Query on Access

Glenn Maxwell 10,551 Reputation points
2024-06-07T22:38:53.47+00:00

Hi All

This might be a stupid question, but I would still like to ask: Is there any recommendation from Microsoft to restrict the number of Global Admins and Domain Admins? Specifically, in an organization, how many Domain Admins or Global Admins should we have? We currently have 11 Global Admins and 14 Domain Admins and want to reduce this number. Are there any recommended best practices from Microsoft, and if so, do we have any documentation on this?


2 answers

  1. Jayce Yang-MSFT 1,251 Reputation points Microsoft Vendor
    2024-06-10T03:12:09.0966667+00:00

    Sorry, there is no official document that sets a limit on the number of global administrators and domain administrators; it all depends on your requirements. But you could assign the least permissive role, which means giving admins only the access they need to get the job done, to reduce the number of Global Admins. We could refer to the following document:

    About admin roles in the Microsoft 365 admin center - Microsoft 365 admin | Microsoft Learn

    Please note:

    Security guidelines for assigning roles


  2. Givary-MSFT 29,591 Reputation points Microsoft Employee
    2024-06-10T03:24:13.61+00:00

    @Glenn Maxwell Thank you for reaching out to us. As I understand, you are looking for best practices in managing the Global Admin & Domain Admin accounts within your environment.

    Refer to these docs, which explain the best practices in managing privileged accounts:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#:~:text=5.%20Limit%20the%20number%20of%20Global%20Administrators%20to%20less%20than%205

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory

    For an on-premises environment, consider implementing the Tier model - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendices

    For more details, engaging our consulting team would be the best way to go about this issue.

    Let me know if you have any further questions; feel free to post back.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments
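
To measure the current state against the guidance linked in the answers, the following added example (not code from either answer or from Microsoft) inventories Domain Admins with nested groups expanded and the active members of the Global Administrator role. It assumes the ActiveDirectory RSAT module and the Microsoft Graph PowerShell SDK are installed and that the account running it has read access; the 90-day staleness cutoff is an assumed value.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
# Added example: read-only inventory of the two privileged groups from the question.

$GlobalAdminTarget = 5    # "less than 5", from the Entra best-practices link in answer 2
$StaleAfterDays    = 90   # assumed cutoff for unused accounts; adjust to local policy
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# On-premises: -Recursive expands nested groups so indirect members are counted too.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ Name = 'Review'; Expression = {
            if (-not $_.Enabled) { 'disabled' }
            elseif (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) { 'stale' }
            else { 'active' } } }

# Entra ID: look the role up by its built-in template ID rather than by display name.
# Only active assignments are returned; PIM-eligible assignments are not listed by this call.
Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            # Type distinguishes users from groups and service principals holding the role.
            Type = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.'
            UPN  = $_.AdditionalProperties['userPrincipalName']
        }
    }

$domainAdmins | Sort-Object Review, SamAccountName | Format-Table -AutoSize
$globalAdmins | Sort-Object Type, UPN | Format-Table -AutoSize

# Summary: how many accounts to review, and how far above "less than 5" the tenant is.
[pscustomobject]@{
    DomainAdmins           = @($domainAdmins).Count
    DomainAdminsToReview   = @($domainAdmins | Where-Object Review -ne 'active').Count
    GlobalAdmins           = @($globalAdmins).Count
    GlobalAdminsOverTarget = [math]::Max(0, @($globalAdmins).Count - ($GlobalAdminTarget - 1))
} | Format-List
```

Accounts marked `disabled` or `stale` are the natural first candidates for removal; a `group` entry in the Global Administrator list means the real headcount is the membership of that group.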