Watch first: If you’d rather see the process in action, hit play on the video above where Paul, your resident Digital Mage at CSP Geeks, walks through every click.
Why spin up a separate admin account?
Benefit | What it means for you |
---|---|
Principle of Least Privilege | Give third-party partners only the exact tools they need—nothing more. |
Zero license cost | Admin (role-only) accounts don’t eat into your paid seat count. |
Audit clarity | Actions performed by outside providers are logged under their own identity, making troubleshooting and compliance reviews painless. |
Easy off-boarding | Disable one account when a contract ends—no sifting through shared passwords or lingering access. |
Before you start
- You must already be a Global Administrator (or have User Administrator + Role Administrator) in the tenant.
- MFA should be enforced on all admin-level accounts—yes, even the freshly minted ones.
- Have a clear list of the roles your partner actually needs (Security Admin, Exchange Admin, etc.). Fewer check-boxes now = fewer headaches later.
Step-by-step: Creating the account
- Log in to the Microsoft 365 Admin Center
  Go to admin.microsoft.com and sign in with an existing admin credential. (If your tenant is brand new, you might be using the default *.onmicrosoft.com domain.)
- Go to Users ▸ Active users ▸ Add a user
  This keeps the interface uncluttered and ensures you’re working with the current roster.
- Fill in basic details
  Display name and Username can be anything descriptive—e.g., Rudy SecAdmin.
- Set an initial password
  - Auto-generate or choose your own.
  - Leave “Require this user to change their password on first sign-in” checked.
- Skip product licenses
  Select “Create user without a product license.”
  - The account can’t access services like SharePoint, Teams, or Exchange mailboxes.
  - It can sign in to the admin portals you specify next.
- Assign only the necessary roles
  - Click “Admin center access” ▸ Show all.
  - Check (for example) Security Administrator or Cloud App Administrator—whatever your partner truly needs.
  - Avoid Global Administrator unless absolutely required.
- Review & finish
  - Double-check “Unlicensed” and selected roles.
  - Save or copy the credentials to share securely with your contractor.
  - Hit “Finish adding” and you’re done!
Best practices after creation
- Send credentials out-of-band (e.g., encrypted email + phone call for the temporary password).
- Verify MFA enrollment the first time they log in.
- Set an expiration date for the account in Azure AD if the engagement is time-boxed.
- Monitor the audit log under Compliance ▸ Audit for any unexpected activity.
- Disable or delete the account immediately when work concludes.
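A periodic review of the points above (no license, minimum roles, MFA, prompt off-boarding) can be scripted. The following is an added example, not part of the original post: the account records are constructed, and the `roles` and `mfaRegistered` fields, the `ENGAGEMENTS` register and the contoso names are assumptions.

```python
from datetime import date

GLOBAL_ADMIN = "Global Administrator"

# Constructed sample records, shaped like a directory export. The "roles" and
# "mfaRegistered" fields are assumptions, joined in from role and MFA reports.
ACCOUNTS = [
    {"userPrincipalName": "rudy.secadmin@contoso.onmicrosoft.com", "accountEnabled": True,
     "assignedLicenses": [], "roles": ["Security Administrator"], "mfaRegistered": True},
    {"userPrincipalName": "mail.partner@contoso.onmicrosoft.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "constructed-sku-id"}],
     "roles": ["Exchange Administrator", GLOBAL_ADMIN], "mfaRegistered": False},
    {"userPrincipalName": "old.partner@contoso.onmicrosoft.com", "accountEnabled": True,
     "assignedLicenses": [], "roles": ["Security Administrator", "Exchange Administrator"],
     "mfaRegistered": True},
]

# Hypothetical engagement register: roles agreed with each partner, and the contract end date.
ENGAGEMENTS = {
    "rudy.secadmin@contoso.onmicrosoft.com": ({"Security Administrator"}, date(2025, 12, 31)),
    "mail.partner@contoso.onmicrosoft.com": ({"Exchange Administrator"}, date(2025, 12, 31)),
    "old.partner@contoso.onmicrosoft.com": ({"Security Administrator"}, date(2025, 3, 31)),
}

def review_account(account, approved_roles, engagement_end, today):
    """Return the findings for one partner admin account (empty list = clean)."""
    roles = set(account["roles"])
    extra = sorted(roles - set(approved_roles) - {GLOBAL_ADMIN})
    checks = [
        (bool(account["assignedLicenses"]), "holds a paid license"),
        (GLOBAL_ADMIN in roles and GLOBAL_ADMIN not in approved_roles, "has Global Administrator"),
        (bool(extra), "unapproved roles: " + ", ".join(extra)),
        (not account["mfaRegistered"], "MFA not enrolled"),
        (account["accountEnabled"] and today > engagement_end, "still enabled after engagement end"),
    ]
    return [msg for hit, msg in checks if hit]

def review_all(accounts, engagements, today):
    """Map each UPN to its findings; an account with no register entry fails every role check."""
    report = {}
    for acct in accounts:
        upn = acct["userPrincipalName"]
        approved, ends = engagements.get(upn, (set(), date.min))
        report[upn] = review_account(acct, approved, ends, today)
    return report

if __name__ == "__main__":
    for upn, findings in review_all(ACCOUNTS, ENGAGEMENTS, date(2025, 6, 1)).items():
        print(upn, "->", findings or "OK")
```
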
Common questions
Question | Quick answer |
---|---|
Does an unlicensed admin account count toward my user total? | It counts as a user object but does not consume a paid license. |
Can that user access Exchange Online to send mail? | No—mailbox access requires a license. You’d need to grant a separate licensed mailbox or use a shared mailbox. |
What if my partner needs just one extra portal later? | Edit the user ▸ Roles and tick the additional admin role—no need to recreate the account. |
Is it safer to use PIM (Privileged Identity Management)? | Absolutely. PIM lets you keep roles “eligible” and approved only when needed—ideal for larger organizations. |
Wrapping up
Creating a dedicated, license-free admin account keeps your tenant secure, auditable, and compliant—while giving external experts exactly the tools they need to help you thrive.
Need help tightening up Microsoft 365 security or delegating administration with zero fuss? CSP Geeks has your back. Drop us a line and we’ll conjure up the right solution.
Cheers,
Paul – Digital Mage, CSP Geeks LLC