PA-01 · Moderate

How to Fix: Limit Global Administrators to 2-4

Step-by-step guide to limiting Global Administrators to 2-4 in your Microsoft 365 environment.

  • Estimated Time: 30-60 minutes
  • Steps: 4
  • Severity: critical
  • Baseline Level: Recommended Secure

Why This Matters

Global Administrators have unrestricted access to your entire tenant. Too many increase your attack surface; too few risk lockout. Service principals and groups holding Global Administrator are especially dangerous: a service principal can be compromised through its app credentials, and a group hides who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.

Prerequisites

  • Global Administrator or appropriate admin role in Microsoft Entra ID
  • Access to Microsoft Entra admin center (entra.microsoft.com)
  • Privileged Role Administrator role

Expected Configuration

  • Between 2 and 4 principals have the Global Administrator role
  • No single point of failure (minimum 2)
  • Attack surface is minimized (maximum 4)
  • No service principals have Global Administrator (use least-privilege)
  • No groups have Global Administrator (hidden privilege escalation risk)
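
The Expected Configuration above can be checked mechanically against an export of the role's assignments. This is an added example, not TrueConfig's code or part of the original guide: it assumes the assignments were read from Microsoft Graph with the principal expanded, runs on a constructed sample response, and `evaluate_pa01` is a hypothetical helper name.

```python
import json

# Well-known Global Administrator role template ID (identical in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MIN_ADMINS, MAX_ADMINS = 2, 4  # bounds from the Expected Configuration list

# Constructed sample, shaped like the Microsoft Graph response to
# GET /v1.0/roleManagement/directory/roleAssignments
#     ?$filter=roleDefinitionId eq '<role id>'&$expand=principal
SAMPLE = json.loads("""{"value": [
  {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-1",
   "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin One"}},
  {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-2",
   "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Break Glass"}},
  {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "sp-1",
   "principal": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "Sync App"}},
  {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "g-1",
   "principal": {"@odata.type": "#microsoft.graph.group", "displayName": "IT Ops"}},
  {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "principalId": "u-1",
   "principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Admin One"}}
]}""")


def evaluate_pa01(response):
    """Return (compliant, findings) for the Global Administrator assignments."""
    principals = {}  # principalId -> (type, name); de-duplicates repeat assignments
    for a in response.get("value", []):
        if a.get("roleDefinitionId") != GLOBAL_ADMIN_ROLE_ID:
            continue  # ignore other roles if the caller did not filter
        p = a.get("principal") or {}
        kind = p.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        principals[a["principalId"]] = (kind, p.get("displayName", a["principalId"]))

    findings = []
    count = len(principals)
    if count < MIN_ADMINS:
        findings.append(f"only {count} Global Administrator(s): lockout risk")
    if count > MAX_ADMINS:
        findings.append(f"{count} Global Administrators: exceeds maximum of {MAX_ADMINS}")
    for kind, name in principals.values():
        if kind in ("servicePrincipal", "group"):
            findings.append(f"{kind} holds the role: {name}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = evaluate_pa01(SAMPLE)
    print("PA-01 compliant" if ok else "PA-01 findings:", *findings, sep="\n  ")
```

A group is counted as one principal and its members are not expanded, which is why any group assignment is reported as a finding rather than resolved to a head count.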

Remediation Steps

1. Review Current State

Assess your current privileged access configuration in Entra ID.

  • Navigate to Microsoft Entra admin center
  • Go to Identity > Roles and administrators
  • Review current role assignments

2. Plan Changes

Determine what changes need to be made to meet the expected configuration.

  • Identify users with excessive privileges
  • Document required role assignments
  • Plan implementation timeline

3. Implement Configuration

Apply the necessary changes to your Entra ID environment.

  • Configure PIM if applicable
  • Update role assignments
  • Set appropriate access reviews

4. Verify and Test

Confirm the changes are working as expected.

  • Run a TrueConfig scan to verify compliance
  • Test user access with affected accounts
  • Document the changes made
