Forum Discussion
Former short-term employee added as Billing Admin
Hi everyone,
I’m hoping to get some insight into how this could have occurred and what we should review to prevent it from happening again.
We are a small organization, and we recently discovered that a former employee (who only worked with us for about two weeks) was listed as a Billing Administrator in our Microsoft 365 tenant.
This person is no longer with the company.
Their Microsoft account has already been deleted.
We are a small team with very limited admin roles assigned.
We do not recall intentionally granting them billing-level permissions.
We are trying to understand:
How could a short-term user have been assigned the Billing Administrator role?
Could this have been done automatically through another role assignment (e.g., Global Admin inheritance)?
Is it possible this occurred through a CSP/partner relationship?
Are there logs we should specifically review beyond standard audit logs?
What are best practices to prevent this from happening again in a small tenant?
We are currently reviewing:
Admin role assignments
Audit logs
Partner relationships
MFA enforcement for all admins
If anyone has seen something similar or can suggest specific logs, settings, or controls we should review, I would really appreciate the guidance.
Thanks in advance for your help.
1 Reply
A former short-term employee could appear as a Billing Administrator in Microsoft 365 if the role was explicitly assigned, inherited through Global Admin privileges, or granted via a Cloud Solution Provider (CSP) partner relationship. To prevent recurrence, you should audit admin role assignments, review partner access, and enforce strict least-privilege and MFA policies.
https://learn.microsoft.com/en-us/purview/audit-log-activities
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/add-partner?view=o365-worldwide
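For the question about which logs to review, here is an added example (not part of the original post or reply) that scans exported directory audit records for successful "Add member to role" events granting Billing Administrator and reports who initiated each one. It assumes records in the Microsoft Graph `directoryAudit` shape; the sample data, the domains and the "external actor" heuristic are constructed for illustration.

```python
# Constructed records in the Microsoft Graph directoryAudit shape
# (GET /auditLogs/directoryAudits). Every name and value is invented.
def _event(when, grantee, role, user=None, app=None, result="success"):
    return {
        "activityDisplayName": "Add member to role",
        "activityDateTime": when,
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": user} if user else None,
                        "app": {"displayName": app} if app else None},
        "targetResources": [
            {"type": "User", "userPrincipalName": grantee,
             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                     "oldValue": None, "newValue": f'"{role}"'}]},
        ],
    }

SAMPLE = [
    _event("2024-03-04T09:12:00Z", "temp.hire@contoso.example", "Billing Administrator",
           user="owner@contoso.example"),
    _event("2024-03-05T10:00:00Z", "temp.hire@contoso.example", "Global Reader",
           user="owner@contoso.example"),
    _event("2024-03-06T11:30:00Z", "ops@contoso.example", "Billing Administrator",
           user="tech@partner.example"),
    _event("2024-03-07T08:45:00Z", "svc@contoso.example", "Billing Administrator",
           app="Constructed Provisioning App"),
    _event("2024-03-08T14:00:00Z", "intern@contoso.example", "Billing Administrator",
           user="owner@contoso.example", result="failure"),
]

def role_grants(records, role="Billing Administrator", own_domains=("contoso.example",)):
    """List successful 'Add member to role' events that granted `role`."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role" or rec.get("result") != "success":
            continue
        targets = rec.get("targetResources") or []
        # Role names in modifiedProperties are JSON-quoted strings; strip the quotes.
        granted = {(p.get("newValue") or "").strip('"')
                   for t in targets for p in (t.get("modifiedProperties") or [])
                   if p.get("displayName") == "Role.DisplayName"}
        if role not in granted:
            continue
        by = rec.get("initiatedBy") or {}
        upn = (by.get("user") or {}).get("userPrincipalName")
        app = (by.get("app") or {}).get("displayName")
        grantee = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), None)
        findings.append({
            "when": rec.get("activityDateTime"), "granted_to": grantee,
            "granted_by": upn or app or "unknown",
            # Heuristic (assumption): an initiator outside our own domains deserves a closer look.
            "external_actor": bool(upn) and upn.rsplit("@", 1)[-1].lower() not in own_domains,
        })
    return findings
```

Each finding names the account that performed the assignment, which is the detail needed to tell a deliberate grant by an internal admin from one made by an application or by an account outside the tenant's own domains.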