant.

Invite an admin (guest account)

You can also invite a new guest user to manage your tenant. To invite an admin, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.

  3. Browse to Identity > Users > All users.

  4. Select New user > Invite external user.

  5. On the New user page, under Select template, select Invite user.

  6. Under Identity, enter information for the admin:

    • Name. Required. The first and last name of the new user. For example, Mary Parker.
    • Email address. Required. The email address of the user you would like to invite.
    • First name. The first name of the new user. For example, Mary.
    • Last name. The last name of the new user. For example, Parker.
    • Personal message: You add a personal message that will be included in the invite email.
    • Groups. Optional. You can add the user to one or more existing groups. You can also add the user to groups at a later time.
    • Roles: To add administrative permissions for the user, add them to a Microsoft Entra role. You can assign the user to one or more of the administrator roles in Microsoft Entra ID.
    • Settings: Use the yes or no toggle to set Block sign in, and the select the admin's primary location in the Usage location list.
    • Job info: You can add more information about the user here, or do it later.
  7. Select Invite.

An invitation email is sent to the user. The user needs to accept the invitation to be able to sign in.

Add a role assignment

You can assign a role when you create a user or invite a guest user. You can add a role, change the role, or remove a role for a user:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select Add assignments, select the role to assign (for example, Application Administrator), and then choose Add.

Remove a role assignment

If you need to remove a role assignment from a user, follow these steps:

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to change the roles for. Then select Assigned roles.
  5. Select the role you want to remove, for example Application Administrator, and then select Remove assignment.

Review administrator account role assignments

As part of an auditing process, you typically review which users are assigned to specific roles in your customer directory. Use the following steps to audit which users are currently assigned privileged roles.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Roles & admins > Roles & admins.
  4. Select a role, such as User Administrator. The Assignments page lists the users with that role.

Delete an administrator account

To delete an existing user, you must have at least the User Administrator role assignment. Privileged Authentication Administrators can delete any user, including other admins. User Administrators can delete any non-admin user.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Authentication Administrators.
  2. If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
  3. Browse to Identity > Users > All users.
  4. Select the user you want to delete.
  5. Select Delete, and then Yes to confirm the deletion.

The user is deleted and no longer appears on the All users page. The user can be seen on the Deleted users page for the next 30 days and can be restored during that time. For more information about restoring a user, see Restore or remove a recently deleted user using Microsoft Entra ID.

Protect administrative accounts

It's recommended that you protect all administrator accounts with multifactor authentication (MFA) for more security. MFA is an identity verification process during sign in that prompts the user for a one-time passcode.

Microsoft recommends that organizations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and aren't assigned to specific individuals. The accounts are limited to emergency or "break glass" scenarios where normal accounts can't be used or all other administrators are accidentally locked out. These accounts should be created following the emergency access account recommendations.