Comstat | Ruthin, North Wales | 01745 616 524

Microsoft 365 Global Administrator: Why You Need a Second Admin and How to Assign Roles

by Steve Galloway | Nov 10, 2025

Introduction

The Microsoft 365 Global Administrator role is the most powerful role in your tenant. It grants full control over users, groups, and settings. However, many small businesses assume that one global admin is enough—and that this role automatically includes every privilege. In reality, some critical capabilities, such as billing and advanced authentication management, require additional roles. This article explains what a global administrator does, why you need a second Microsoft 365 global administrator, and how to organize roles for maximum security and continuity.

The sections below explain how establishing a second Microsoft 365 Global Administrator protects your Microsoft 365 tenancy in the event of force majeure. Support options are available for professional assistance.

What Is a Microsoft 365 Global Administrator?

A global administrator in Microsoft 365 (also known as an Entra ID global admin) can manage all aspects of your tenant, including user accounts, licenses, and security settings. This role is essential for tasks such as:

  • Adding or deleting users
  • Resetting passwords
  • Assigning licenses
  • Configuring security policies

However, global admin privileges do not automatically include billing or advanced security functions. For example, managing invoices for your tenancy, buying or cancelling licenses, or overriding multifactor authentication (MFA) blocks requires additional, separate roles.

Why a Second Microsoft 365 Global Administrator Is Essential

Microsoft recommends having at least two global administrators. This ensures:

  • Business continuity during emergencies
  • Shared responsibility for critical changes
  • Reduced risk of lockouts caused by lost credentials or MFA issues

Establishing a second Microsoft 365 Global Administrator in your 365 tenancy protects you against a situation that locks you out of server-level administration.

Roles That Complement a Microsoft 365 Global Administrator

To fully mirror the capabilities of your principal Microsoft 365 global administrator, assign these additional roles to the second admin:

  • Billing Administrator – Manages invoices, payment methods, and subscriptions
  • Privileged Authentication Administrator – Overrides MFA and security blocks
  • Authentication Policy Administrator – Configures authentication methods and policies
  • Service Support Administrator – Opens support tickets with Microsoft

These roles can be assigned in the Microsoft 365 Admin Center or Azure AD (Entra) under Roles and administrators.

Does Licensing Affect MFA for Microsoft 365 Global Administrators?

No. If a second Microsoft 365 global administrator account does not have a Microsoft 365 license assigned to it, it can still complete MFA. MFA enforcement is identity-based, not license-based. The only limitation is that an unlicensed admin cannot use services like Outlook or Teams. For email alerts and notifications, consider assigning at least an Exchange Online license.

How to Organize Your Admin Accounts
  1. Create a second global admin account
  2. Assign MFA to both global admins
  3. Add complementary roles (Billing, Privileged Authentication, etc.)
  4. Document your admin strategy for continuity

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

Microsoft 365 Global Administrator: Why Business Continuity needs 2 global admins

by Steve Galloway | Nov 10, 2025

Introduction

For many small businesses, Microsoft 365 is the backbone of daily operations—email, files, collaboration, and security all depend on it. At the heart of this system is the Microsoft 365 Global Administrator, the most powerful role in your tenant. But what happens if the person holding that role leaves suddenly or becomes unavailable? Without planning, this scenario can lead to a catastrophic lockout, halting your business operations. This article explains the risk and how to prevent it.

The sections below explain how establishing a second Microsoft 365 Global Administrator protects your Microsoft 365 tenancy in the event of force majeure. Support options are available for professional assistance.

The Risk of a Single Global Administrator

When you set up Microsoft 365, the first account created becomes the principal global administrator. This account controls everything: user management, licenses, security settings, and more. If that person leaves the company, passes away, or loses access because their account has been hijacked, your organization could face:

  • Inability to renew licenses or update billing details
  • Locked-out users due to MFA or security blocks
  • No way to add or remove accounts or assign roles

This is not just inconvenient—it can catastrophically disrupt your organization’s IT.

Why a Second Global Admin Is Crucial

Microsoft recommends having at least two global administrators. This ensures:

  • Business continuity during emergencies
  • Shared responsibility for critical changes
  • Reduced risk of lockouts caused by lost credentials or MFA issues

Establishing a second Microsoft 365 Global Administrator in your 365 tenancy protects you against a situation that locks you out of server-level administration.

Best Practices for Setting Up a Second Global Administrator

1. Create a second Microsoft 365 global administrator account

  • Use a strong password and enable MFA

2. Assign complementary roles

  • Billing Administrator
  • Privileged Authentication Administrator
  • Authentication Policy Administrator

3. Document access and recovery procedures

  • Store credentials securely in a password vault

4. Consider a break-glass account

  • A highly secured emergency account with no MFA, monitored for unusual activity.
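
The checklist from "How to Organize Your Admin Accounts" and the best practices above, written as an audit over an admin inventory. This is an added example, not Comstat's or Microsoft's code: the record layout, field names and accounts are constructed assumptions, and it assumes the complementary roles are expected on every global admin other than a break-glass account.

```python
# Added example: audit an admin inventory against the article's checklist.
# The record layout is a hypothetical export; every account below is constructed.
GLOBAL_ADMIN = "Global Administrator"
COMPLEMENTARY = {  # roles the article assigns alongside Global Administrator
    "Billing Administrator",
    "Privileged Authentication Administrator",
    "Authentication Policy Administrator",
    "Service Support Administrator",
}

ACCOUNTS = [  # constructed sample data
    {"upn": "owner@example.test", "roles": {GLOBAL_ADMIN, "Billing Administrator"},
     "mfa": True, "daily_email": True, "break_glass": False},
    {"upn": "admin2@example.test", "roles": {GLOBAL_ADMIN} | COMPLEMENTARY,
     "mfa": False, "daily_email": False, "break_glass": False},
    {"upn": "reception@example.test", "roles": set(),
     "mfa": True, "daily_email": True, "break_glass": False},
]

def audit(accounts):
    """Return a sorted list of findings; an empty list means the checklist passes."""
    findings = []
    admins = [a for a in accounts if GLOBAL_ADMIN in a["roles"]]
    # Assumption: a break-glass account is emergency-only and is not counted
    # as one of the two working global admins.
    regular = [a for a in admins if not a["break_glass"]]
    if len(regular) < 2:
        findings.append(f"only {len(regular)} global admin(s); need at least 2")
    for a in regular:
        upn = a["upn"]
        if not a["mfa"]:
            findings.append(f"{upn}: MFA not enabled")
        missing = COMPLEMENTARY - a["roles"]
        if missing:
            findings.append(f"{upn}: missing roles: {', '.join(sorted(missing))}")
    for a in admins:
        # The article flags admin accounts that double as a daily mailbox.
        if a["daily_email"]:
            findings.append(f"{a['upn']}: admin account also handles daily email")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(ACCOUNTS):
        print(line)
```
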

See our second article in this series to learn more about how network administrators can configure a second Microsoft 365 Global Administrator. Intervention in Microsoft 365, Entra, and other advanced services can cause catastrophic operational problems, so we recommend that you contact us for experienced assistance.

Do I need to buy another 365 license?

No. If your second Microsoft global administrator does not have a Microsoft 365 license, it can still perform MFA and manage the tenant. Licensing only affects access to services like Outlook or Teams—not administrative capabilities.

In our experience, most users lose access to their Microsoft, Apple, and Google accounts via breaches that happen as a consequence of email scams. So, a tenancy owner who operates a solitary Microsoft 365 global administrator account that also handles daily email poses a significant risk.

An unlicensed Microsoft 365 account cannot operate email, which helps to protect the account from breach. However, without email, a non-licensed Microsoft 365 global administrator account might not see system-level emails. This is usually not an issue in a small business. In larger businesses, an inexpensive Exchange Online license is assigned to professional network administrators.

Summary

A single Microsoft 365 global administrator is a single point of failure. By adding a second global admin and assigning the right roles, you protect your business from catastrophic lockouts and ensure continuity. See our following article in this series to learn how network administrators configure roles like Billing Administrator and Privileged Authentication Administrator to mirror the principal Microsoft 365 global administrator account.
