PA-01-L2: Eliminate Permanent Global Administrators

Overview

This guide walks you through converting every permanent (active) Global Administrator assignment into a Privileged Identity Management (PIM) eligible assignment, so that no human account holds standing Global Admin. Admins request and activate the role only when they need it, for a limited window, with justification and optional approval. The only accounts that keep permanent Global Admin are your break-glass emergency access accounts.

Control ID: PA-01-L2
Category: Privileged Access
Baseline Level: Level 2 (Enhanced Security)
Severity: Critical
License Required: Microsoft Entra ID P2 (required for PIM; included in Microsoft 365 E5, EMS E5, or Entra ID P2 standalone)

Why This Matters

Permanent Global Admin accounts are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.

A standing Global Administrator credential is valuable to an attacker every hour of every day. Convert those assignments to eligible-only and the credential is dormant for almost the entire day. Even if it is phished, the attacker still has to pass the activation gate (MFA, justification, and any approval you configure) before the role does anything.

Expected State

  • Zero permanent human Global Administrator assignments
  • All Global Admin access is through PIM eligible assignments
  • Only emergency access accounts retain permanent Global Admin

Prerequisites

  • Role Required: Global Administrator or Privileged Role Administrator (to manage PIM role settings and assignments)
  • License Required: Microsoft Entra ID P2 for every user who holds an eligible privileged assignment
  • Access: Microsoft Entra admin center (entra.microsoft.com)
  • Completed Prerequisites: Emergency access (break-glass) accounts must already exist and be verified before you remove any standing access. See PA-03.

Before You Start

  1. Confirm break-glass accounts work. You must be able to sign in with at least one emergency access account that will keep permanent Global Admin. Do not proceed until this is verified.
  2. Inventory current Global Admins. Know exactly who holds the role and why. Some may not need Global Admin at all and should be moved to a least-privilege role instead of made eligible.
  3. Confirm P2 licensing covers each admin who will receive an eligible assignment.

Time Estimate

  • Inventory Global Admin assignments: 15 minutes
  • Configure PIM role settings for Global Administrator: 15 minutes
  • Convert each admin to eligible and remove permanent assignments: 20-40 minutes
  • Verify activation and break-glass exclusions: 15 minutes
  • Total: ~1 to 1.5 hours

TrueConfig Remediation

This control is auto-remediable. TrueConfig can convert permanent Global Administrator assignments to PIM eligible assignments for you using the convert_to_eligible action. The remediation shows a preview of exactly which assignments will change and requires your approval before anything is applied, and it leaves your designated emergency access accounts untouched. You can also run the steps below manually if you prefer to drive the change yourself.

Step-by-Step Instructions

Step 1: Inventory Permanent Global Administrator Assignments

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity governance > Privileged Identity Management > Microsoft Entra roles > Roles.
  3. Select Global Administrator.
  4. Review the Active assignments tab. Every human account listed with an assignment type of Permanent is in scope for this control.
  5. Record which accounts are:
    • Real admins who should become eligible
    • Accounts that do not need Global Admin at all (move to a lower-privilege role later)
    • Your emergency access accounts (these stay permanent; do not convert them)
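The same sorting can be done from a Microsoft Graph export instead of by hand, which is useful for large tenants and for re-running the check in Step 6. The following is an added example, not code from this guide or from TrueConfig. It assumes the JSON shape returned by GET /roleManagement/directory/roleAssignmentSchedules (the PIM-aware view, where a standing assignment has assignmentType "Assigned" with a "noExpiration" expiration, and a current PIM activation has assignmentType "Activated"); the object IDs in the sample are constructed, and the caller supplies the object IDs of the break-glass accounts.

```python
"""Inventory Global Administrator assignments from a Graph roleAssignmentSchedules response.

Added example (not this guide's or TrueConfig's code). Runs offline against a
constructed sample response; swap SAMPLE_RESPONSE for the real Graph JSON.
"""

# Template ID of the built-in Global Administrator role (identical in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def is_permanent(schedule: dict) -> bool:
    """True for a standing (active, never-expiring) assignment."""
    expiration = schedule.get("scheduleInfo", {}).get("expiration", {})
    return (schedule.get("assignmentType") == "Assigned"
            and expiration.get("type") == "noExpiration")


def classify_global_admins(response: dict, break_glass_ids: set) -> dict:
    """Sort Global Administrator schedules into the buckets Step 1 asks for.

    convert     - permanent human assignments that must become eligible
    break_glass - permanent assignments on the emergency access accounts (keep)
    activated   - PIM activations currently in progress (already eligible)
    time_bound  - active assignments with an end date (not permanent)
    """
    buckets = {"convert": [], "break_glass": [], "activated": [], "time_bound": []}
    for schedule in response.get("value", []):
        if schedule.get("roleDefinitionId") != GLOBAL_ADMIN_ROLE_ID:
            continue  # other roles are out of scope for PA-01-L2
        principal = schedule["principalId"]
        if schedule.get("assignmentType") == "Activated":
            buckets["activated"].append(principal)
        elif is_permanent(schedule):
            key = "break_glass" if principal in break_glass_ids else "convert"
            buckets[key].append(principal)
        else:
            buckets["time_bound"].append(principal)
    return buckets


def control_passes(response: dict, break_glass_ids: set) -> bool:
    """Expected state (and the Step 6 check): no permanent Global Admin outside the break-glass set."""
    return not classify_global_admins(response, break_glass_ids)["convert"]


# Constructed sample response: the shape follows Graph, the IDs are made up.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "s1", "principalId": "aaaaaaaa-0000-0000-0000-000000000001",   # human admin, standing
         "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
         "assignmentType": "Assigned", "memberType": "Direct",
         "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
        {"id": "s2", "principalId": "bbbbbbbb-0000-0000-0000-000000000002",   # break-glass, standing
         "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
         "assignmentType": "Assigned", "memberType": "Direct",
         "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
        {"id": "s3", "principalId": "cccccccc-0000-0000-0000-000000000003",   # eligible admin, activated now
         "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
         "assignmentType": "Activated", "memberType": "Direct",
         "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                         "endDateTime": "2024-01-01T11:00:00Z"}}},
        {"id": "s4", "principalId": "dddddddd-0000-0000-0000-000000000004",   # some other role (placeholder ID)
         "roleDefinitionId": "00000000-0000-0000-0000-0000000000ff", "directoryScopeId": "/",
         "assignmentType": "Assigned", "memberType": "Direct",
         "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    ]
}
BREAK_GLASS = {"bbbbbbbb-0000-0000-0000-000000000002"}

if __name__ == "__main__":
    for bucket, principals in classify_global_admins(SAMPLE_RESPONSE, BREAK_GLASS).items():
        print(f"{bucket:12s} {principals}")
    print("control passes:", control_passes(SAMPLE_RESPONSE, BREAK_GLASS))
```

Note that group-based assignments (memberType "Group") are reported per schedule, so a permanent assignment granted through a group shows up here too and still counts as standing access; resolve the group's members before deciding who needs an eligible assignment.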

Step 2: Configure Global Administrator Role Settings in PIM

Set sensible activation guardrails before you convert anyone.

  1. In PIM > Microsoft Entra roles > Roles, select Global Administrator.
  2. Click Role settings > Edit.
  3. Recommended activation settings:
    • Activation maximum duration: 1 to 4 hours
    • Require MFA on activation: Yes (or require phishing-resistant MFA via authentication context)
    • Require justification on activation: Yes
    • Require approval to activate: Yes for Global Administrator (assign approvers)
    • Require ticket information: Optional
  4. Click Update.

Step 3: Create an Eligible Assignment for Each Admin

For each admin who should retain access:

  1. In PIM > Microsoft Entra roles > Roles > Global Administrator, open the Eligible assignments tab.
  2. Click + Add assignments.
  3. Select the user.
  4. On the Setting tab, choose Eligible as the assignment type.
  5. Set an assignment start/end (permanently eligible is acceptable; the activation window is what stays short).
  6. Click Assign.

Step 4: Remove the Permanent (Active) Assignment

Once the admin has a working eligible assignment:

  1. Return to the Active assignments tab for Global Administrator.
  2. Locate the user's Permanent active assignment.
  3. Select Remove and confirm.

Repeat Steps 3 and 4 for each in-scope admin. Do not remove the permanent assignment on your emergency access accounts.
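When many admins are in scope, Steps 3 and 4 are easier to drive (and to preview before applying) as a scripted plan. The following is an added example, not code from this guide or from TrueConfig. It assumes the Microsoft Graph roleEligibilityScheduleRequests and roleAssignmentScheduleRequests resources under /roleManagement/directory and a token holding RoleManagement.ReadWrite.Directory; it only builds the requests, in the required order, and never emits one for a break-glass account. The principal IDs in the usage are constructed.

```python
"""Plan the Graph requests that convert permanent Global Admins to PIM eligible.

Added example (not this guide's or TrueConfig's code). Builds, but does not send,
one eligibility request followed by one removal request per in-scope admin.
"""
from datetime import datetime, timezone

GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"   # built-in role template ID
GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"


def eligibility_request(principal_id: str, justification: str, start: str) -> dict:
    """Step 3: permanently *eligible* assignment; the activation window is what stays short."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/roleEligibilityScheduleRequests",
        "body": {
            "action": "adminAssign",
            "justification": justification,
            "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
            "directoryScopeId": "/",
            "principalId": principal_id,
            "scheduleInfo": {"startDateTime": start,
                             "expiration": {"type": "noExpiration"}},
        },
    }


def removal_request(principal_id: str, justification: str) -> dict:
    """Step 4: remove the standing (active) assignment."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/roleAssignmentScheduleRequests",
        "body": {
            "action": "adminRemove",
            "justification": justification,
            "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
            "directoryScopeId": "/",
            "principalId": principal_id,
        },
    }


def plan_conversion(permanent_ids, break_glass_ids, justification="PA-01-L2 conversion", start=None):
    """Return (requests, skipped).

    For every admin the eligible assignment is created BEFORE the permanent one
    is removed, so nobody loses access in between; break-glass accounts are
    skipped rather than converted.
    """
    start = start or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    requests, skipped = [], []
    for pid in permanent_ids:
        if pid in break_glass_ids:
            skipped.append(pid)
            continue
        requests.append(eligibility_request(pid, justification, start))
        requests.append(removal_request(pid, justification))
    return requests, skipped


def preview(requests, skipped) -> str:
    """Human-readable plan to review before anything is sent."""
    lines = [f"{r['method']} {r['url'].rsplit('/', 1)[-1]} {r['body']['action']} {r['body']['principalId']}"
             for r in requests]
    lines += [f"SKIP break-glass {pid}" for pid in skipped]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: two human admins and one break-glass account, all currently permanent.
    reqs, skipped = plan_conversion(
        ["aaaaaaaa-0000-0000-0000-000000000001",
         "bbbbbbbb-0000-0000-0000-000000000002",
         "cccccccc-0000-0000-0000-000000000003"],
        break_glass_ids={"bbbbbbbb-0000-0000-0000-000000000002"},
    )
    print(preview(reqs, skipped))
```

When you do send the plan, send each pair sequentially and check that the eligibility request reached a completed status before issuing the matching removal; if the eligibility request fails for any reason, leave that admin's permanent assignment in place and stop.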

Step 5: Have Admins Test Activation

  1. Ask each converted admin to go to PIM > My roles > Microsoft Entra roles.
  2. Under Eligible assignments, click Activate next to Global Administrator.
  3. Complete MFA, enter justification, and submit any approval request.
  4. Confirm the role activates and admin tasks work as expected.

Step 6: Confirm Only Break-Glass Accounts Remain Permanent

  1. Go back to Global Administrator > Active assignments.
  2. The only remaining Permanent assignments should be your emergency access accounts.
  3. Any other permanent human assignment still present has not been converted. Return to Step 3 for that account.

Verification Checklist

  • Emergency access accounts are confirmed working before any change
  • All human admins who need Global Admin have an eligible assignment
  • Every permanent Global Admin assignment for those admins has been removed
  • The only remaining permanent Global Admin assignments are break-glass accounts
  • Global Administrator role settings require MFA, justification, and approval on activation
  • At least one admin has successfully activated the role through PIM
  • Accounts that did not need Global Admin were moved to a lower-privilege role, not made eligible

Troubleshooting

"Admin can no longer perform Global Admin tasks"

The admin still holds the role as eligible but has not activated it. Have them activate through PIM > My roles before performing privileged work. If activation is blocked, check the role settings (approval pending, MFA not registered).

"I removed a permanent assignment and now nobody can approve activations"

Make sure you assigned approvers in the role settings (Step 2) before converting people, and that your break-glass account can still sign in with permanent Global Admin to fix the configuration.

"Some accounts still show permanent after conversion"

Emergency access accounts are expected to stay permanent. For any other account, verify you created the eligible assignment first and then removed the correct Active/Permanent entry, not the eligible one.

"PIM options are greyed out or missing"

PIM requires Microsoft Entra ID P2 on the affected users. Confirm licensing. Also confirm you are signed in with a role that can manage PIM (Global Administrator or Privileged Role Administrator).

"Service or automation account needs standing Global Admin"

Interactive standing Global Admin for automation is a red flag. Move the workload to a service principal with least-privilege application permissions, or use a managed identity. Do not leave a human-style permanent Global Admin in place for automation.

Cost Considerations

  • Entra ID P2: Required for PIM. Included in Microsoft 365 E5, EMS E5, or available as an Entra ID P2 standalone add-on. Only users with eligible assignments need P2.
  • Operational: Small ongoing overhead: admins activate before privileged work, approvers respond to activation requests.
  • Risk reduction: Removes standing Global Admin as an attack target, which is one of the highest-value hardening steps available.

Note: You do not need P2 for every user in the tenant, only for those holding eligible privileged assignments. Keeping the Global Admin population small (see PA-01) also keeps P2 licensing cost low.

Related Controls

Additional Resources