PA-01-L2 | Critical | Enhanced Security
Eliminate Permanent Global Administrators
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
Permanent Global Admin accounts are always-on attack targets. With Privileged Identity Management (PIM), admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Zero permanent human Global Administrator assignments
2. All Global Admin access is through PIM eligible assignments
3. Only emergency access accounts retain permanent Global Admin
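One way to check these three criteria offline, as an added example (not TrueConfig's own code). It assumes the records have already been exported in the shape of Microsoft Graph `roleAssignmentScheduleInstance` and `roleEligibilityScheduleInstance` objects; the principal IDs, UPNs, the `HUMANS` lookup and the break-glass allowlist are constructed for illustration.

```python
# Added example: audit Global Administrator assignments against the expected state.
# Records mimic Graph role schedule instances; every sample value is constructed.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID

def audit_global_admins(active, eligible, humans, break_glass):
    """Return (upn, issue) findings for human Global Administrator assignments.

    humans: principalId -> UPN for user accounts (assumed pre-resolved).
    break_glass: principalIds of emergency access accounts (assumed allowlist).
    """
    eligible_ids = {e["principalId"] for e in eligible
                    if e["roleDefinitionId"] == GLOBAL_ADMIN}
    findings = []
    for a in active:
        pid = a["principalId"]
        if a["roleDefinitionId"] != GLOBAL_ADMIN or pid not in humans:
            continue  # other roles and non-human principals are out of scope
        if a["assignmentType"] == "Activated":
            # Criterion 2: an activation needs PIM eligibility and an expiry
            if pid not in eligible_ids or a.get("endDateTime") is None:
                findings.append((humans[pid], "activation without eligibility or expiry"))
        elif pid in break_glass:
            continue  # criterion 3: emergency accounts may stay permanent
        elif a.get("endDateTime") is None:
            findings.append((humans[pid], "permanent assignment"))  # criterion 1
        else:
            findings.append((humans[pid], "direct time-bound assignment outside PIM"))
    return findings

def rec(pid, kind, end=None, role=GLOBAL_ADMIN):
    """Build one constructed assignment record."""
    return {"principalId": pid, "roleDefinitionId": role,
            "assignmentType": kind, "endDateTime": end}

HUMANS = {"u1": "alice@contoso.example", "u2": "bob@contoso.example",
          "u3": "carol@contoso.example", "u9": "breakglass1@contoso.example"}
ACTIVE = [
    rec("u1", "Assigned"),                           # permanent human admin
    rec("u2", "Activated", "2025-01-10T17:00:00Z"),  # PIM activation, expires
    rec("u3", "Assigned", "2025-03-01T00:00:00Z"),   # direct, time-bound
    rec("u9", "Assigned"),                           # emergency access account
    rec("sp1", "Assigned"),                          # not in HUMANS, skipped
    rec("u1", "Assigned", role="constructed-other-role-id"),
]
ELIGIBLE = [rec("u2", "Eligible")]

if __name__ == "__main__":
    for upn, issue in audit_global_admins(ACTIVE, ELIGIBLE, HUMANS, {"u9"}):
        print(f"NON-COMPLIANT {upn}: {issue}")
```

Non-human principals are skipped only because the control's first criterion is scoped to human accounts; they need their own review.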
Enforcement
Default Mode: Auto-Remediate (automatically fixes deviations when safe to do so)
Auto-Remediation: Available (converts permanent assignments to PIM eligible with preview and approval)
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.