How do we add a second global admin for Azure AD B2C? Do we add them as guest account and assign that guest GA? When adding a normal user, it says we can’t add a dot.state.fl.us email. Should we authorize it, or will that screw up our primary tenant? (Azure AD).
Asked
Active
Viewed 6,389 times
3 Answers
8
You can either create a local (or member) user in your Azure AD B2C directory and/or invite an external (or guest) user from your Azure AD enterprise directory to your Azure AD B2C directory.
To create a member user, select "New user" in the "Users and groups - All users" blade of your Azure AD B2C directory.
(This member user must be created with the domain name of your Azure AD B2C directory.)
To invite a guest user, select "New guest user" in this same blade.
In both cases, you can assign the member or guest user to the Global Administrator role, so that can manage your Azure AD B2C directory.
Chris Padgett
- 14,186
- 1
- 15
- 28
5
@ChrisPadgett is correct. If you wan't to add a second Global administrator from an External Azure Active Directory do it like this:
Switch directory to your Azure AD B2C directory.
Select Users and click on New User. Might work with New guest user as well according to comments but I have not tested this myself.
Use Invite user and fill in the required fields, use an email linked to the External Azure Active Directory.
In Roles select Global administrator and then Invite the email.
After the user then finishes setting up their account you will have two global administrators:
Ogglas
- 62,132
- 37
- 328
- 418
-
I downvoted because I was confused about 'New User' vs 'New Guest User' when adding someone from a "External Azure Active Directory" - but it appears that it doesn't matter at all which one you choose in this case. But now it appears I can't undo my downvote. I've added an edit to clarify, which I think is more correct and would also let me revote. – Ben Dec 02 '20 at 18:16
-
1@Ben Thanks for the clarification! Since I have not tried `New guest user` myself I made an edit saying that it might work to use this. I do not want to say that something does not matter if I have not tried it myself. :) – Ogglas Dec 02 '20 at 20:15
3
Adding to the answer above,
If your original administrator account doesn't have an email address associated with it, you won't get the invite obviously...
The work around is: Ones you invited the external Active Directory user by its username (for example admin@tenant1.com) open the browser and go to https://portal.azure.com/[tenant2].onmicrosoft.com and sign in with the newly invited username and password (not the password from tenant1), you will get a prompt to accept the invite,
Ones done, the user will change from "invited" to "External Azure Active Directory" at which point you can sign in regularly and switch domains from the "Directory + Subscription" tab.
