Hi ,
Welcome to the Support Portal. How can we help?

Global vs. Primary Administrator

Table of Contents



In this article we explain the difference between the Global Administrator and the Primary Administrator. What is it? When do we need it? Are there any requirements and so on.

For more information about Roles & Permissions in Workspace, click here


Global Administrator

What is a Global Administrator?

The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. This is a role in Azure AD to manage Azure AD resources in a directory.


What can it do? 

A Global Administrator has the following permissions:

  • Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory.
  • Assign administrator roles to others.
  • Reset the password for any user and all other administrators.

This role is needed for the registration of Workspace 365 and creation of the Single Sign-On App Registrations in Azure AD (create Workspace tenants) and to set up the connection to e.g. SharePoint and Exchange.


Do I need to remain access to this account?

In theory, you could remove the Global Administrator role after registration and completing the setup of SSO for Workspace and automatic user import via our Azure AD synctool.

However, we strongly recommend keeping the Global Administrator account active (which is usually the Primary Administrator) and to remain access to this account. In other words, store the user's credentials on a secure place and do not remove the account from your AAD.


Keep the access token alive!

Sign into Workspace 365 regularly to prevent the access token from expiring, otherwise you can no longer perform administrative tasks for Workspace 365.



Office 365 Global Admin + SharePoint + Exchange – Minimum Office 365 Business Basic. 

Back to top


Primary Administrator

What is a Primary Administrator? 

A Primary Administrator is a role in Workspace 365. This person can create and manage all aspects of users and groups, manage the App store and app permissions, configure branding (just like any other administrator).

However, a Primary Administrator is the only one who can request emergency admin access


1st, 2nd, 3rd... administrator

You can have multiple administrators in Workspace. Let's say we have 3 Workspace administrators: A1, A2 and A3. The first administrator, A1, is the Primary Administrator. If you do not have access to this account anymore, let's say this account has been deleted or is marked as inactive, the second administrator (A2) will then become the Primary Administrator. A1 is no longer allowed to perform administrative tasks in Workspace.

Back to top


Difference between the Global Administrator and a Primary Administrator

The Global Administrator is a role within Azure AD. This person has all permissions to administer Workspace 365. There are many administrator roles in Azure AD. For example, one of them is an Application Administrator. This person is also allowed to create SSO App Registrations for Workspace 365 in Azure, but is not allowed to perform e.g. user import. This is why we recommend keeping at least one Global Admin account for your Workspace environment, instead of having multiple user accounts with various administrative roles. 

When Workspace is created, the Global Administrator becomes the Primary Administrator. You can have six Global Administrators (of course not recommended), but there can only be one Primary Administrator. 

Back to top