🛡️ Microsoft Entra ID Global Administrator Role assigned to more than 4 users🟢⚪

• Contextual name: 🛡️ Global Administrator Role assigned to more than 4 users🟢⚪
• ID: /ce/ca/azure/microsoft-entra-id/global-administrator-role-assigned-to-more-than-4-users
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Description

Open File

Description

This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.

Rationale

The Global Administrator role has extensive privileges across all services in Microsoft Entra ID. The Global Administrator role should never be used in regular daily activities; administrators should have a regular user account for daily activities, and a separate account for administrative responsibilities. Limiting the number of Global Administrators helps mitigate the risk of unauthorized access, reduces the potential impact of human error, and aligns with the principle of least privilege to reduce the attack surface of an Azure tenant. Conversely, having at least two Global Administrators ensures that administrative functions can be performed without interruption in case of unavailability of a single admin.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. From Azure Home select the Portal Menu.
2. Select Microsoft Entra ID.
3. Under Manage, select Roles and administrators.
4. Under Administrative Roles, select Global Administrator.

If more than 4 users are assigned

1. Remove Global Administrator role for users which do not or no longer require the role.
2. Assign Global Administrator role via PIM which can be activated when required.
3. Assign more granular roles to users to conduct their duties.

If only one user is assigned

1. Provide the Global Administrator role to a trusted user or create a break glass admin account.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v2.1.0 → 💼 1.25 Ensure fewer than 5 users have global administrator assignment - Level 1 (Manual)			1		no data
💼 CIS Azure v3.0.0 → 💼 2.26 Ensure fewer than 5 users have global administrator assignment (Manual)			1		no data
💼 CIS Azure v4.0.0 → 💼 6.26 Ensure fewer than 5 users have global administrator assignment (Manual)			1		no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management			13		no data