There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do these steps:
Determine the set of user accounts that have been assigned the global admin role. You can do this with the following Azure Active (Azure AD) Directory PowerShell for Graph command:
PowerShell
Copy
Get-AzureADDirectoryRole | where { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Ft DisplayName
Sign into your Microsoft 365 subscription with a user account that has been assigned the global admin role.
Create up to a maximum of four dedicated global administrator user accounts. Use strong passwords at least 12 characters long. See Create a strong password for more information. Store the passwords for the new accounts in a secure location.
Assign the global admin role to each of the new dedicated global administrator user accounts.
Sign out of Microsoft 365.
Sign in with one of the new dedicated global administrator user accounts.
For each existing user account that had been assigned the global admin role from step 1:
Remove the global admin role.
Assign admin roles to the account that are appropriate to that user's job function and responsibility. For more information about various admin roles in Microsoft 365, see About admin roles.
Sign out of Microsoft 365.
Admin
Apps4Rent
