PA-01 Moderate

How to Fix: Limit Global Administrators to 2-4

Step-by-step guide to limiting Global Administrators to 2-4 in your Microsoft 365 environment.

Estimated Time: 30-60 minutes

Steps: 4

Severity: critical

Baseline Level: Recommended Secure

Why This Matters

Global Administrators have unrestricted access to your entire tenant. Having too many increases your attack surface; having too few risks lockout. Service principals and groups with Global Admin are especially dangerous: service principals can be compromised via app credentials, and groups hide who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.

Prerequisites

  • Global Administrator or appropriate admin role in Microsoft Entra ID
  • Access to Microsoft Entra admin center (entra.microsoft.com)
  • Privileged Role Administrator role

Expected Configuration

  • Between 2 and 4 principals have the Global Administrator role
  • No single point of failure (minimum 2)
  • Attack surface is minimized (maximum 4)
  • No service principals have Global Administrator (use least-privilege)
  • No groups have Global Administrator (hidden privilege escalation risk)

Remediation Steps

1. Review Current State

Assess your current privileged access configuration in Entra ID.

  • Navigate to Microsoft Entra admin center
  • Go to Identity > Roles and administrators
  • Review current role assignments

2. Plan Changes

Determine what changes need to be made to meet the expected configuration.

  • Identify users with excessive privileges
  • Document required role assignments
  • Plan implementation timeline

3. Implement Configuration

Apply the necessary changes to your Entra ID environment.

  • Configure PIM if applicable
  • Update role assignments
  • Set appropriate access reviews

4. Verify and Test

Confirm the changes are working as expected.

  • Run a TrueConfig scan to verify compliance
  • Test user access with affected accounts
  • Document the changes made
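
The Expected Configuration checks, as an added example (not TrueConfig's code): it evaluates a Microsoft Graph role-assignment listing against the 2-4 limit and the no-service-principal, no-group rules. The function name and the sample data are assumptions constructed for illustration, and only the assignments present in the response are evaluated.

```python
import json

# Well-known role template ID of Global Administrator in Microsoft Entra ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample, shaped like the Microsoft Graph response to
#   GET /roleManagement/directory/roleAssignments
#       ?$filter=roleDefinitionId eq '<GLOBAL_ADMIN_ROLE_ID>'&$expand=principal
# Every ID and display name below is made up; "u-1" is listed twice on purpose.
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-1", "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin One"}},
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-2", "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Two"}},
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-3", "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin Three"}},
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-1", "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin One"}},
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "sp-1", "principal": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "backup-automation"}},
 {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "g-1", "principal": {"@odata.type": "#microsoft.graph.group", "displayName": "Helpdesk Leads"}}
]}
""")

def evaluate_global_admins(response, minimum=2, maximum=4):
    """Return (compliant, findings) for the Expected Configuration rules."""
    principals = {}  # principalId -> (kind, name); de-duplicates repeated rows
    for a in response.get("value", []):
        if a.get("roleDefinitionId") != GLOBAL_ADMIN_ROLE_ID:
            continue
        p = a.get("principal") or {}
        kind = p.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        principals[a["principalId"]] = (kind, p.get("displayName", a["principalId"]))
    findings = []
    count = len(principals)
    if count < minimum:
        findings.append(f"only {count} principal(s): single point of failure")
    if count > maximum:
        findings.append(f"{count} principals exceed the maximum of {maximum}")
    for kind, name in sorted(principals.values()):
        if kind == "servicePrincipal":
            findings.append(f"service principal holds the role: {name}")
        elif kind == "group":
            findings.append(f"group holds the role (members hidden): {name}")
        elif kind != "user":
            findings.append(f"unrecognised principal type {kind!r}: {name}")
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = evaluate_global_admins(SAMPLE_RESPONSE)
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    for finding in findings:
        print(" -", finding)
```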
