High Number of Administrators

HIGH

Language:

Description

Administrators have elevated privileges by definition. They can pose security risks when there is a high number of them since it increases the attack surface because there is a higher chance that one of them gets compromised. This is also the sign that the least-privileged principle is not respected.

These role assignees should be scrutinized, trained and carefully justified.

Disabled accounts and service principals are ignored (i.e. not counted) by default (parameter can be changed) because they cannot be used by attackers.

Solution

To limit risks, use the least-privilege principle when assigning administrator roles:

  • Reduce the number of accounts assigned to the reported role.
  • If these accounts require privileges, consider restricting them to a more specific role with only the necessary permissions. Microsoft Entra ID offers several administrative roles beyond "Global Administrator", allowing to grant just the necessary permissions. For example, a support technician account only requires the "Helpdesk Administrator" role to reset user passwords, instead of "Global Administrator".
  • Reduce the scope of assignment. Microsoft Entra ID allows you to assign a role on a specific scope, and you should aim for the smallest scope. For example, if the same support technician is in charge of the EMEA region only, you should assign them their role only on the "EMEA" administrative unit.

If this is not applicable due to the large size of your IT organization, consider increasing the maximum number of allowed accounts in the parameters.

In particular, Microsoft recommends to limit the number of Global Administrators to less than 5.

Indicator Details

Name: High Number of Administrators

Codename: HIGH-NUMBER-OF-ADMINISTRATORS

Severity: High

MITRE ATT&CK Information: