I'm trying to set up a global admin account without assigning it any licenses, since best practices suggest not giving licenses to a global admin. MFA is activated, but I'm running into a problem: without a license, the account can't receive crucial notifications or emails from Microsoft regarding bills or updates. I found some guidance online about setting up a mail contact, but I'm stuck. For my global admin ([email protected]), which has no license, I also have a user account ([email protected]) with a Business Basic license. It seems I can't create a mail contact for the unlicensed admin account, and I can't use it as a rule recipient either. Why is it so complicated for what should be a straightforward process? Any suggestions on how to manage notifications in this scenario?
7 Answers
Don’t forget there's an option in Entra ID that allows a global admin to view all Azure resources, including billing info. That could be worth checking out!
In my case, I just ended up licensing mine. It simplifies everything a lot.
A workaround I use is creating plus addresses. For example, you could set your admin account email to [email protected]. Most email servers ignore everything between the + and the @, so all those emails will still land in your licensed mailbox without any extra hassle.
Are you trying this for your own tenant or a different one? If it’s a different tenant, try using the 'other emails' field; it should still forward to you. And seriously consider enabling + addressing so you can track it better! If it's your own primary tenant, I suggest looking into what MailMaster23 mentioned. I'm planning to do that myself soon!
You might want to consider turning your global admin into a shared mailbox. This way, it can still receive and forward emails through all admin portals without needing direct access, although you'd need to have a licensed user added as a delegate to access it directly.
I had no idea that was an option—thanks for the tip!
I've come to understand that to access volume licensing products, you need billing admin rights. However, we found out that global admins without emails can't view these products. Basically, to see them, you need to have both billing admin privileges and a Microsoft license. I haven't found a different way around this.
You could just make yourself the billing admin. It keeps your exposure limited.
That's a smart solution! Shared mailboxes are super handy, but I get the feeling they'll complicate things with licensing soon—at least that's what my cynical side thinks!