Roles

Administrative roles and permissions

6 findings in this category.

• High Excessive Global Administrators Checks for too many Global Administrator accounts (best practice: 2-4)
• Critical Global Admin synced from on-premises Identifies Global Administrators whose accounts are synchronized from on-premises Active Directory.
• High Global Admin with productivity license Identifies Global Administrators that also hold productivity licenses (mailbox, Teams, SharePoint).
• Critical Missing break-glass accounts The tenant has fewer than two cloud-only Global Administrators dedicated as emergency access accounts.
• Medium Over-provisioned administrator roles Identifies users with broad roles (Global Admin, Exchange Admin) who should have more limited role assignments.
• High Permanent privileged role assignments (PIM not used) The tenant has Entra ID P2 (Privileged Identity Management) but still has permanent privileged role assignments. Permanent assignments expose accounts to standing privilege and reduce audit quality.