Over-provisioned administrator roles

Identifies users holding broad roles (Global Admin, Exchange Admin) whose work could be done with a more narrowly scoped role assignment.

Category: Roles
Default severity: Medium
Rule key: CHECK_LEAST_PRIVILEGE_ROLES
Last updated:
How to fix it

Apply the principle of least privilege: assign the narrowest role that covers the task (for example, User Admin rather than Global Admin) whenever the broader permissions are not actually needed.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Directory.Read.All
  • RoleManagement.Read.Directory
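As an added worked example (not EntraAnalyzer's own code), the script below evaluates this rule offline on constructed role-assignment records shaped like the Graph objects the permissions above let a scanner read. The Graph endpoint named in the comment, the role display names used for matching, and the sample tenant are assumptions.

```python
"""Offline evaluation of the over-provisioned administrator roles check on constructed data."""
from collections import defaultdict

RULE_KEY = "CHECK_LEAST_PRIVILEGE_ROLES"
SEVERITY = "Medium"

# Broad roles the rule names, matched by role definition display name (no template IDs assumed).
BROAD_ROLES = {"Global Administrator", "Exchange Administrator"}

# Constructed sample records shaped like Graph unifiedRoleAssignment objects with
# roleDefinition and principal expanded; a live scan would read them from
# GET /roleManagement/directory/roleAssignments?$expand=roleDefinition,principal
SAMPLE_ASSIGNMENTS = [
    {"principalId": "u-alice", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Global Administrator"},
     "principal": {"userPrincipalName": "alice@contoso.example"}},
    {"principalId": "u-bob", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "User Administrator"},
     "principal": {"userPrincipalName": "bob@contoso.example"}},
    {"principalId": "u-carol", "directoryScopeId": "/administrativeUnits/au-sales",
     "roleDefinition": {"displayName": "Exchange Administrator"},
     "principal": {"userPrincipalName": "carol@contoso.example"}},
    {"principalId": "u-dave", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Exchange Administrator"},
     "principal": {"userPrincipalName": "dave@contoso.example"}},
    {"principalId": "u-dave", "directoryScopeId": "/",
     "roleDefinition": {"displayName": "Global Administrator"},
     "principal": {"userPrincipalName": "dave@contoso.example"}},
]

def find_over_provisioned(assignments, broad_roles=BROAD_ROLES):
    """Map principalId -> sorted broad roles held tenant-wide (directoryScopeId '/').
    An assignment scoped to an administrative unit is already narrower, so it is skipped."""
    hits = defaultdict(set)
    for a in assignments:
        role = a.get("roleDefinition", {}).get("displayName")
        if role in broad_roles and a.get("directoryScopeId") == "/":
            hits[a["principalId"]].add(role)
    return {pid: sorted(roles) for pid, roles in hits.items()}

def build_findings(assignments):
    """Turn hits into report rows carrying the rule key and default severity."""
    upn = {a["principalId"]: a.get("principal", {}).get("userPrincipalName", "?")
           for a in assignments}
    return [{"rule": RULE_KEY, "severity": SEVERITY, "principal": upn[pid], "broad_roles": roles}
            for pid, roles in sorted(find_over_provisioned(assignments).items())]

if __name__ == "__main__":
    for f in build_findings(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['principal']} holds {', '.join(f['broad_roles'])}")
```

Bob (User Administrator) and Carol (Exchange Administrator limited to one administrative unit) are not reported; Alice and Dave hold broad roles across the whole tenant and are.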

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.

Get started — free first scan →