Office365 dual admin for certain users

%3CLINGO-SUB%20id%3D%22lingo-sub-1601828%22%20slang%3D%22en-US%22%3EOffice365%20dual%20admin%20for%20certain%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1601828%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20recently%20our%20finance%20guy%20want%20to%20make%20sure%20their%20email%20can't%20be%20hack%20(reset%20password)%20by%20IT%20guy.%20Is%20there%20any%20way%20to%20archive%20this%20as%20the%20super%20admin%20on%20our%20office365%20is%20the%20IT%20guy.%20I'm%20thinking%20if%20there's%20an%20option%20to%20have%202%20admin%20key%20to%20reset%20certain%20%22vip%22%20users%20here.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1601828%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1601878%22%20slang%3D%22en-US%22%3ERe%3A%20Office365%20dual%20admin%20for%20certain%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1601878%22%20slang%3D%22en-US%22%3EThere%20are%20relatively%20few%20administrative%20tasks%2C%20such%20as%20assigning%20roles%20to%20user%20accounts%2C%20that%20require%20global%20administrator%20privileges.%20Therefore%2C%20instead%20of%20using%20everyday%20user%20accounts%20that%20have%20been%20assigned%20the%20global%20admin%20role%2C%20do%20these%20steps%3A%3CBR%20%2F%3E%3CBR%20%2F%3EDetermine%20the%20set%20of%20user%20accounts%20that%20have%20been%20assigned%20the%20global%20admin%20role.%20You%20can%20do%20this%20with%20Azure%20Active%20(Azure%20AD)%20Directory%20PowerShell%20for%20Graph%20command%3A%3CBR%20%2F%3EPowerShell%3CBR%20%2F%3E%3CBR%20%2F%3ECopy%3CBR%20%2F%3EGet-AzureADDirectoryRole%20%7C%20where%20%7B%20%24_.DisplayName%20-eq%20%22Company%20Administrator%22%20%7D%20%7C%20Get-AzureADDirectoryRoleMember%20%7C%20Ft%20DisplayName%3CBR%20%2F%3ESign%20into%20your%20Microsoft%20365%20subscription%20with%20a%20user%20account%20that%20has%20been%20assigned%20the%20global%20admin%20role.%3CBR%20%2F%3E%3CBR%20%2F%3ECreate%20up%20to%20a%20maximum%20of%20four%20dedicated%20global%20administrator%20user%20accounts.%20Use%20strong%20passwords%20at%20least%2012%20characters%20long.%20See%20Create%20a%20strong%20password%20for%20more%20information.%20Store%20the%20passwords%20for%20the%20new%20accounts%20in%20a%20secure%20location.%3CBR%20%2F%3E%3CBR%20%2F%3EAssign%20the%20global%20admin%20role%20to%20each%20of%20the%20new%20dedicated%20global%20administrator%20user%20accounts.%3CBR%20%2F%3E%3CBR%20%2F%3ESign%20out%20of%20Microsoft%20365.%3CBR%20%2F%3E%3CBR%20%2F%3ESign%20in%20with%20one%20of%20the%20new%20dedicated%20global%20administrator%20user%20accounts.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20each%20existing%20user%20account%20that%20had%20been%20assigned%20the%20global%20admin%20role%20from%20step%201%3A%3CBR%20%2F%3E%3CBR%20%2F%3ERemove%20the%20global%20admin%20role.%3CBR%20%2F%3E%3CBR%20%2F%3EAssign%20admin%20roles%20to%20the%20account%20that%20are%20appropriate%20to%20that%20user's%20job%20function%20and%20responsibility.%20For%20more%20information%20about%20various%20admin%20roles%20in%20Microsoft%20365%2C%20see%20About%20admin%20roles.%3CBR%20%2F%3E%3CBR%20%2F%3ESign%20out%20of%20Microsoft%20365.%3CBR%20%2F%3EThe%20result%20should%20be%3A%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20only%20user%20accounts%20in%20your%20subscription%20that%20have%20the%20global%20admin%20role%20are%20the%20new%20set%20of%20dedicated%20global%20administrator%20accounts.%20Verify%20this%20with%20the%20following%20PowerShell%20command%3A%3CBR%20%2F%3E%3CBR%20%2F%3EPowerShell%3CBR%20%2F%3E%3CBR%20%2F%3ECopy%3CBR%20%2F%3EGet-AzureADDirectoryRole%20%7C%20where%20%7B%20%24_.DisplayName%20-eq%20%22Company%20Administrator%22%20%7D%20%7C%20Get-AzureADDirectoryRoleMember%20%7C%20Ft%20DisplayName%3CBR%20%2F%3EAll%20other%20everyday%20user%20accounts%20that%20manage%20your%20subscription%20have%20admin%20roles%20assigned%20that%20are%20associated%20with%20their%20job%20responsibilities.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi, recently our finance guy want to make sure their email can't be hack (reset password) by IT guy. Is there any way to archive this as the super admin on our office365 is the IT guy. I'm thinking if there's an option to have 2 admin key to reset certain "vip" users here.

1 Reply
There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do these steps:

Determine the set of user accounts that have been assigned the global admin role. You can do this with Azure Active (Azure AD) Directory PowerShell for Graph command:
PowerShell

Copy
Get-AzureADDirectoryRole | where { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Ft DisplayName
Sign into your Microsoft 365 subscription with a user account that has been assigned the global admin role.

Create up to a maximum of four dedicated global administrator user accounts. Use strong passwords at least 12 characters long. See Create a strong password for more information. Store the passwords for the new accounts in a secure location.

Assign the global admin role to each of the new dedicated global administrator user accounts.

Sign out of Microsoft 365.

Sign in with one of the new dedicated global administrator user accounts.

For each existing user account that had been assigned the global admin role from step 1:

Remove the global admin role.

Assign admin roles to the account that are appropriate to that user's job function and responsibility. For more information about various admin roles in Microsoft 365, see About admin roles.

Sign out of Microsoft 365.
The result should be:

The only user accounts in your subscription that have the global admin role are the new set of dedicated global administrator accounts. Verify this with the following PowerShell command:

PowerShell

Copy
Get-AzureADDirectoryRole | where { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Ft DisplayName
All other everyday user accounts that manage your subscription have admin roles assigned that are associated with their job responsibilities.