Introduction
Microsoft Azure Entra ID (formerly known as Azure Active Directory) is Microsoft's cloud-based identity and access management service. It helps organizations manage who can access what — from internal apps to cloud resources — and is a foundational skill for any cloud or IT administrator.
In this guide, I'll walk you through:
**1. Creating a new user in Azure Entra ID
- Signing in with the new user account
- Granting Global Administrator access to that user
- Using the promoted account to create a second user
- Revoking the Global Administrator role from the first user ** Let's get started!
Prerequisites
An active Azure subscription (a free account works)
Access to the Azure Portal with an existing admin account
A browser in private/incognito mode (useful for signing in with the new user simultaneously)
Step 1 — Sign In to the Azure Portal
Open your browser and navigate to https://portal.azure.com. Sign in with your existing administrator account.
Once signed in, you'll land on the Azure home dashboard. From here, we'll navigate to Microsoft Entra ID.
In the left sidebar or search bar at the top, type "Microsoft Entra ID" and click on it.
Step 2 — Create the First New User
Inside the Microsoft Entra ID blade, click on "Users" in the left-hand menu under the Manage section.
On the Users page, click "+ New user" at the top of the page, then select "Create new user" from the dropdown.
.
You'll be taken to the Create new user form. Fill in the following fields:
*Field Example Value *
User principal name john.doe@yourdomain.onmicrosoft.com
Display name John Doe
Password Auto-generate or set a temporary password
⚠️ Note: Copy the temporary password — you'll need it to sign in as this user in the next step.
After filling in the details, click "Review + create", then "Create".
Step 3 — Sign In With the Newly Created User Account
Open a private/incognito browser window and navigate to https://portal.azure.com.
Sign in using the new user's credentials:
Username: the user principal name you set (e.g., john.doe@yourdomain.onmicrosoft.com)
Password: the temporary password you copied
You will be prompted to change the password on first login. Set a new permanent password and complete the sign-in process.
The new user has limited access at this point — this is expected. Keep this window open; we'll come back to it.
Step 4 — Grant Global Administrator Access to the First User
Switch back to your original browser window (logged in as your admin account).
In Microsoft Entra ID, navigate to "Users" and search for or click on the user you just created (e.g., John Doe).
On the user's profile page, click "Assigned roles" in the left menu under the Manage section.
Click "+ Add assignments" at the top.
In the search box that appears on the right panel, type "Global Administrator" and check the box next to it.
Click "Add" to confirm.
The first user now has Global Administrator privileges.
Step 5 — Create a Second User Using the Promoted Account
Switch back to the incognito/private browser window where you're signed in as the first user (e.g., John Doe).
⚠️ Note: You may need to refresh the page or sign out and sign back in for the new Global Administrator role to take effect.
After refreshing, navigate to Microsoft Entra ID → Users and click "+ New user" → "Create new user" again.
Fill in the details for the second user:
Field Example Value
User principal name jane.smith@yourdomain.onmicrosoft.com
Display name Jane Smith
Password Auto-generate or set a temporarypassword
Click "Review + create", then "Create".
The second user has been successfully created using the promoted account.
Step 6 — Revoke Global Administrator Access From the First User
Switch back to your original admin browser window.
Navigate to Microsoft Entra ID → Users and select the first user (e.g., John Doe).
Click "Assigned roles" in the left menu.
Click the checkbox next to "Global Administrator" to select it, then click "Remove assignments" (or the trash/remove icon that appears).
Confirm the removal when prompted.
The Global Administrator role has been successfully revoked from the first user.
Key Takeaways
Azure Entra ID is the identity backbone of Microsoft Azure, managing users, groups, and access roles.
Global Administrator is the most powerful role in Azure Entra ID — assign it carefully and always revoke it when it's no longer needed. This follows the principle of least privilege.
Using incognito/private windows is a practical trick for testing multiple user sessions simultaneously without conflict.
Role assignments in Entra ID may take a few seconds to propagate — always refresh after making changes.
Conclusion
Managing identities and access in Azure Entra ID is a critical cloud skill. Through this exercise, we've seen how straightforward it is to create users, elevate their privileges, and — importantly — take those privileges away. Practicing proper access management habits now builds a strong foundation for real-world cloud administration.
If you found this guide helpful, drop a reaction below or share it with a teammate learning Azure!
Top comments (0)