Excessive Global Administrators
Checks for too many Global Administrator accounts (best practice: 2-4)
Why this matters
The Global Administrator role grants unrestricted access to every service and setting in your Microsoft 365 tenant. Each account with this role is a high-value target for attackers — if even one is compromised, the entire tenant is at risk.
What we found
Your tenant has more Global Administrator accounts than Microsoft recommends (Microsoft's own guidance is to assign the role to fewer than five people). The best practice is to maintain 2–4 accounts: at least two so that a single locked-out or compromised account does not leave you without tenant-level recovery (the break-glass pair), but no more than four to limit the attack surface.
Why is it a security risk?
- Every additional Global Admin account is another potential entry point for attackers.
- Compromised Global Admin credentials allow full control — including creating new admins, reading all mail, and exfiltrating data.
- Too many admins makes it harder to track who made which changes and increases the likelihood of accidental misconfiguration.
Recommended next steps
- Go to Microsoft Entra admin center → Roles and administrators → Global Administrator and review all assigned members.
- For each account, determine whether Global Admin is truly required or if a less privileged role would suffice (e.g., User Administrator, Exchange Administrator).
- Keep 2 dedicated emergency access (break-glass) accounts that are cloud-only and excluded from Conditional Access so that a policy misconfiguration cannot lock every administrator out. Because they bypass those controls, protect them with phishing-resistant credentials, store their secrets offline, and alert on every sign-in.
- Enable Privileged Identity Management (PIM) so that the remaining assignments are eligible rather than permanently active, time-limited on activation, and require approval.
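The review above is easier to do once for the whole tenant than one member at a time in the portal. The following script is an added example, not EntraAnalyzer's own code: it enumerates every principal that can act as Global Administrator (active assignments, PIM-eligible assignments, and members of role-assignable groups), flags accounts synced from on-premises AD, and compares the total against the 2–4 band. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in user can consent to the two read-only scopes listed on this page; the function name `Resolve-Holder` and the output column names are this example's own.

```powershell
# Added example (not EntraAnalyzer's own code). Requires the Microsoft.Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Built-in Global Administrator role. Its template ID is the same in every tenant and
# is also the roleDefinitionId used by the unified role management API.
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Active assignments. A PIM assignment that is currently activated appears here too,
# so this is the set of principals that can act right now.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$gaRoleId'"

# Eligible (PIM) assignments. Not active at this moment, but activation is one request
# away, so they still count toward the attack surface.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaRoleId'"

# Resolve a principal ID into one or more rows, expanding groups transitively.
# (Hypothetical helper written for this example.)
function Resolve-Holder {
    param([string]$PrincipalId, [string]$AssignmentType, [string]$Via = 'direct')

    $obj = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId
    switch ($obj.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.group' {
            # Role-assignable group: every transitive member inherits the role.
            $name = $obj.AdditionalProperties['displayName']
            Get-MgGroupTransitiveMember -GroupId $PrincipalId -All | ForEach-Object {
                Resolve-Holder -PrincipalId $_.Id -AssignmentType $AssignmentType -Via "group:$name"
            }
        }
        '#microsoft.graph.user' {
            $u = Get-MgUser -UserId $PrincipalId -Property Id, UserPrincipalName, OnPremisesSyncEnabled
            [pscustomobject]@{
                Id         = $u.Id
                Principal  = $u.UserPrincipalName
                Type       = 'user'
                Assignment = $AssignmentType
                Via        = $Via
                # Break-glass accounts should be cloud-only: a synced account also
                # inherits whatever the on-premises directory's admins can do to it.
                CloudOnly  = -not [bool]$u.OnPremisesSyncEnabled
            }
        }
        default {
            # Service principals (and any other object type) can hold the role as well.
            [pscustomobject]@{
                Id         = $obj.Id
                Principal  = $obj.AdditionalProperties['displayName']
                Type       = ($obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                Assignment = $AssignmentType
                Via        = $Via
                CloudOnly  = $true
            }
        }
    }
}

$holders  = @()
$holders += $active   | ForEach-Object { Resolve-Holder -PrincipalId $_.PrincipalId -AssignmentType 'active' }
$holders += $eligible | ForEach-Object { Resolve-Holder -PrincipalId $_.PrincipalId -AssignmentType 'eligible' }

# One identity may arrive by several paths (direct and via a group); count distinct IDs.
$distinct = $holders | Sort-Object Id -Unique
$holders | Sort-Object Assignment, Principal |
    Format-Table Principal, Type, Assignment, Via, CloudOnly -AutoSize

$n = @($distinct).Count
if ($n -gt 4)     { Write-Warning "FAIL: $n principals can act as Global Administrator (best practice: 2-4)." }
elseif ($n -lt 2) { Write-Warning "WARN: only $n Global Administrator principal(s); keep two break-glass accounts." }
else              { Write-Host    "PASS: $n Global Administrator principals." }

$synced = $distinct | Where-Object { $_.Type -eq 'user' -and -not $_.CloudOnly }
if ($synced) { Write-Warning "Synced (not cloud-only) accounts hold Global Administrator: $($synced.Principal -join ', ')" }
```

Counting eligible assignments and group members alongside direct members is deliberate: the portal's member list for the role shows only what is active at that moment, which understates how many identities an attacker could use to reach Global Administrator.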
How to fix it
Limit Global Administrator assignments to 2-4 accounts in total, two of which are the dedicated break-glass accounts; move everyone else to a less privileged role or to a PIM-eligible assignment.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
- Directory.Read.All
- RoleManagement.Read.Directory
Further reading
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
Get started — free first scan →