Add an admin account

In Microsoft Entra External ID, a customer tenant represents your directory of consumer and guest accounts. A work or guest account that holds an administrator role can manage the tenant.

Prerequisites

Before you start, make sure you have completed the following:
  1. Create a tenant

To add an admin account, sign in to the Microsoft Entra admin center with Global Administrator or Privileged Role Administrator permissions and browse to Identity > Users > All users. Then, select New user > Create new user.

On the Create new user page, under Basics, enter the information for this admin:
  • User principal name (required): the sign-in name of the new user, for example emily@woodgrovelive.com.
  • Display name (required): enter a name for the user.
  • Password: copy the autogenerated password from the Password box. You need to give this password to the admin so they can sign in for the first time; they are prompted to change it at that first sign-in.

Under Properties, you can also enter a First name and Last name along with some other properties.

To give the user administrative permissions, assign them a Microsoft Entra role. You can assign Global Administrator or one or more of the limited administrator roles in Microsoft Entra ID; choose the least-privileged role that covers the tasks the admin needs. Under Assignments, select Add role, find the role you want to add, and choose Select.

To create the account, select Create.

Dependencies

This script is self-contained.

1. Create a user

To create a user, send the following Microsoft Graph request and replace:
  • {DisplayName} with the user's display name.
  • {MailNickname} with a mail alias for the user. This property must be specified when a user is created.
  • {UserPrincipalName} with the user principal name (UPN) of the user. The general format is alias@domain, where the domain must be present in the tenant's collection of verified domains.
  • {Password} with a temporary password that you share with the user out of band. Because forceChangePasswordNextSignIn is true, the user must change it during their first sign-in.

Microsoft Graph:
POST https://graph.microsoft.com/v1.0/users
{
    "accountEnabled": true,
    "displayName": "{DisplayName}",
    "mailNickname": "{MailNickname}",
    "userPrincipalName": "{UserPrincipalName}",
    "passwordProfile": {
        "forceChangePasswordNextSignIn": true,
        "password": "{Password}"
    }
}

PowerShell (Microsoft Graph PowerShell SDK; the same body as a hashtable):
Connect-MgGraph -Scopes "User.ReadWrite.All"
$params = @{
    accountEnabled    = $true
    displayName       = "{DisplayName}"
    mailNickname      = "{MailNickname}"
    userPrincipalName = "{UserPrincipalName}"
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $true
        password                      = "{Password}"
    }
}
# New-MgBetaUser calls the beta endpoint; New-MgUser is the v1.0 equivalent of the request above.
New-MgBetaUser -BodyParameter $params

The following example shows how to create a new user account for Adele Vance.

Microsoft Graph:
POST https://graph.microsoft.com/v1.0/users
{
    "accountEnabled": true,
    "displayName": "Adele Vance",
    "mailNickname": "AdeleV",
    "userPrincipalName": "AdeleV@woodgrove.onmicrosoft.com",
    "passwordProfile": {
        "forceChangePasswordNextSignIn": true,
        "password": "xWwvJ]6NMw+bWH-d"
    }
}

PowerShell:
$params = @{
    accountEnabled    = $true
    displayName       = "Adele Vance"
    mailNickname      = "AdeleV"
    userPrincipalName = "AdeleV@woodgrove.onmicrosoft.com"
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $true
        password                      = "xWwvJ]6NMw+bWH-d"
    }
}
New-MgBetaUser -BodyParameter $params

1.1 Copy the user ID

From the response, copy the value of id. For example:

Microsoft Graph response:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "id": "11111111-0000-0000-0000-000000000000",
    ...
}

PowerShell output:
DisplayName   Id                                     UserPrincipalName
-----------   --                                     -----------------
Adele Vance   11111111-0000-0000-0000-000000000000   AdeleV@woodgrove.onmicrosoft.com

2. Assign admin role

After the new user is created, create a (unified) role assignment. In the following Graph request, replace:
  • {user-id} with the id you copied in step 1.1.
  • {role-id} with the template ID of the directory role to assign (for example, 62e90394-69f5-4237-9190-012177145e10 is Global Administrator).
A directoryScopeId of "/" assigns the role across the whole tenant. Global Administrator grants full control of the tenant, so prefer one of the limited administrator roles whenever it covers the admin's tasks.

Microsoft Graph:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
    "principalId": "{user-id}",
    "roleDefinitionId": "{role-id}",
    "directoryScopeId": "/"
}

PowerShell:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$params = @{
    principalId      = "{user-id}"
    roleDefinitionId = "{role-id}"
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params

The following example assigns the Global Administrator role to Adele Vance.

Microsoft Graph:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
    "principalId": "11111111-0000-0000-0000-000000000000",
    "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
    "directoryScopeId": "/"
}

PowerShell:
$params = @{
    principalId      = "11111111-0000-0000-0000-000000000000"
    roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
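The two steps above (create the user, then assign the role) as one script. This is an added example, not code from the page or from Microsoft; it uses the Microsoft Graph PowerShell SDK and adds the checks an operator would want: a temporary password drawn from the cryptographic RNG rather than typed by hand, a role looked up by display name instead of a pasted template ID, and a read-back of the principal's role assignments after the write. It assumes PowerShell 7, the Microsoft.Graph module installed, an interactive sign-in as Global Administrator or Privileged Role Administrator, and woodgrove.onmicrosoft.com as a verified domain; the display name, alias, UPN and role name are placeholders.

```powershell
# Added example (not the page's own code): create an admin account and assign a
# directory role end to end, then verify the assignment.
# Assumptions: PowerShell 7 (for RandomNumberGenerator::GetInt32), Microsoft.Graph
# module installed, a verified domain woodgrove.onmicrosoft.com, and a signed-in
# Global Administrator or Privileged Role Administrator. Parameter defaults are
# placeholders; pass your own values.
param(
    [string]$DisplayName       = 'Adele Vance',
    [string]$MailNickname      = 'AdeleV',
    [string]$UserPrincipalName = 'AdeleV@woodgrove.onmicrosoft.com',
    # Least privilege: a limited role by default. Pass 'Global Administrator'
    # only when the task really needs tenant-wide control.
    [string]$RoleName          = 'User Administrator'
)

$ErrorActionPreference = 'Stop'

# One session for both steps; the scopes are the two the page's requests need.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# Temporary password from the cryptographic RNG. GetInt32 is uniform over the
# alphabet (no modulo bias); ambiguous glyphs (0/O, 1/l/I) are omitted because
# the password is read to the admin out of band.
function New-TemporaryPassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^*-_+=?'
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)]
    }
    -join $chars
}
$tempPassword = New-TemporaryPassword

# Step 1: create the user. Same body as POST /users on the page, as a hashtable.
$userParams = @{
    accountEnabled    = $true
    displayName       = $DisplayName
    mailNickname      = $MailNickname
    userPrincipalName = $UserPrincipalName
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $true   # first sign-in replaces the temporary password
        password                      = $tempPassword
    }
}
$user = New-MgUser -BodyParameter $userParams
Write-Host "Created $($user.UserPrincipalName) (id $($user.Id))"

# Step 2: resolve the role by display name instead of pasting a template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Directory role '$RoleName' was not found." }

$null = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'   # tenant-wide; use an administrative unit scope where that suffices
}

# Verify: list every directory role now assigned directly to the new principal.
$held = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; Scope = $_.DirectoryScopeId; AssignmentId = $_.Id }
    }
$held | Format-Table -AutoSize
if (-not ($held | Where-Object Role -eq $RoleName)) {
    throw "Role assignment for '$RoleName' did not appear on $($user.UserPrincipalName)."
}

# The password exists only in this variable. Hand it over once, out of band,
# and keep it out of transcripts and logs.
Write-Host "Temporary password for $($user.UserPrincipalName): $tempPassword"
```

Run it as `.\New-AdminAccount.ps1 -UserPrincipalName 'emily@woodgrovelive.com' -DisplayName 'Emily' -MailNickname 'emily'` (script name assumed). The read-back at the end is the check that matters: it confirms the assignment landed on the intended principal and shows any other roles the account already holds, which is where over-privileged admin accounts usually come from.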