Limit Global Administrators to 2-4
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
Global Administrators have unrestricted access to your entire tenant. Too many increases your attack surface; too few risks lockout. Service principals and groups with Global Admin are especially dangerous - service principals can be compromised via app credentials, and groups hide who actually has the role. Microsoft recommends 2-4 permanent Global Admins for most organizations.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1Between 2 and 4 principals have the Global Administrator role
- 2No single point of failure (minimum 2)
- 3Attack surface is minimized (maximum 4)
- 4No service principals have Global Administrator (use least-privilege)
- 5No groups have Global Administrator (hidden privilege escalation risk)
Enforcement
Alerts on deviations but does not make changes
Review and adjust Global Administrator assignments manually. Remove service principals and groups.
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.