25,150 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Not really, Global admins have "the keys to the kingdom", so if one is compromised, there's no stopping what they can do. This is why securing access is so important, and where MFA, CA policies, privileged access workstations, PIM and PAM come into play. The latter never got extended past Exchange operations though, so it will not help here.
If you have the necessary licenses, consider using PIM to "convert" GA assignments as eligible and add additional approvals for activation, as needed. There are some additional guidelines to follow here: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning