PA-01: Limit Global Administrators to 2-4
Frequently asked questions about implementing and managing the PA-01 security control in Microsoft 365 and Entra ID.
What is PA-01 (Limit Global Administrators to 2-4)?
PA-01 is a security control that limits how many principals hold the Global Administrator role in a Microsoft 365 / Entra ID tenant. Global Administrators have unrestricted access to the entire tenant: too many of them increases the attack surface, too few risks lockout. Service principals and groups holding Global Administrator are especially dangerous, because a service principal can be compromised through its app credentials (client secrets or certificates) and a group hides who actually holds the role. Microsoft recommends 2 to 4 permanent Global Admins for most organizations. The control therefore requires that between 2 and 4 principals hold the Global Administrator role: at least 2 so there is no single point of failure, at most 4 so the attack surface stays small; that no service principal holds Global Administrator (give applications a least-privilege role instead); and that no group holds Global Administrator, since group membership is a hidden privilege-escalation path.
Why is Limit Global Administrators to 2-4 important for Microsoft 365 security?
Global Administrators have unrestricted access to your entire tenant. Too many increases your attack surface; too few risks lockout. Service principals and groups with Global Admin are especially dangerous - service principals can be compromised via app credentials, and groups hide who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.
How do I implement PA-01 in my tenant?
PA-01 requires manual implementation; there is no single tenant setting to toggle. Enumerate the current Global Administrator assignments, remove any service principal or group that holds the role (replace it with a narrower, least-privilege role where the application or team genuinely needs one), and reduce the remaining user assignments to between 2 and 4. Keep at least 2 so a single lost or locked account cannot lock you out of the tenant. Note that the control counts permanent (active) assignments: if you use Privileged Identity Management, eligible assignments do not show up as role members and must be reviewed separately in PIM.
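The check below is an added example written for this page, not TrueConfig's own tooling and not a Microsoft script. It uses the Microsoft Graph PowerShell SDK to list the active members of the Global Administrator role, classifies each as a user, service principal or group, and reports whether the tenant meets PA-01. The role template ID is the well-known constant for Global Administrator; the thresholds of 2 and 4 are taken from the control. The `$minAdmins`/`$maxAdmins` variable names and the output format are this example's own choices.

```powershell
# Added example (not the page's or TrueConfig's own code): evaluate PA-01 against a tenant.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and an
# account allowed to consent to the read-only scopes below.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Well-known role template ID of the built-in Global Administrator role (same in every tenant).
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$minAdmins = 2   # PA-01 minimum: no single point of failure
$maxAdmins = 4   # PA-01 maximum: keep the attack surface small

# Get-MgDirectoryRole only returns roles that are activated in the tenant; Global Administrator
# is activated as soon as anyone holds it, so a missing result means nobody has the role.
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw 'Global Administrator role is not activated in this tenant.' }

# Direct, active members of the role. Users, service principals and groups all appear here;
# PIM *eligible* assignments do not, and must be reviewed separately in PIM.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # The SDK returns generic directory objects; the concrete type is in the OData annotation.
    $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{
        Type        = $type
        DisplayName = $m.AdditionalProperties['displayName']
        Identifier  = switch ($type) {
            'user'             { $m.AdditionalProperties['userPrincipalName'] }
            'servicePrincipal' { $m.AdditionalProperties['appId'] }
            default            { $m.Id }
        }
    }
}
$report | Format-Table -AutoSize

$users             = @($report | Where-Object Type -eq 'user')
$servicePrincipals = @($report | Where-Object Type -eq 'servicePrincipal')
$groups            = @($report | Where-Object Type -eq 'group')

# Evaluate the four PA-01 requirements.
$findings = @()
if ($users.Count -lt $minAdmins) {
    $findings += "Only $($users.Count) user(s) hold Global Administrator; minimum is $minAdmins (lockout risk)."
}
if ($users.Count -gt $maxAdmins) {
    $findings += "$($users.Count) users hold Global Administrator; maximum is $maxAdmins (excess attack surface)."
}
if ($servicePrincipals.Count -gt 0) {
    $findings += "Service principal(s) hold Global Administrator (appId): $($servicePrincipals.Identifier -join ', ')"
}
if ($groups.Count -gt 0) {
    $findings += "Group(s) hold Global Administrator: $($groups.DisplayName -join ', ')"
}

if ($findings.Count -eq 0) {
    'PA-01: PASS'
} else {
    'PA-01: FAIL'
    $findings | ForEach-Object { " - $_" }
}
```

Run it interactively as an administrator; it only reads the directory. Anything it lists under a service principal or group type is a finding regardless of the count, because those are the assignments PA-01 forbids outright; remove them in the Entra admin center under Roles and administrators > Global Administrator, then re-run the script to confirm the user count is within 2 to 4. Group-based assignments are worth a second look before removal: list the group's members first, so you know which people actually lose the role.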
What license do I need for PA-01?
This control can be implemented with any Microsoft 365 subscription, including the free tier of Microsoft Entra ID (formerly Azure AD); reviewing and removing role assignments needs no premium license.
Which security baseline includes PA-01?
PA-01 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
Why is PA-01 marked as critical severity?
PA-01 is rated critical because failure to implement it significantly increases the risk of a security incident. A Global Administrator has unrestricted access to the entire tenant, so every surplus assignment is one more account whose compromise means full-tenant compromise, and too few assignments risk locking the organization out. Service principals and groups holding Global Administrator are the worst cases: a service principal can be taken over through its app credentials without any user being phished, and a group conceals who actually holds the role. Microsoft recommends 2 to 4 permanent Global Admins for most organizations.