The number of users with highly privileged roles shall be limited
Description
Global Administrator is the highest privileged role in Azure AD because it provides unfettered access to the tenant. Therefore, if a user’s credential with these permissions were to be compromised, it would present grave risks to the security of the tenant. Limit the number of users that are assigned the role of Global Administrator. Assign users to finer-grained administrative roles that they need to perform their duties instead of being assigned the Global Administrator role.
Policy
A minimum of two users and a maximum of four users SHALL be provisioned with the Global Administrator role.
Licensing Considerations
All License models support configuration of roles.
Set Up Instructions
In the Azure Portal, navigate to Azure Active Directory.
Select Roles and administrators.
Select the Global administrator role.
Under Manage, select Assignments.
Validate that between two to four users are listed.
For those who have Azure AD PIM, they will need to check both the Eligible assignments and Active assignments tabs. There should be a total of two to four users across both of these tabs (not individually).
If any groups are listed, need to check how many users are members of each group and include that in the total count.
End-User Impact
Level: Low
Impact is limited to users who have the Global Administrator role. If they do have these roles and you need to reduce the number of admins, you can see what levels of access they require today and give them roles with less permissions.
Tips
Leverage PIM (need Azure AD P2 licensing) to provide eligible assignments for privileged roles vs permanent assignments.
PowerShell Scripts
PowerShell for PIM: PowerShell for Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn
365 Admin Report: Export Office 365 Admin Role Report using PowerShell (o365reports.com)
Videos
Last updated