PROBLEM

Unable to change your ArcGIS Online Organization's Default Administrator

Last Published: September 26, 2023

Description

When ArcGIS Online Organization administrators are no longer active and are unreachable, privileges must be delegated to a new or existing user. For example, the user named as the current default administrator has separated from their organization but did not delegate administrator permissions to another user before their final day. As a result, current active users are left without the permissions needed to perform the tasks reserved for an administrator.

Cause

ArcGIS Online security responsibilities such as Identity and Access Management are shared by both Esri and the ArcGIS Online Organization owner. Esri provides the necessary tooling and infrastructure to support our customers, but user and role configuration is a customer responsibility. Esri is the data processor, not the data controller, for customer-owned accounts.

Rather than requesting Esri make changes to ArcGIS Online user accounts such as modifying roles, privileges, or other user attributes, customers must develop processes that ensure that these administration aspects are fully owned internally by members of their business organization.

Solution or Workaround

To maintain the confidentiality, integrity, availability, and privacy of your organizational users and data, it is strongly encouraged that the default administrator invite new members preconfigured as default administrators, or assign permissions to manage users to another user in the organization, before becoming inactive.

A member acting in the default administrator role is required to assign another user membership in an admin role.

The new default administrator can then disable or remove the old default administrators after the previous administrator has officially left the organization. Some organizations may choose to name two default administrator accounts in the organization in case one needs to be replaced due to unexpected circumstances. Various tools highlighted in the Manage Members documentation, such as changing user type and role, inviting a new member, or modifying email addresses, are great ways to update the default administrator. It is important to name at least one active administrator in the Administrative contacts list so that members can inquire about administrative needs. It is also important that users are prompted to validate their email addresses so that they receive any administrative notifications.

Leveraging a SAML IDP as the user store is highly recommended. SAML allows organization domain administrators to centrally manage domain accounts. When SAML is leveraged, the password for an existing but inactive or inaccessible default administrator can be changed at the domain/SAML IDP level. This means that even if the only default administrator leaves the organization abruptly, that account is immediately accessible by simply changing the domain account password.

In circumstances where the organization's default administrator is inaccessible and no other default administrators are known to exist, the following options should be considered:

Obtain Access to Your Previous Administrator's User Record

  1. Start by working with members of your organization to identify if there is another active default administrator by looking through the ArcGIS Online organization member list or reaching out to your department manager, IT department, primary maintenance contact, or primary purchaser.
    Ideally, an administrator will be identified and can update the organization as needed.
    • Working with superiors or other groups within the customer's business helps to maintain the security and administration policies they have put in place (for example, a superior already set as an organization administrator).
    • Esri Technical Support can walk an administrator through steps needed to identify existing admin contacts.
  2. If no other administrators are identified, work with your HR department to contact the previous default administrator.
  3. If the previous default administrator is not reachable, attempt to access their user record so that you may promote an existing user to the administrator role or invite a new user into the ArcGIS Online organization to assume the administrator role.
    • If your company is utilizing SAML for authentication: Have your SAML IDP administrator update the former ArcGIS Online administrator’s domain password and access the organization under their account. 
    • If you have access to your previous administrator’s email and security question answer: Use the Forgot Username and Forgot Password links to determine the username and follow the steps to reset the password for the account.
    • If you own the corporate email domain and know the security question answer: Use the steps in the previous bullet point and ask the internal email administrator to intercept emails from “notifications@esri.com”.

Request an Administrator Change with Esri Technical Support

If there aren't any other administrators in your organization and you can't access your previous administrator's user record, Esri Technical Support can upgrade an existing user to default administrator as a last resort. For fastest processing, open a case with Esri Technical Support.

To make the change and preserve the security and integrity of the data in your organization, Esri requires that requests be submitted as a letter from a C-level executive officer or equivalent (for example, your CEO, CIO, CFO, or business owner), including their handwritten signature.

Letter Requirements

  • The letter must contain reference to:
    • If updating an ArcGIS Online user's role, include that individual's name, ArcGIS Online username, and email address. An email alias is not accepted. The email address must be specific to an individual, not a group. 
    • Single-User Organizations Only: If requesting someone new, the email address for the new user (always prioritize corporate domain email addresses over third-party addresses like Gmail or Yahoo). An email alias is not accepted. The email address must be specific to an individual, not a group.
    • The Esri Technical Support case number associated with this request.
    • The subscription number or short URL for the organization.
    • Whether this is a request to update a current user's role or invite someone new.
    • Why the change is necessary.
  • Must be provided on the company's official letterhead.
  • C-level executive (or equivalent for your organization) or business owner's name, title, and email address. An email alias is not accepted. The email address must be specific to an individual, not a group.
  • C-level executive (or equivalent for your organization) or business owner's signature in ink.

After the letter is completed and signed, scan and email the letter to the Esri Technical Support representative handling your case.

How Your Request Will Be Processed

Once the letter has been received, Esri Technical Support will escalate the request and letter of authorization (LOA) for further review. Upon review and approval, Esri will make the requested change. Additionally, we will notify the requestor and the signing executive via email of this change.

Note: 
Once this process has been completed, it is recommended as a best practice to leverage a SAML IDP, or have more than one default administrator at any given time so that future disruptions are avoided.

Article ID: 000031091

Software:
  • ArcGIS Online
