Introduction
For many small businesses, Microsoft 365 is the backbone of daily operations—email, files, collaboration, and security all depend on it. At the heart of this system is the Microsoft 365 Global Administrator, the most powerful role in your tenant. But what happens if the person holding that role leaves suddenly or becomes unavailable? Without planning, this scenario can lead to a catastrophic lockout, halting your business operations. This article explains the risk and how to prevent it.
Click open the headers below to learn more about how to protect your IT assets by establishing a second Microsoft 365 Global Administrator to protect your Microsoft 365 tenancy in the event of force majeure. Support options are available for professional assistance.
The Risk of a Single Global Administrator
When you set up Microsoft 365, the first account created becomes the principal global administrator. This account controls everything: user management, licenses, security settings, and more. If that person leaves the company, passes away, or loses access because their account has been hijacked, your organization could face:
- Inability to renew licenses or update billing details
- Locked-out users due to MFA or security blocks
- No way to add or remove accounts or assign roles
This is not just inconvenient—it can catastrophically disrupt your organization’s IT.
Why a Second Global Admin Is Crucial
Microsoft recommends having at least two global administrators. This ensures:
- Business continuity during emergencies
- Shared responsibility for critical changes
- Reduced risk of lockouts caused by lost credentials or MFA issues
Establishing a second Microsoft 365 Global Administrator in your 365 tenancy protects against you against a situation arising that locks you out of server-level administration.
Best Practices for Setting Up a Second Global Administrator
1. Create a second Microsoft 365 global administrator account
- Use a strong password and enable MFA
2. Assign complementary roles
- Billing Administrator
- Privileged Authentication Administrator
- Authentication Policy Administrator
3. Document access and recovery procedures
- Store credentials securely in a password vault
4. Consider a break-glass account
- A highly secured emergency account with no MFA, monitored for unusual activity.
See our second article in this series to learn more about how network administrators can configure a second Microsoft 365 Global Administrator. Intervention in Microsoft 365, Entra, and and other advanced services can cause catastrophic operational problems so we recommend that you contact us for experienced assistance.
Do I need to buy another 365 license?
No. If your second Microsoft global administrator does not have a Microsoft 365 license, it can still perform MFA and manage the tenant. Licensing only affects access to services like Outlook or Teams—not administrative capabilities.
In our experience, most users lose access to their Microsoft, Apple, and Google accounts via breaches that happen as a consequence of email scams. So, a tenancy owner who operates a solitary Microsoft 365 global administrator user which also handles daily email poses a significant risk.
An unlicensed Microsoft 365 account cannot operate email which helps to protect the account from breach. However, without email, a non-licensed Microsoft 365 global administrator account might not see system-level emails. This is usually not an issue in a small business. In larger businesses, an inexpensive Exchange Online license is assigned to professional network administrators.
Summary
A single Microsoft 365 global administrator is a single point of failure. By adding a second global admin and assigning the right roles, you protect your business from catastrophic lockouts and ensure continuity. See our following article in this series to learn how network administrators configure roles like Billing Administrator and Privileged Authentication Administrator to mirror the principal Microsoft 365 global administrator account.
About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.
