High

Global Admin with productivity license

Identifies Global Administrators that also hold productivity licenses (mailbox, Teams, SharePoint).

Category: Roles
Default severity: High
Rule key: CHECK_ADMIN_ACCOUNTS_WITH_LICENSE
Last updated: April 17, 2026

How to fix it

Use dedicated, license-free admin accounts. Regular work should happen from a separate, non-privileged account.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

Directory.Read.All
RoleManagement.Read.Directory
User.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →