Introduction
Managing Global Administrators in Microsoft 365 is a strategic priority for IT professionals. These accounts have the highest level of privileges and are the preferred targets of cyberattacks. This article guides you on the optimal number of global admins and best practices for securing these critical accounts.
How Many Global Admins Should I Have in Microsoft 365?
Microsoft officially recommends maintaining between two and four global admins in your tenant. This principle aims to:
- Prevent a single point of failure in case of account lockout or incident.
- Reduce the attack surface targeting high-privilege accounts.
When you exceed the threshold of four global admins, risks increase significantly:
- Compromise via phishing or session hijacking: the probability of success for an attacker increases as the number of global admins grows.
- If you have only one global admin, you run the risk of critical scenarios such as complete tenant shutdown (MFA loss, abrupt departure, or security lockout).
Beware of Risks
An excess of global admins increases your vulnerability to cyberattacks. Ensure you limit privileges to the strict minimum.
Best Practices for Global Admin Accounts
The best approach is to have no permanent global admin accounts used daily. Instead, use Privileged Identity Management (PIM) to temporarily assign these privileges based on specific needs.
Why Not Maintain Constant Privileges?
The old model where admin accounts remain active 24/7 goes against modern security principles, particularly Zero Trust. With PIM (requiring Entra ID P2 license), you can:
- Require submission of justification (ServiceNow ticket, Jira, etc.) before any elevation.
- Activate privileges for a limited duration (e.g., 2 hours).
- Automatically revoke permissions after expiration.
Good to Know
Entra ID applies a "one user, one license" licensing policy. Check related articles to optimize PIM costs.
Configuring "Break-Glass" Accounts for Emergencies
"Break-Glass" accounts, essential for critical scenarios (e.g., Entra ID service outage or access policy misconfiguration), must be configured with robust security.
Recommendations for Break-Glass Accounts
- Use the integrated .onmicrosoft domain and favor cloud-only mode.
- Adopt non-obvious names and complex passwords.
- Implement phishing-resistant authentication.
- Create unique conditional access policies.
- Protect accounts with Admin Units.
- Enable continuous monitoring and alerts.
Important
Emergency accounts must be configured with strict security to prevent any abuse and prepare for critical scenarios.
Why Are So Many Global Admins Assigned?
The proliferation of global admins is often linked to poor practices or inefficient implementation of roles. Here's why:
- Administrative convenience: Granting global rights ensures technicians won't be blocked in their actions.
- Lack of awareness of the principle of least privilege and specific roles.
Alternatives to Global Rights
Microsoft 365 offers a multitude of granular roles via Role-Based Access Control (RBAC):
- Need to reset a password? Use Helpdesk Administrator.
- Managing Teams phone numbers? Use Teams Administrator.
- Analyzing sign-in logs? Use Security Reader.
By using RBAC effectively, most organizations can reduce the number of global admins to their emergency accounts and infrastructure leaders.
Conclusion
Managing global admins in Microsoft 365 is a security cornerstone. By adopting recommended practices such as PIM and RBAC, you improve security while minimizing unnecessary risks. Take control of your infrastructure and prepare your tenant against threats.
