Global Admin synced from on-premises
Identifies Global Administrators whose accounts are synchronized from on-premises Active Directory.
How to fix it
Use cloud-only accounts for all privileged roles, so that a compromise of on-premises Active Directory does not directly compromise the cloud tenant.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
Directory.Read.All
RoleManagement.Read.Directory
User.Read.All
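The rule's logic, written out as an added example over data shaped like Microsoft Graph role assignments and directory objects. This is not EntraAnalyzer's code: the sample records, user names, the placeholder role ID and the helper name `synced_global_admins` are constructed for illustration, and the data is assumed to have been fetched already.

```python
# Role template ID of the built-in Global Administrator role in Microsoft Entra ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
OTHER_ROLE_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder

USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

# Constructed sample data (not from a real tenant).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "principalId": "u1"},
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "principalId": "u2"},
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "principalId": "g1"},
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "principalId": "sp1"},
    {"roleDefinitionId": OTHER_ROLE_ID, "principalId": "u4"},
]
SAMPLE_PRINCIPALS = {
    "u1": {"@odata.type": USER, "userPrincipalName": "alice@example.com", "onPremisesSyncEnabled": True},
    "u2": {"@odata.type": USER, "userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": None},
    "u3": {"@odata.type": USER, "userPrincipalName": "carol@example.com", "onPremisesSyncEnabled": True},
    "u4": {"@odata.type": USER, "userPrincipalName": "dave@example.com", "onPremisesSyncEnabled": True},
    "g1": {"@odata.type": GROUP, "displayName": "Tier0-Admins", "members": ["u3"]},
    "sp1": {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "automation"},
}

def synced_global_admins(assignments, principals):
    """Return sorted UPNs of users who hold Global Administrator, directly or
    through a group assignment, and are synchronized from on-premises AD."""
    findings, seen = set(), set()
    # Start from every principal that holds the Global Administrator role.
    stack = [a["principalId"] for a in assignments
             if a["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID]
    while stack:
        pid = stack.pop()
        if pid in seen or pid not in principals:
            continue
        seen.add(pid)
        obj = principals[pid]
        if obj["@odata.type"] == GROUP:
            # A group assignment grants the role to each member: expand it.
            stack.extend(obj.get("members", []))
        elif obj["@odata.type"] == USER:
            # Only a literal true means "currently synced"; null or false
            # means the account is managed in the cloud.
            if obj.get("onPremisesSyncEnabled") is True:
                findings.add(obj["userPrincipalName"])
    return sorted(findings)

if __name__ == "__main__":
    print(synced_global_admins(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPALS))
```

Service principals and users holding only other roles are ignored, and a user who reaches the role through a group is reported the same way as a direct assignee.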
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.