Detections
Analytics

5.26 Ensure fewer than 5 users have global administrator assignment

Information

This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access.

The Global Administrator role has extensive privileges across all services in Microsoft Entra ID. The Global Administrator role should never be used in regular daily activities; administrators should have a regular user account for daily activities, and a separate account for administrative responsibilities. Limiting the number of Global Administrators helps mitigate the risk of unauthorized access, reduces the potential impact of human error, and aligns with the principle of least privilege to reduce the attack surface of an Azure tenant. Conversely, having at least two Global Administrators ensures that administrative functions can be performed without interruption in case of unavailability of a single admin.

For any accounts assigned the Global Administrator role, at least one strong authentication method such as a FIDO2 key or certificate is strongly advised. Additional detail on strong passwordless authentication methods is provided in the recommendation titled "Ensure passwordless authentication methods are considered" and a link can be found in references for more detail about emergency access accounts.

Solution

Remediate from Azure Portal

 - From Azure Home select the Portal Menu
 - Select Microsoft Entra ID
 - Under Manage, select Roles and administrators
 - Under Administrative Roles, select Global Administrator

If more than 4 users are assigned:

 - Remove Global Administrator role for users which do not or no longer require the role.
 - Assign Global Administrator role via PIM which can be activated when required.
 - Assign more granular roles to users to conduct their duties.

If only one user is assigned:

 - Provide the Global Administrator role to a trusted user or create a break glass admin account.

Impact:

Implementing this recommendation may require changes in administrative workflows or the redistribution of roles and responsibilities. Adequate training and awareness should be provided to all Global Administrators.

NOTE: If an organization's tenant is using a third-party identity provider, the audit and remediation procedures presented here may not be relevant. The principle of the recommendation is still relevant, and compensating controls that are relevant to the third-party identity provider should be implemented.

See Also

https://workbench.cisecurity.org/benchmarks/21611

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4.1

Plugin: microsoft_azure

Control ID: add43d7702c2fc07012409de09115d5be88a638034d080f46b157536fd5ace80