1.1.3 (L1) Ensure that between two and four global admins are designated

Information

Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them, which supports additional controls found in this benchmark.

If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization.

However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft 365 admin center: https://admin.microsoft.com
- Select Users > Active Users
- In the Search field, enter the name of the user to be made a Global Administrator.
- To create a new Global Admin:
  - Select the user's name.
  - A window will appear to the right.
  - Select Manage roles
  - Select Admin center access
  - Check Global Administrator
  - Click Save changes
- To remove Global Admins:
  - Select the user.
  - Under Roles, select Manage roles
  - De-select the appropriate role.
  - Click Save changes
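One way to audit this control from PowerShell, as an added example that is not the benchmark's or Tenable's own check: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and the caller can consent to the read scopes used, counts the direct user members of the Global Administrator role, and flags any that hold licenses.

```powershell
# Added example (not part of the CIS/Tenable page): count Global Administrators via
# Microsoft Graph and report whether the tenant is inside the expected 2-4 range.
# Assumes the Microsoft.Graph module is installed and consent is granted for these scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# The directoryRole object exists only once the role has been activated in the tenant;
# filtering client-side on DisplayName avoids depending on server-side $filter support.
$role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

# Members may be users, groups or service principals; keep only direct user objects.
# Users that hold the role through a group are not expanded here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property 'UserPrincipalName', 'AccountEnabled', 'AssignedLicenses'
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        # The benchmark prefers unlicensed admin accounts, so licensed ones are flagged.
        Licensed          = (@($u.AssignedLicenses).Count -gt 0)
    }
}

$count = @($report).Count
$report | Format-Table -AutoSize
if ($count -ge 2 -and $count -le 4) {
    Write-Output "PASS: $count Global Administrator(s) assigned (expected 2-4)."
} else {
    Write-Output "FAIL: $count Global Administrator(s) assigned (expected 2-4)."
}
# Only permanent (active) assignments are counted; PIM-eligible assignments are not
# members of the directoryRole object and therefore do not appear in this list.
```

Run it under an account that can read directory roles; a FAIL result with more than four members points at the role review described under Impact, and a FAIL with fewer than two points at the remediation steps above.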

Impact:

The impact of enforcing this requirement depends on the number of global administrators currently configured in the tenant. If there is only one global administrator, an additional global administrator must be identified and configured. If there are more than four, the role requirements of the current global administrators must be reviewed to identify which users actually require global administrator access.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4.1

Plugin: microsoft_azure

Control ID: 1f33620356440ab30bf3740e28ab476bfa6e5a9aa1e72b17508fc83c828bb96c