PA-01 · Critical · Recommended Secure

Limit Global Administrators to 2-4

Privileged Access control for Microsoft 365 and Entra ID

Why This Control Matters

Global Administrators have unrestricted access to your entire tenant. Having too many increases your attack surface; having too few risks lockout. Microsoft recommends 2-4 permanent Global Admins for most organizations.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. Between 2 and 4 users have the Global Administrator role
  2. No single point of failure (minimum 2)
  3. Attack surface is minimized (maximum 4)
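
One way to check these criteria against a tenant, as an added example that is not TrueConfig's own code. It assumes the Microsoft Graph PowerShell SDK and a session opened with `Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'`; the function names are hypothetical and the sample members are constructed so the evaluation runs offline.

```powershell
# Added example: evaluate the PA-01 expected state (2-4 user Global Administrators).
# Well-known role template ID of the Global Administrator role in Entra ID.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Test-GlobalAdminCount {   # hypothetical name
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        [int] $Min = 2,   # below this: single point of failure
        [int] $Max = 4    # above this: attack surface too large
    )
    # Only user principals count toward the range. Groups and service principals
    # holding the role are listed separately, because they need manual review.
    $users  = @($Members | Where-Object { $_.Type -eq '#microsoft.graph.user' })
    $others = @($Members | Where-Object { $_.Type -ne '#microsoft.graph.user' })
    $status = if ($users.Count -lt $Min) { 'TooFew' } elseif ($users.Count -gt $Max) { 'TooMany' } else { 'Compliant' }
    [pscustomobject]@{
        Status         = $status
        UserCount      = $users.Count
        Users          = @($users.Name)
        NonUserMembers = @($others.Name)
    }
}

function Get-GlobalAdminMember {   # hypothetical name; needs a connected Graph session
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $props = $_.AdditionalProperties
        $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
        [pscustomobject]@{ Name = $name; Type = $props['@odata.type'] }
    }
}

# Constructed sample members (not real tenant data): five users and one service principal.
$sample = @(
    [pscustomobject]@{ Name = 'admin1@contoso.example';     Type = '#microsoft.graph.user' }
    [pscustomobject]@{ Name = 'admin2@contoso.example';     Type = '#microsoft.graph.user' }
    [pscustomobject]@{ Name = 'admin3@contoso.example';     Type = '#microsoft.graph.user' }
    [pscustomobject]@{ Name = 'helpdesk@contoso.example';   Type = '#microsoft.graph.user' }
    [pscustomobject]@{ Name = 'breakglass@contoso.example'; Type = '#microsoft.graph.user' }
    [pscustomobject]@{ Name = 'Sync Automation App';        Type = '#microsoft.graph.servicePrincipal' }
)
Test-GlobalAdminCount -Members $sample

# Against a live tenant: Test-GlobalAdminCount -Members @(Get-GlobalAdminMember)
```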

Enforcement

Default Mode: Advisory. Alerts on deviations but does not make changes.

Auto-Remediation: Manual Only. Review and adjust Global Administrator assignments manually.

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.