Description:
Global Administrator is the highest level of administrative privilege within Microsoft Entra ID (formerly Azure Active Directory). Users with the Global Administrator role have full control over all aspects of Azure AD, including the ability to manage users, configure settings, and access sensitive data. To reduce security risks, it is crucial to limit the number of Global Administrators in your organization.
The best practice is to ensure that fewer than five users are assigned the Global Administrator role to minimize the risk of unauthorized access or misuse of these elevated privileges.
Rationale:
By restricting the number of Global Administrators, you can:
Reduce security risks: Limiting the number of high-privilege accounts minimizes the risk of them being compromised or misused.
Improve compliance: Many security frameworks and compliance standards recommend restricting high-level access to only a few trusted individuals.
Enable better access control: Fewer Global Administrators means more control over administrative actions and better auditing of changes.
Prevent accidental misconfigurations: Fewer users with this role reduces the chances of accidental security misconfigurations or changes.
Impact:
This approach ensures that only essential personnel hold Global Administrator privileges, which strengthens the overall security posture. The operational impact is minimal: restricting the number of Global Administrators does not affect day-to-day operations, provided the privileges the removed users actually need are delegated to less privileged roles.
Default Value:
By default, organizations may have a larger number of Global Administrators (e.g., IT administrators or initial setup accounts). You need to manually audit and limit this role assignment to fewer than five users.
Pre-requisites:
Microsoft Entra ID (Azure Active Directory) configured and operational.
Global Administrator role permissions to review and manage role assignments.
A list of the Azure AD or Entra ID users currently holding Global Administrator privileges, so their assignments can be reviewed.
Audit:
Sign in to Microsoft Entra ID (Azure AD) as a Global Administrator.
Navigate to the Roles and Administrators section.
Review the Global Administrator role assignments to ensure fewer than five users have this assignment.
Implementation Steps (Manual):
Sign in to Microsoft Entra ID (Azure AD):
Use an account with the Global Administrator role to perform this task.
Navigate to Roles and Administrators:
In the Azure portal, go to Azure Active Directory.
Under Manage, select Roles and administrators.
Review the Global Administrator Role:
In the Roles and administrators pane, select Global Administrator.
Review the list of users assigned the Global Administrator role.
Ensure Fewer Than Five Global Administrators:
If five or more users are assigned the Global Administrator role, identify the users who can be assigned a lower-level administrative role (e.g., User Administrator, Security Administrator, etc.) or remove them from the Global Administrator role entirely.
Modify the Global Administrator Assignments:
Select a user who should no longer have the Global Administrator role.
Click Remove to remove the Global Administrator assignment.
Alternatively, assign them a less privileged role by selecting Assigned roles and choosing a more appropriate role.
To remove a Global Administrator:
Click on the user you want to remove.
Under Assigned roles, click Remove next to Global Administrator.
Review and Confirm:
After making changes, confirm that fewer than five users remain in the Global Administrator role.
Ensure that all necessary administrative privileges are delegated to other roles, such as User Administrator, Security Administrator, or custom roles.
Verify Role Assignment Changes:
Revisit the Global Administrator role in Roles and Administrators to ensure the updated list reflects fewer than five users.
Regularly Review Global Administrator Assignments:
Set a process to periodically review Global Administrator assignments to maintain the principle of least privilege.
You may want to set reminders to review role assignments quarterly.
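The Audit and Implementation steps above are portal click-paths. As an added example (not part of the original benchmark text), the following Microsoft Graph PowerShell script performs the same audit from a terminal and offers a guarded removal step. It assumes the Microsoft.Graph module is installed, that the signed-in account is permitted to read and (for remediation) modify directory roles, and that the threshold is the benchmark's "fewer than five"; the function names, the break-glass minimum of two remaining members, and the sample user principal name are this example's own choices.

```powershell
# Added example: audit and trim Global Administrator assignments with the
# Microsoft Graph PowerShell SDK. Not part of the original benchmark text.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

$MaxGlobalAdmins = 5   # the benchmark requires strictly fewer than this

# RoleManagement.ReadWrite.Directory is needed only for the removal step;
# Directory.Read.All is enough for the audit alone.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All' -NoWelcome

function Get-GlobalAdminAssignments {
    # Resolve the activated Global Administrator directory role by display name.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

    # Members may be users, groups or service principals; flatten to one table.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            RoleId      = $role.Id
            ObjectId    = $_.Id
            Type        = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            Upn         = $_.AdditionalProperties['userPrincipalName']
        }
    }
}

function Test-GlobalAdminCount {
    # The Audit section's check: PASS when the active member count is below the limit.
    param([int]$Limit = $MaxGlobalAdmins)
    $members = @(Get-GlobalAdminAssignments)
    $members | Format-Table Type, DisplayName, Upn -AutoSize | Out-Host
    if ($members.Count -ge $Limit) {
        Write-Warning "FAIL: $($members.Count) Global Administrator assignments; fewer than $Limit required."
        return $false
    }
    Write-Host "PASS: $($members.Count) Global Administrator assignments."
    return $true
}

function Remove-GlobalAdminAssignment {
    # Remove one user from Global Administrator. Refuses to drop below two
    # members so a break-glass account always remains (this example's own guard).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $members = @(Get-GlobalAdminAssignments)
    $target  = $members | Where-Object Upn -eq $UserPrincipalName
    if (-not $target) { throw "$UserPrincipalName is not a Global Administrator." }
    if ($members.Count -le 2) { throw 'Refusing to remove: at least two Global Administrators must remain.' }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove Global Administrator assignment')) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $target.RoleId -DirectoryObjectId $target.ObjectId
    }
}

# Audit:
Test-GlobalAdminCount

# Remediation: dry run with -WhatIf first, then re-run the audit afterwards.
# Remove-GlobalAdminAssignment -UserPrincipalName 'alice@contoso.example' -WhatIf
# Remove-GlobalAdminAssignment -UserPrincipalName 'alice@contoso.example'
# Test-GlobalAdminCount
```

Two caveats for anyone using this in place of the portal. First, Get-MgDirectoryRoleMember returns active members only; users who are merely eligible for Global Administrator through Privileged Identity Management do not appear, so a tenant using PIM should review eligible assignments separately. Second, a group assigned to the role counts as one member here but may contain many users, so expand any group rows before concluding that the check passes.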
Backout Plan (Manual):
Sign in to Microsoft Entra ID (Azure AD):
Use an account with the Global Administrator role.
Navigate to Roles and Administrators:
In Azure Active Directory, go to Roles and administrators.
Reassign Global Administrator Role if Needed:
If a user needs to be re-added as a Global Administrator, find the user in Roles and administrators.
Select the user and click Add assignments.
Choose Global Administrator and click Assign.
Verify Role Assignments:
Ensure that the Global Administrator role is properly assigned to the required users.
Confirm the number of Global Administrators is as intended (this may be five or more if the rollback requires it, in which case the check in this control will fail until the assignments are reduced again).