How to delete a global administrator in Azure “Cloud Identity” but keep the Office 365 administration account and vice versa?

0
votes

We have an Office 365 directory with an administrator that is linked to our Azure subscription. The account in the azure subscription is a global administrator. When that account was deleted and re-created from the office 365 portal, the administrator in the azure subscription still existed as a global administrator in the ARM portal with no permissions. The account could not log into the classic portal. Azure and O365 should be using the same directory? We are concerned with the remnant configuration in the ARM portal.

How do you remove the administrator from the Azure Subscription without removing them from the O365 and vice versa?

Note: When using Get-MsolUser as "Company administrator" the user was returned even after they were deleted from O365 portal.

1
azureactive-directoryoffice365

1 Answers

0
votes

Users get access to the Classic Portal by being either a Service Admin or Co-Admin on the subscription. This user seems to be neither now.

The new Portal bases its access on role-based access control. Anyone in an Azure Active Directory can log in to the new Portal. What they can do depends on their roles on subscriptions/resource groups/resources. If the admin has no role in any subscription, any resource group, or any resource, they can't see or do anything in that subscription.

Even if they are Global Admin on the directory does not give them any access to the subscription.