← All glossary terms
Microsoft Entra ID4 min read

What is Global Administrator?

Global Administrator is the highest-privilege role in Microsoft Entra ID. Learn what it can do, why standing GAs are dangerous, and how to manage them safely.

What is Global Administrator?

Definition

Global Administrator (GA) is the highest-privilege built-in role in Microsoft Entra ID. It grants full control over the tenant — every user, group, application, role assignment, Conditional Access policy, and most workload admin centers (Exchange, SharePoint, Teams, Intune).

Compromise of a single Global Administrator account typically equates to complete tenant takeover.

In simple terms:

Global Administrator is the cloud equivalent of Domain Admin — and even more impactful because the tenant boundary spans email, files, and Azure.


Why GA Matters

  • Permissions: can do almost anything, including elevating to manage Azure subscriptions if "User Access Administrator at root" is enabled.
  • Blast radius: all Microsoft 365 data, all Entra-controlled apps, all Conditional Access policies, all role assignments.
  • Recovery: GA can disable other admins, MFA, Conditional Access — making attacker lockout trivial.
  • Microsoft guidance: keep standing GAs under 5, ideally 2–4 break-glass + JIT for the rest.

What a Global Administrator Can Do

  • Manage every user (including other admins).
  • Reset any password and any MFA method.
  • Assign / remove any role.
  • Modify Conditional Access (incl. disabling MFA).
  • Manage Privileged Identity Management.
  • Register and manage applications and consent on behalf of the organization.
  • Manage federation and authentication policies.
  • Elevate to manage all Azure subscriptions (when the tenant elevation toggle is on).
  • Read every audit log; modify retention.
  • Modify directory branding, custom domains, and security defaults.

In short — anything most Entra ID admin centers can do, Global Admin can do.


Common Pitfalls

  • Too many standing GAs. Often 10–50 in mid-sized tenants.
  • Service accounts as GAs. Common for legacy automation.
  • Sync accounts as GAs. Should never be — Entra Connect uses separate accounts.
  • No break-glass plan. GAs locked behind the same MFA system that breaks.
  • GAs without phishing-resistant MFA.
  • GAs not monitored for sign-ins or activity.
  • GAs used for daily work instead of separate admin accounts.

Real-World Examples

1. MFA Fatigue → GA Compromise

A standing GA account is hit with MFA fatigue. After many push prompts, the user approves one. Attacker logs in as GA and disables CA policies before defenders react.

2. Service Account GA

A legacy script runs as a GA service account with a long-lived password. Password leaks via a config file in source control. Attacker takes over the tenant.

3. Forgotten Break-Glass

The break-glass account has weak MFA and hasn't been rotated in 4 years. An insider with old knowledge takes over.

4. Application Admin → GA

Application Administrator adds credentials to a service principal with Application.ReadWrite.All, then uses it to assign GA role to a new account.


Best Practices

Reduce Standing GAs

  1. Aim for under 5 standing GAs (Microsoft baseline).
  2. PIM-eligible the rest — JIT only.
  3. No service accounts as GAs. Use Application roles or Managed Identities with narrower scopes.
  4. No daily-use GA accounts. Separate admin and user accounts.

Strong Authentication

  1. Phishing-resistant MFA (FIDO2 / passkey) on every GA.
  2. Disable MFA fatigue paths — number matching, location context, app context required.
  3. Block legacy auth for GAs.
  4. Authentication strength policies in Conditional Access.

Break-Glass

  1. 2 break-glass GAs with hardware FIDO2 keys.
  2. Cloud-only accounts, not synced.
  3. Excluded from CA that could lock them out (carefully scoped).
  4. Stored offline; alerted on every use.

Governance

  1. PIM activation with MFA + justification + (where possible) approval.
  2. Time-limit activations to small windows.
  3. Quarterly access reviews on standing and eligible GAs.
  4. Audit log alerts on new GA assignments.

Hybrid

  1. GAs are cloud-only wherever possible.
  2. Don't sync privileged on-premises accounts to Entra ID with their privileges.

Detection

  1. Real-time alerts on GA sign-ins and activity.
  2. Monitor disablement of CA / MFA.
  3. Detect application credential additions by GAs.

Global Administrator Checklist

  • Standing GAs reduced to under 5?
  • All eligible GAs in PIM with strong activation requirements?
  • No service accounts as GAs?
  • No daily-use GA accounts?
  • Phishing-resistant MFA on every GA?
  • Legacy auth blocked for GAs?
  • 2 break-glass GAs hardened and monitored?
  • GA assignments alerted in SIEM?
  • GA activity (sign-ins, role changes) monitored?
  • Quarterly review of GA membership?

How Forestall Helps

Forestall computes effective GA reach across:

  • Standing assignments.
  • PIM-eligible assignments.
  • Role-assignable groups.
  • Service principals with role-equivalent app permissions.
  • Backdoor paths via Application Admin / Privileged Authentication Admin.

This gives you the real number of identities that can become GA — typically 5–10× the visible standing count.


Frequently Asked Questions

How many GAs should I have?

Microsoft recommends fewer than 5 standing, plus 2 break-glass. Everyone else PIM-eligible.

Should the CEO be a GA?

Almost never. GAs are technical; executives don't need this role.

Can break-glass accounts use phone-based MFA?

Hardware FIDO2 keys are strongly preferred. Phone MFA risks SIM swap and provider outages.

What replaces GA for most admin tasks?

Most tasks can be done with role-specific admins: User Admin, Application Admin, Conditional Access Admin, Authentication Policy Admin, Exchange/SharePoint/Teams Admin, etc.

Can a Managed Identity be a Global Admin?

Technically possible but strongly discouraged. Use narrower Microsoft Graph permissions instead.


Conclusion

Global Administrator is the most powerful role in Microsoft Entra ID and one of the highest-impact targets in any cloud-using enterprise. Reduce standing membership to a handful, force JIT activation for the rest via PIM, lock down break-glass with hardware FIDO2, monitor every sign-in, and audit effective reach continuously. Done well, GA becomes a deliberate, scarce, monitored privilege — not the attacker's easiest path to your entire cloud.

Global AdministratorMicrosoft Entra IDTier 0PIMBreak Glass

Find every effective Global Admin in your tenant.

Forestall surfaces standing, eligible, group-based, and app-equivalent paths to Global Admin.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Global Administrator in Microsoft Entra ID? | Forestall