PA-01: Limit Global Administrators to 2-4
Overview
This guide walks you through right-sizing the number of Global Administrators in your Microsoft Entra ID tenant. The goal is to keep between 2 and 4 permanent Global Administrators, remove any service principals or groups that hold the role, and ensure accountability for every remaining assignment.
Why This Matters: Global Administrators have unrestricted access to your entire tenant. Too many increases your attack surface; too few risks lockout. Service principals and groups with Global Admin are especially dangerous - service principals can be compromised via app credentials, and groups hide who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.
- Control ID: PA-01
- Category: Privileged Access
- Baseline Level: Level 1 (Recommended Secure)
- Severity: Critical
- License Required: None
- Remediation: Advisory / manual review
Expected State
- Between 2 and 4 principals have the Global Administrator role
- No single point of failure (minimum 2)
- Attack surface is minimized (maximum 4)
- No service principals have Global Administrator (use least-privilege)
- No groups have Global Administrator (hidden privilege escalation risk)
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Global Administrator or Privileged Role Administrator |
| License Required | None (this control works on any Microsoft 365 tenant) |
| Access | Microsoft Entra admin center |
Important: Keep at least 2 Global Administrators at all times, including your emergency access (break-glass) accounts. Never reduce below 2 or you risk locking your organization out of tenant administration.
Time Estimate
20-30 minutes for a typical tenant
- Review current assignments: 10 minutes
- Remove service principals, groups, and unnecessary users: 10-15 minutes
- Verification: 5 minutes
Step-by-Step Instructions
Step 1: Review Current Global Administrator Assignments
- Navigate to entra.microsoft.com
- Go to Identity > Roles & administrators > Roles
- Search for and click Global Administrator
- Click the Assignments tab
Document every principal that holds the role. For each one, record:
- Display name
- Principal type (User, Group, or Service Principal)
- Assignment type (Eligible or Active/Permanent)
Count the total. If you have more than 4, or fewer than 2, or any groups or service principals hold the role, remediation is needed.
Step 2: Identify Your Emergency Access Accounts
Before removing anything, confirm which assignments are your break-glass accounts. These are cloud-only accounts that must retain permanent Global Administrator access to prevent tenant lockout.
- Typical names: emergency.access.1@yourdomain.onmicrosoft.com, BreakGlass1@yourdomain.onmicrosoft.com
- These count toward your 2-4 total and should never be removed here
If you do not yet have emergency access accounts, complete the PA-03: Configure Emergency Access Accounts guide first.
Step 3: Remove Service Principals from Global Administrator
Service principals should not hold Global Administrator. A compromised app credential would grant an attacker full tenant control, and service principals authenticate without MFA.
For each service principal in the assignments list:
- On the Global Administrator > Assignments tab, find the service principal
- Click the ... menu next to it
- Select Remove
- Confirm the removal
Replace Global Admin with least-privilege application permissions scoped to only what the app actually needs (for example specific Microsoft Graph permissions rather than the directory-wide admin role).
Step 4: Remove Groups from Global Administrator
Groups assigned to Global Administrator hide who effectively holds the role and create a hidden privilege-escalation path (anyone who can edit the group can grant themselves admin).
For each group in the assignments list:
- Review the group membership so you know who currently inherits the role
- On the Global Administrator > Assignments tab, click the ... menu next to the group
- Select Remove
- Confirm the removal
- Re-assign the role directly to the individual users who genuinely need it (so each assignment is accountable), keeping within the 2-4 limit
Step 5: Remove Unnecessary User Assignments
If, after removing service principals and groups, you still have more than 4 Global Administrators:
- Review each remaining user against a genuine business need for full tenant control
- For users who do not need Global Admin, assign a least-privilege role instead (for example User Administrator, Security Administrator, or a scoped role) and remove the Global Administrator assignment
- Aim to land between 2 and 4 total permanent Global Administrators
Step 6: Add Global Administrators If Below Minimum
If you have fewer than 2 Global Administrators (a single point of failure):
- Ensure you have at least 2 emergency access accounts configured per PA-03
- Assign the Global Administrator role to a second trusted, dedicated admin account so no single account is your only path to tenant administration
Verification Checklist
- Total Global Administrators is between 2 and 4
- No service principals hold the Global Administrator role
- No groups hold the Global Administrator role
- Every remaining Global Administrator is an individual, accountable user or a documented emergency access account
- At least 2 Global Administrators exist (no single point of failure)
- Users who did not need Global Admin were reassigned to least-privilege roles
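The checklist above can be evaluated programmatically against the same assignment data the admin center shows. The following is an added example, not part of the PA-01 guide: it reads Global Administrator role assignments in the shape Microsoft Graph returns from `GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=principal` (the well-known Global Administrator role template ID), counts principals by type, and reports every deviation from the expected state, including whether the named break-glass accounts still hold the role. The sample assignments, the break-glass UPNs, and the tenant domain are constructed for illustration; the `fetch_global_admin_assignments` helper needs a real access token with `RoleManagement.Read.Directory` and is not exercised by the offline sample.

```python
"""Audit permanent Global Administrator assignments against the PA-01 expected state.

Added example for the PA-01 guide, not the guide's own tooling. Input records follow
the Microsoft Graph unifiedRoleAssignment object with $expand=principal; all sample
data below is constructed.
"""
import json
import urllib.parse
import urllib.request

# Well-known Global Administrator role template ID (identical in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MIN_ADMINS = 2   # below this: single point of failure / lockout risk
MAX_ADMINS = 4   # above this: unnecessary attack surface

# Graph principal types as they appear in the expanded principal's @odata.type.
PRINCIPAL_TYPES = {
    "#microsoft.graph.user": "User",
    "#microsoft.graph.group": "Group",
    "#microsoft.graph.servicePrincipal": "Service Principal",
}


def fetch_global_admin_assignments(access_token: str) -> list:
    """Fetch live permanent Global Administrator assignments from Microsoft Graph.

    Requires a bearer token with RoleManagement.Read.Directory (or Directory.Read.All).
    Eligible (PIM) assignments are not returned by this endpoint; only active ones are.
    """
    query = urllib.parse.urlencode(
        {"$filter": f"roleDefinitionId eq '{GLOBAL_ADMIN_ROLE_ID}'", "$expand": "principal"},
        quote_via=urllib.parse.quote,  # encode spaces as %20, not '+'
    )
    url = f"https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def summarize_assignments(assignments: list) -> list:
    """Reduce raw assignments to (display name, principal type) rows for the Step 1 inventory."""
    rows = []
    for assignment in assignments:
        principal = assignment["principal"]
        kind = PRINCIPAL_TYPES.get(principal.get("@odata.type"), "Unknown")
        name = (principal.get("userPrincipalName")
                or principal.get("displayName")
                or principal["id"])
        rows.append((name, kind))
    return rows


def evaluate_pa01(assignments: list, break_glass_upns: set) -> dict:
    """Return a findings dict; 'compliant' is True only when every checklist item passes."""
    rows = summarize_assignments(assignments)
    users = [name for name, kind in rows if kind == "User"]
    groups = [name for name, kind in rows if kind == "Group"]
    service_principals = [name for name, kind in rows if kind == "Service Principal"]
    present_users = {u.lower() for u in users}
    missing_break_glass = sorted(u for u in break_glass_upns if u.lower() not in present_users)
    total = len(rows)
    findings = {
        "total": total,
        "too_few": total < MIN_ADMINS,
        "too_many": total > MAX_ADMINS,
        "service_principals": service_principals,
        "groups": groups,
        "missing_break_glass": missing_break_glass,
    }
    findings["compliant"] = not (
        findings["too_few"] or findings["too_many"]
        or service_principals or groups or missing_break_glass
    )
    return findings


def _make(principal_type: str, **fields) -> dict:
    """Build one constructed assignment record in Graph's expanded shape."""
    return {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
            "principal": {"@odata.type": principal_type, **fields}}


# Constructed sample tenant: 5 users (2 break-glass), 1 group, 1 service principal.
SAMPLE_BREAK_GLASS = {"emergency.access.1@contoso.onmicrosoft.com",
                      "emergency.access.2@contoso.onmicrosoft.com"}
SAMPLE_ASSIGNMENTS = [
    _make("#microsoft.graph.user", id="u1", userPrincipalName="emergency.access.1@contoso.onmicrosoft.com"),
    _make("#microsoft.graph.user", id="u2", userPrincipalName="emergency.access.2@contoso.onmicrosoft.com"),
    _make("#microsoft.graph.user", id="u3", userPrincipalName="adm-alice@contoso.onmicrosoft.com"),
    _make("#microsoft.graph.user", id="u4", userPrincipalName="adm-bob@contoso.onmicrosoft.com"),
    _make("#microsoft.graph.user", id="u5", userPrincipalName="carol@contoso.onmicrosoft.com"),
    _make("#microsoft.graph.group", id="g1", displayName="IT Admins"),
    _make("#microsoft.graph.servicePrincipal", id="s1", displayName="Backup Automation App"),
]

if __name__ == "__main__":
    for name, kind in summarize_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{kind:18} {name}")
    print(json.dumps(evaluate_pa01(SAMPLE_ASSIGNMENTS, SAMPLE_BREAK_GLASS), indent=2))
```

Run against the sample, the audit reports 7 principals (over the maximum), one group and one service principal to remove, and confirms both break-glass accounts are still assigned; after Steps 3 to 5 reduce the list to the two break-glass accounts plus one or two individual admins, the same function returns `compliant: True`.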
Troubleshooting
"I can't remove the last Global Administrator"
This is expected. Microsoft requires at least one Global Administrator at all times. Ensure your emergency access accounts are assigned before removing any other principals, and never drop below 2.
"A service principal needs directory access to function"
It almost never needs full Global Administrator. Identify the specific Microsoft Graph application permissions the app requires and grant those instead. If the app truly needs a directory role, choose the most limited role that covers its task rather than Global Administrator.
"Removing a group broke someone's access"
Group-based Global Admin hides who relied on it. After removing the group, re-assign the Global Administrator role directly to the individual users who genuinely need it, keeping the total within 2-4. This makes each assignment visible and accountable.
"We legitimately need more than 4 admins"
Reassess whether those users need full tenant control or a narrower role. If you operate a large or federated environment, consider just-in-time access instead of permanent assignments (see PA-01-L2 and PA-04 below) rather than growing the permanent Global Admin count.
Cost Considerations
| Component | Cost Impact |
|---|---|
| This control | Free - uses the built-in Microsoft Entra admin center. No license required. |
| Least-privilege roles | Free - reassigning users to narrower built-in roles has no license cost |
This is a no-cost hygiene control. It reduces attack surface and lockout risk without any additional licensing.
Related Controls
- PA-02: Use Dedicated Admin Accounts - Ensure the remaining admins use separate, dedicated admin accounts
- PA-03: Configure Emergency Access Accounts - Keep the break-glass accounts that make up part of your 2-4 minimum
- PA-04: Require PIM for All Privileged Roles - Move remaining privileged access to just-in-time activation
Level 2 escalation: At the Enhanced Security baseline, control PA-01-L2 (Eliminate Permanent Global Administrators) goes further by converting standing Global Admin assignments to PIM-eligible access, so that no human holds permanent Global Admin except emergency accounts. That is a separate Level 2 control (requires Entra ID P2) - this PA-01 control only right-sizes and cleans up the permanent assignments.