
# The number of users with highly privileged roles shall be limited

## Description

Global Administrator is the highest privileged role in Azure AD because it provides unfettered access to the tenant. Therefore, if a user’s credential with these permissions were to be compromised, it would present grave risks to the security of the tenant. Limit the number of users that are assigned the role of Global Administrator. Assign users to finer-grained administrative roles that they need to perform their duties instead of being assigned the Global Administrator role.

## Policy

* A minimum of two users and a maximum of four users SHALL be provisioned with the Global Administrator role.

## Licensing Considerations

All License models support configuration of roles.

## Set Up Instructions

1. In the Azure Portal, navigate to **Azure Active Directory.**
2. Select **Roles and administrators.**
3. Select the **Global administrator role.**
4. Under Manage, select **Assignments.**
5. Validate that between two and four users are listed.
   1. If you use Azure AD PIM, check both the **Eligible assignments** and **Active assignments** tabs. The total across both tabs (not each tab individually) should be two to four users.
   2. If any groups are listed, check how many users are members of each group and include them in the total count.
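The same check can be scripted so it runs on a schedule rather than by hand. The following is an added example (not the page's own script) that uses the Microsoft Graph PowerShell SDK to collect active members, PIM eligible assignments and users reached through any assigned group, then compares the deduplicated count against the two-to-four policy. It assumes `Install-Module Microsoft.Graph` has been run and that the signed-in account can read role management data.

```powershell
# Added example: count distinct users holding Global Administrator and check the 2-4 policy.
# Assumes the Microsoft.Graph PowerShell SDK is installed and Connect-MgGraph can consent to the scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

function Get-GlobalAdminUserIds {
    # Global Administrator is always an activated directoryRole, so a name lookup is safe
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
    $principals = @()

    # Active assignments (permanent and PIM active) appear as members of the directoryRole
    $principals += Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    # PIM eligible assignments live in the role management API; tenants without PIM get an error here
    try {
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
            -Filter "roleDefinitionId eq '$($role.RoleTemplateId)'" -All
        $principals += $eligible | ForEach-Object { Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId }
    } catch {
        Write-Verbose "PIM eligibility query failed (no Azure AD P2?): $($_.Exception.Message)"
    }

    # Deduplicate users across both tabs and expand groups transitively, as step 5 requires
    $userIds = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($p in $principals) {
        switch ($p.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { [void]$userIds.Add($p.Id) }
            '#microsoft.graph.group' {
                Get-MgGroupTransitiveMember -GroupId $p.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                    ForEach-Object { [void]$userIds.Add($_.Id) }
            }
            # Service principals holding the role are not users; surface them rather than count them
            default { Write-Warning "Non-user principal holds Global Administrator: $($p.Id)" }
        }
    }
    return @($userIds)
}

$admins = @(Get-GlobalAdminUserIds)
foreach ($id in $admins) {
    Get-MgUser -UserId $id -Property DisplayName, UserPrincipalName |
        Select-Object DisplayName, UserPrincipalName
}
if ($admins.Count -lt 2 -or $admins.Count -gt 4) {
    Write-Warning "Global Administrator count is $($admins.Count); policy requires between 2 and 4."
} else {
    Write-Host "Global Administrator count is $($admins.Count) (within policy)."
}
```

Run it with `-Verbose` to see why the eligibility query was skipped in tenants without PIM.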

## End-User Impact

{% hint style="info" %}
Level: <mark style="color:green;">Low</mark>
{% endhint %}

Impact is limited to users who hold the Global Administrator role. If you need to reduce the number of admins, review the level of access each one actually requires today and assign them roles with fewer permissions.

{% hint style="info" %}
Tips

Leverage PIM (requires Azure AD P2 licensing) to provide eligible assignments for privileged roles instead of permanent assignments.
{% endhint %}

## PowerShell Scripts

PowerShell for PIM: [PowerShell for Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles)

365 Admin Report: [Export Office 365 Admin Role Report using PowerShell (o365reports.com)](https://o365reports.com/2021/03/02/Export-Office-365-admin-role-report-powershell/)

## Videos

{% embed url="https://www.youtube.com/watch?v=JyA2bMeWw5o" %}
