1.1.3 Ensure that between two and four global admins are designated

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

More than one global administrator should be designated so that no single admin operates unobserved and so that the tenant retains privileged access if one admin leaves the organization. At the same time, there should be no more than four global admins in any tenant, since each one is a high-value target. Ideally global administrators will have no licenses assigned to them, so the accounts carry no mailbox and are not used for day-to-day work.

Rationale:

If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. The more global tenant administrators there are, the more likely it is that one of their accounts will be successfully breached by an external attacker (for example through phishing or credential theft), since every additional account enlarges the privileged attack surface.

Impact:

The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.

Solution

To correct the number of global tenant administrators, use the Microsoft 365 Admin Center:

Log in to https://admin.microsoft.com as a Global Administrator.

Select Users > Active Users.

In the Search field enter the name of the user to be made a Global Administrator.

To create a new Global Admin:

Select the user's name.

A window will appear to the right.

Select Manage roles.

Select Admin center access.

Check Global Administrator.

Click Save changes.

To remove Global Admins:

Select the user.

Under Roles select Manage roles.

De-Select the appropriate role.

Click Save changes.

To correct the number of global tenant administrators, you can also use the MSOnline (MSOL) PowerShell module. Note that Microsoft has deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK; the commands below are kept as published in the benchmark, but new automation should target Microsoft Graph.

Connect to Microsoft 365 using Connect-MsolService.

Store the variables with the following PowerShell (fill in $dispName with the user's display name; 'Company Administrator' is the MSOnline name of the Global Administrator role):

$dispName = ''
$roleName = 'Company Administrator'

Run the following PowerShell command to create a new Global Admin:

Add-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser -All | Where DisplayName -eq $dispName).UserPrincipalName -RoleName $roleName

Display names are not unique in a tenant. If more than one user matches $dispName, the pipeline returns several UserPrincipalName values and the command fails or acts on the wrong account, so verify that Get-MsolUser returns exactly one object before running the role change (or look the user up by UserPrincipalName instead).

Run the following PowerShell command to remove Global Admins:

Remove-MsolRoleMember -RoleMemberEmailAddress (Get-MsolUser -All | Where DisplayName -eq $dispName).UserPrincipalName -RoleName $roleName
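The benchmark gives the remediation steps but not the check itself. The following is an added example, not part of the CIS benchmark or of Microsoft's documentation, that performs the audit and the same add/remove remediation with the Microsoft Graph PowerShell SDK (a swap-in for the deprecated MSOnline module). It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the listed scopes; the function names Get-GlobalAdminReport and Set-GlobalAdminMembership and the default bounds of 2 and 4 are this example's own.

```powershell
# Added example (not from the CIS benchmark): audit and remediate the number of
# Global Administrators using the Microsoft Graph PowerShell SDK.
# Assumption: the Microsoft.Graph module is installed and the caller can consent
# to these scopes. Read scopes suffice for the audit; the write scope is only
# needed for Set-GlobalAdminMembership.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Directory.Read.All","User.Read.All" -NoWelcome

function Get-GlobalAdminReport {
    param([int]$Min = 2, [int]$Max = 4)   # bounds from control 1.1.3

    # Get-MgDirectoryRole only returns roles activated in the tenant;
    # Global Administrator is always activated, so this filter matches.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role not found in this tenant" }

    # Role members may be users, groups or service principals; keep users only.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $users = foreach ($m in $members) {
        if ($m.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
            Get-MgUser -UserId $m.Id -Property Id,DisplayName,UserPrincipalName,AssignedLicenses
        }
    }
    $count = @($users).Count

    [pscustomobject]@{
        RoleId    = $role.Id
        Count     = $count
        Compliant = ($count -ge $Min) -and ($count -le $Max)
        Admins    = @($users) | ForEach-Object {
            [pscustomobject]@{
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName
                # Control text: ideally global admins hold no licenses.
                IsLicensed        = (@($_.AssignedLicenses).Count -gt 0)
            }
        }
    }
}

function Set-GlobalAdminMembership {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,   # unique, unlike display name
        [Parameter(Mandatory)][ValidateSet('Add','Remove')][string]$Action
    )
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    if ($Action -eq 'Add') {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    } else {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    }
}

# Usage: run the audit, then act on the result.
$report = Get-GlobalAdminReport
$report.Admins | Format-Table -AutoSize
if (-not $report.Compliant) {
    Write-Warning "Tenant has $($report.Count) Global Administrators; control 1.1.3 expects between 2 and 4."
}
# Set-GlobalAdminMembership -UserPrincipalName 'breakglass2@contoso.example' -Action Add
# Set-GlobalAdminMembership -UserPrincipalName 'former.admin@contoso.example' -Action Remove
```

Two caveats when using this check. Get-MgDirectoryRoleMember returns only active (permanent or currently activated) assignments; users who are merely eligible for Global Administrator through Privileged Identity Management are not listed, so a tenant using PIM should also review eligible assignments (Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance) before concluding the count is accurate. Group-based assignments are likewise filtered out above because only user objects are counted; if a group is a member of the role, its members hold the privilege and must be expanded and included in the total.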

See Also

https://workbench.cisecurity.org/files/3729