Global vs. Primary Administrator
Table of Contents
- Global Administrator
- Primary Administrator
- Difference between the Global Administrator and a Primary Administrator
- Best practice
In this article we explain the difference between the Global Administrator and the Primary Administrator: what each role is, when you need it, and what the requirements are.
What is a Global Administrator?
The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. This is a role in Azure AD to manage Azure AD resources in a directory.
What can it do?
A Global Administrator has the following permissions:
- Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory.
- Assign administrator roles to others.
- Reset the password for any user and all other administrators.
This role is needed for the registration of Workspace 365 and creation of the Single Sign-On App Registrations in Azure AD (create Workspace tenants) and to set up the connection to e.g. SharePoint and Exchange.
Do I need to retain access to this account?
In theory, you could remove the Global Administrator role after registering and completing the setup of SSO for Workspace and automatic user import via our Azure AD synctool.
However, we strongly recommend keeping the Global Administrator account active (this is usually the Primary Administrator) and retaining access to it. In other words, store the user's credentials in a secure place and do not remove the account from your AAD.
Keep the access token alive!
Sign in to Workspace 365 regularly to prevent the access token from expiring. Otherwise you can no longer perform administrative tasks for Workspace 365.
Office 365 Global Admin + SharePoint + Exchange – Minimum Office 365 Business Basic.
What is a Primary Administrator?
The Primary Administrator is a role in Workspace 365. Just like any other administrator, this person can create and manage all aspects of users and groups, manage the App store and app permissions, and configure branding.
However, a Primary Administrator is the only one who can request emergency admin access.
1st, 2nd, 3rd... administrator
You can have multiple administrators in Workspace. Let's say we have 3 Workspace administrators: A1, A2 and A3. The first administrator, A1, is the Primary Administrator. If you no longer have access to this account, for example because it has been deleted or is marked as inactive, the second administrator (A2) will then become the Primary Administrator. A1 is no longer allowed to perform administrative tasks in Workspace.
Difference between the Global Administrator and a Primary Administrator
The Global Administrator is a role within Azure AD. This person has all permissions to administer Workspace 365. There are many administrator roles in Azure AD. For example, one of them is an Application Administrator. This person is also allowed to create SSO App Registrations for Workspace 365 in Azure, but is not allowed to perform e.g. user import. This is why we recommend keeping at least one Global Admin account for your Workspace environment, instead of having multiple user accounts with various administrative roles.
When Workspace is created, the Global Administrator becomes the Primary Administrator. You can have six Global Administrators (of course not recommended), but there can only be one Primary Administrator.