Solution For removing Global admin Account by another Global admin

Aginash Mannarath 111 Reputation points
2023-09-10T06:53:24.9266667+00:00

Hello Dear Fellow Humans,

I have a worry: if one of my global admin accounts (we have multiple tenant admins) is compromised, it has the ability to delete other global admin accounts, and it can also remove the role assignments from other team members,

which will prevent us from getting the tenant back, and can cost a huge impact since it will delay the response.

Is there any solution that can address this issue?

Thanks in advance

Microsoft Entra ID

1 answer

  1. Vasil Michev 98,201 Reputation points MVP
    2023-09-10T15:32:26.13+00:00

    Not really, Global admins have "the keys to the kingdom", so if one is compromised, there's no stopping what they can do. This is why securing access is so important, and where MFA, CA policies, privileged access workstations, PIM and PAM come into play. The latter never got extended past Exchange operations though, so it will not help here.

    If you have the necessary licenses, consider using PIM to "convert" GA assignments as eligible and add additional approvals for activation, as needed. There are some additional guidelines to follow here: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning

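Added example, not part of the original answer: a small audit that shows which Global Administrator assignments are still standing (permanently active) and so remain to be converted to PIM-eligible as the answer suggests. It assumes records exported from the Microsoft Graph `roleAssignmentScheduleInstances` and `roleEligibilityScheduleInstances` endpoints; the sample records, the principal IDs and the `allowed_standing` parameter are constructed for illustration.

```python
# Built-in Global Administrator role: its role definition ID equals this template ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
OTHER_ROLE_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder role

# Constructed sample records, shaped like the "value" arrays returned by
#   GET /roleManagement/directory/roleAssignmentScheduleInstances   (ACTIVE)
#   GET /roleManagement/directory/roleEligibilityScheduleInstances  (ELIGIBLE)
ACTIVE = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2023-09-10T18:00:00Z"},
    {"principalId": "user-carol", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": "2023-12-31T00:00:00Z"},
    {"principalId": "user-dave", "roleDefinitionId": OTHER_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-erin", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
]
ELIGIBLE = [
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
    {"principalId": "user-frank", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
    {"principalId": "user-erin", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
]

def classify_global_admins(active, eligible, allowed_standing=()):
    """Map each principalId to the state of its Global Administrator access."""
    report = {}
    for item in eligible:
        if item["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID:
            report[item["principalId"]] = "eligible"
    # Active records are processed last so a standing grant overrides "eligible":
    # an eligible user who also holds a permanent assignment gains nothing from PIM.
    for item in active:
        if item["roleDefinitionId"] != GLOBAL_ADMIN_ROLE_ID:
            continue
        pid = item["principalId"]
        if item.get("assignmentType") == "Activated":
            report[pid] = "eligible-activated"   # elevated through PIM right now
        elif item.get("endDateTime"):
            report[pid] = "active-time-bound"    # direct grant with an expiry
        elif pid in allowed_standing:
            report[pid] = "standing-accepted"    # deliberately kept permanent
        else:
            report[pid] = "standing"             # still to be converted to eligible
    return report

def standing_admins(report):
    """Principals that still hold a permanent, always-on Global Administrator role."""
    return sorted(p for p, state in report.items() if state == "standing")
```

Calling `standing_admins(classify_global_admins(ACTIVE, ELIGIBLE))` on the sample data lists the accounts whose compromise would give immediate Global Administrator rights without any PIM activation or approval step.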