Control: 1.1.3 Ensure that between two and four global admins are designated
Description
More than one global administrator should be designated so that a single admin can be monitored and to provide redundancy should one admin leave the organization. There should be no more than four global admins in any tenant. Ideally, global administrators will have no licenses assigned to them.
If there is only one global tenant administrator, that person can perform malicious activity without another admin being able to discover it. The more global tenant administrators there are, the more likely it is that one of their accounts will be breached by an external attacker.
Remediation
To correct the number of global tenant administrators, use the Microsoft 365 Admin Center:
- Log in to https://admin.microsoft.com as a Global Administrator.
- Select Users > Active Users.
- In the Search field, enter the name of the user to be made a Global Administrator.
- To create a new Global Admin:
  - Select the user's name.
  - A window will appear to the right.
  - Select Manage roles.
  - Select Admin center access.
  - Check Global Administrator.
  - Click Save changes.
- To remove Global Admins:
  - Select the user.
  - Under Roles, select Manage roles.
  - De-select the appropriate role.
  - Click Save changes.
To correct the number of global tenant administrators, you can also use the Office 365 PowerShell MSOL module. Note that the MSOnline (MSOL) module is deprecated in favour of the Microsoft Graph PowerShell SDK; the role object ID below (62e90394-69f5-4237-9190-012177145e10) is the fixed template ID of the Global Administrator role and is the same in both.
- Connect to Microsoft 365 using Connect-MsolService.
- Run the following PowerShell command to create a new Global Admin:
  Add-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10 -RoleMemberEmailAddress "AdeleV@contoso.com"
- Run the following PowerShell command to remove a Global Admin:
  Remove-MsolRoleMember -RoleObjectId 62e90394-69f5-4237-9190-012177145e10 -RoleMemberEmailAddress "AdeleV@contoso.com"
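The same audit and remediation with the Microsoft Graph PowerShell SDK, as an added example that is not part of this Powerpipe mod, the CIS benchmark text, or Microsoft's documentation. It counts active Global Administrator members, flags the range check (2 to 4) and any admin that still holds a license, and wraps the add/remove operations in helper functions. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the listed scopes; the function and variable names (Get-GlobalAdminAudit, Add-GlobalAdmin, Remove-GlobalAdmin, $GlobalAdminTemplateId) are this example's own.

```powershell
# Added example, not code from the Powerpipe mod or from Microsoft.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run once,
# and the caller can consent to RoleManagement.Read.Directory and Directory.Read.All.

# Fixed template ID of the Global Administrator role (same value as the MSOL -RoleObjectId above).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminRole {
    # Resolve the activated directory role by template ID rather than display name,
    # which is locale-dependent. Global Administrator is always activated in a tenant.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    if (-not $role) { throw 'Global Administrator directory role not found.' }
    return $role
}

function Get-GlobalAdminAudit {
    param(
        [int]$Minimum = 2,   # CIS 1.1.3 lower bound
        [int]$Maximum = 4    # CIS 1.1.3 upper bound
    )

    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome
    $role = Get-GlobalAdminRole

    # Only ACTIVE assignments are returned here (permanent, or PIM-activated at this moment).
    # PIM eligible-but-not-activated assignments are not directory role members, so an
    # eligible-only admin does not show up in this count; review PIM separately.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    $admins = foreach ($m in $members) {
        $type     = $m.AdditionalProperties['@odata.type']   # user, servicePrincipal or group
        $licensed = $false
        if ($type -eq '#microsoft.graph.user') {
            # CIS guidance: global admins should ideally carry no licenses (no mailbox, no Office apps).
            $licensed = (@(Get-MgUserLicenseDetail -UserId $m.Id)).Count -gt 0
        }
        [pscustomobject]@{
            Id          = $m.Id
            Type        = $type
            DisplayName = $m.AdditionalProperties['displayName']
            Upn         = $m.AdditionalProperties['userPrincipalName']
            Licensed    = $licensed
        }
    }

    $count = @($admins).Count
    [pscustomobject]@{
        GlobalAdminCount = $count
        InRange          = ($count -ge $Minimum -and $count -le $Maximum)
        LicensedAdmins   = @($admins | Where-Object Licensed)
        Members          = @($admins)
    }
}

function Add-GlobalAdmin {
    # Requires RoleManagement.ReadWrite.Directory; reconnect with that scope before calling.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $role = Get-GlobalAdminRole
    $user = Get-MgUser -UserId $UserPrincipalName
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

function Remove-GlobalAdmin {
    # Requires RoleManagement.ReadWrite.Directory; reconnect with that scope before calling.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $role = Get-GlobalAdminRole
    $user = Get-MgUser -UserId $UserPrincipalName
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
}

# Usage: audit first, then remediate deliberately, never in the same unattended run.
$audit = Get-GlobalAdminAudit
$audit | Select-Object GlobalAdminCount, InRange
$audit.Members | Format-Table Type, DisplayName, Upn, Licensed -AutoSize
# Remove-GlobalAdmin -UserPrincipalName 'AdeleV@contoso.com'   # after reconnecting with write scope
```

Two points worth keeping in mind when comparing this with the named query below: the Graph member list and the Steampipe azuread tables both see active assignments only, so a tenant that relies on PIM eligibility can pass the count while still having more than four people able to become Global Administrator; and removing the last admin you can sign in as locks you out, so confirm a second working break-glass account before running Remove-GlobalAdmin.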
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_3 --share
SQL
This control uses a named query:
azuread_global_admin_range_restricted