Global vs. Primary Administrator


In this article we explain the difference between the Global Administrator and the Primary Administrator. What is each role? When do you need it? Are there any requirements? How do you make someone administrator? And what is best practice?

For more information about Roles & Permissions in Workspace, click here.


Global Administrator

What is a Global Administrator?

The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. This is a role in Azure AD to manage Azure AD resources in a directory.

A Global Administrator has the following permissions: 

  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory.
  • Assign administrator roles to others.
  • Reset the password for any user and all other administrators.

Why do we need a Global Administrator?

This role is needed for the registration of Workspace 365 and creation of the Single Sign-On App Registrations in Azure AD (create Workspace tenants) and to set up the connection to e.g. SharePoint and Exchange.



Office 365 Global Admin + SharePoint + Exchange – Minimum Office 365 Business Basic. 



Primary Administrator

What is a Primary Administrator? 

A Primary Administrator is a role in Workspace 365. This person can create and manage all aspects of users and groups, manage the App store and app permissions, configure branding, etc. A Primary Administrator can also reset the password for Workspace 365 (request emergency admin access). 


1st, 2nd, 3rd... administrator

You can have multiple administrators in Workspace. Let's say we have 3 Workspace administrators: A1, A2 and A3. The first administrator, A1, is the Primary Administrator. If you no longer have access to this account, for example because it has been deleted or marked as inactive, the second administrator (A2) becomes the Primary Administrator. A1 is then no longer allowed to perform administrative tasks in Workspace.



How do I make someone administrator ("manage admin role from...")?

You can choose to manage the Workspace 365 admin role from:

  • Azure AD: users who are assigned the Global Administrator role (IsAdminFlag) in Azure AD and are present (and active) in Workspace 365 become administrator. When you use our Azure AD synctool, users who are assigned the Global Administrator role in Azure AD automatically become admin in Workspace.
  • Workspace 365: active users in Workspace can be marked as administrator. To do this, stop the sync under the Active Directory settings in Workspace. Then go to User Management (users & groups). Here you can edit a selected user and make him/her administrator.

Be careful when changing this setting. For example: when it is set to Azure AD and you change it to Workspace 365, Workspace no longer checks for the IsAdminFlag in Azure AD. This means only active users marked as administrator in Workspace can administer Workspace 365.
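The effect of changing this setting can be worked out before you change it. The sketch below is an added example, not Workspace 365 code: it models the two rules above and the Primary Administrator succession on user records you have exported yourself. The field names, the `azure_ad`/`workspace` labels and the use of list order as administrator order are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    active: bool           # present and active in Workspace 365
    is_admin_flag: bool    # Global Administrator in Azure AD (IsAdminFlag)
    workspace_admin: bool  # marked as administrator in Workspace User Management

def effective_admins(users, source):
    """Names of users who can administer Workspace, in list order (assumed order)."""
    if source == "azure_ad":
        pick = lambda u: u.is_admin_flag
    elif source == "workspace":
        pick = lambda u: u.workspace_admin
    else:
        raise ValueError(f"unknown admin source: {source!r}")
    # Deleted (absent) or inactive accounts never count as administrators.
    return [u.name for u in users if u.active and pick(u)]

def primary_admin(users, source):
    """The first remaining administrator is the Primary Administrator; None means lockout."""
    admins = effective_admins(users, source)
    return admins[0] if admins else None

def switch_report(users, old, new):
    """Compare the administrator set before and after changing the admin source."""
    before = effective_admins(users, old)
    after = effective_admins(users, new)
    return {
        "lose_admin": [n for n in before if n not in after],
        "gain_admin": [n for n in after if n not in before],
        "primary_before": primary_admin(users, old),
        "primary_after": primary_admin(users, new),
        "lockout": not after,
    }

# Constructed sample data: A1 has been marked inactive, A2 is a Global
# Administrator only, A3 is marked as administrator in Workspace only.
USERS = [
    User("A1", active=False, is_admin_flag=True, workspace_admin=True),
    User("A2", active=True, is_admin_flag=True, workspace_admin=False),
    User("A3", active=True, is_admin_flag=False, workspace_admin=True),
]

if __name__ == "__main__":
    print(switch_report(USERS, "azure_ad", "workspace"))
```

A report with `lockout` set to true means no active user would hold the admin role after the change, so mark an active user as administrator first.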




Difference between the Global Administrator and a Primary Administrator

The Global Administrator is a role within Azure AD. This person has all permissions to administer Workspace 365. There are many administrator roles in Azure AD. One of them, for example, is the Application Administrator. This person is also allowed to create SSO App Registrations for Workspace 365 in Azure, but is not allowed to perform e.g. user import. This is why we recommend keeping at least one Global Admin account for your Workspace environment, instead of having multiple user accounts with various administrative roles.

When Workspace is created, the Global Administrator becomes the Primary Administrator. You could have six Global Administrators (of course not recommended), but there can only be one Primary Administrator. 



Best practice

In theory, you could remove the Global Administrator role after registration and after completing the setup of SSO for Workspace and automatic user import via our Azure AD synctool. However, this is not recommended. We recommend keeping the Global Administrator account active, which is usually the Primary Administrator. Sign in regularly with the Primary Administrator account in Office 365 to prevent the access token from expiring. Once it has expired, you can no longer perform administrative tasks for Workspace 365.
