# AZ\_GLOBAL\_ADMIN

## Summary

|                               |                                                                                                                                                                                               |
| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_GLOBAL\_ADMIN                                                                                                                                                                             |
| **Entra ID (Azure AD) Alias** | Global Administrator                                                                                                                                                                          |
| **Affected Object Types**     | Microsoft Entra tenant (all directory objects and tenant-wide configuration)                                                                                                                  |
| **Exploitation Certainty**    | Certain                                                                                                                                                                                       |
| **Graph Permission / Role**   | Membership in the built-in **Global Administrator** directory role (direct assignment or via a role-assignable group). If Microsoft Entra PIM is used, eligibility and activations also apply. |

## Description

`AZ_GLOBAL_ADMIN` represents the ability for a principal to operate as a **Global Administrator** in Microsoft Entra ID.

A Global Administrator has the highest level of administrative access in the tenant. A Global Administrator can:

* Assign and remove directory roles.
* Manage users, groups, devices, and tenant settings.
* Manage enterprise applications and app registrations, including credentials.
* Approve permissions and perform tenant-wide application management operations.
* Change security settings and access control configuration.

Therefore, any identity that holds the Global Administrator role can immediately perform tenant-wide privileged actions and can grant itself or others persistent administrative access.

## Identification

### PowerShell (Microsoft Graph)

List all active members of the **Global Administrator** role. The result includes users, service principals, and groups; if a group is assigned, expand its transitive membership to identify the effective users. PIM-eligible assignments are not returned by this query.

```powershell
# Read-only scopes are sufficient for enumeration.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Template id of the built-in Global Administrator role (identical in every tenant).
$globalAdminRoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"

# Active role assignments for that role, with the assigned principal expanded inline.
$uri = "/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$globalAdminRoleDefinitionId'&`$expand=principal"
$r = Invoke-MgGraphRequest -Method GET -Uri $uri

$r.value | ForEach-Object {
  $p = $_.principal
  [PSCustomObject]@{
    PrincipalType      = $p.'@odata.type'     # #microsoft.graph.user / servicePrincipal / group
    DisplayName        = $p.displayName
    UserPrincipalName  = $p.userPrincipalName
    AppId              = $p.appId
    ObjectId           = $_.principalId
    DirectoryScopeId   = $_.directoryScopeId  # "/" means tenant-wide scope
  }
} | Format-Table -AutoSize
```
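The following is an added example (not the page's own script) that extends the enumeration above to the effective set of Global Administrators: it follows paging, expands any assigned group to its transitive members, and adds PIM-eligible principals. It assumes the same read-only scopes and that the `roleEligibilityScheduleInstances` endpoint is reachable (it simply returns nothing when PIM is not in use).

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id

# Follow @odata.nextLink so large result sets are not silently truncated.
function Get-GraphPaged {
  param([string]$Uri)
  do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $page.value
    $Uri = $page.'@odata.nextLink'
  } while ($Uri)
}

$results = @()

# Active assignments: the principal is a user, service principal, or role-assignable group.
$active = Get-GraphPaged "/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$gaRoleId'&`$expand=principal"
foreach ($a in $active) {
  $p = $a.principal
  if ($p.'@odata.type' -eq '#microsoft.graph.group') {
    # Every transitive member (nested groups resolved) is effectively a Global Administrator.
    foreach ($m in Get-GraphPaged "/v1.0/groups/$($a.principalId)/transitiveMembers") {
      $results += [PSCustomObject]@{ State = 'Active'; Via = $p.displayName; Type = $m.'@odata.type'; DisplayName = $m.displayName; Id = $m.id }
    }
  } else {
    $results += [PSCustomObject]@{ State = 'Active'; Via = 'Direct'; Type = $p.'@odata.type'; DisplayName = $p.displayName; Id = $a.principalId }
  }
}

# PIM-eligible assignments (empty when PIM is not in use). An eligible group is reported as a
# group here; expand it the same way as above to reach its members.
$eligible = Get-GraphPaged "/v1.0/roleManagement/directory/roleEligibilityScheduleInstances?`$filter=roleDefinitionId eq '$gaRoleId'"
foreach ($e in $eligible) {
  $p = Invoke-MgGraphRequest -Method GET -Uri "/v1.0/directoryObjects/$($e.principalId)"
  $results += [PSCustomObject]@{ State = 'Eligible'; Via = 'PIM'; Type = $p.'@odata.type'; DisplayName = $p.displayName; Id = $e.principalId }
}

$results | Sort-Object State, DisplayName | Format-Table -AutoSize
```

A principal that appears both as `Direct` and via a group has two independent paths to the role; both need to be removed to revoke it.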

### Azure GUI

* Go to **Microsoft Entra admin center** -> **Roles & administrators**.
* Open **Global Administrator**.
* Open **Assignments** and record:
  * **Active assignments**
  * **Eligible assignments** (if PIM is enabled)
* If a **group** is assigned:
  * Enumerate its **transitive members** (nested included).
* Identify break-glass accounts and confirm they are protected and monitored.

![Roles UI](/files/XGdjrzi2YE95qsnYiX46)

## Exploitation

A principal that holds the **Global Administrator** role can perform tenant-wide privileged actions immediately. This includes granting roles to other identities, changing authentication and access policy, and modifying application permissions and credentials.

Do not treat Global Administrator as an operational role for daily work. Treat it as an emergency-only, tightly controlled administrative capability.

### Grant Directory Roles

A Global Administrator can assign any directory role to any principal, including granting Global Administrator to a controlled identity for persistence.

For detailed exploitation techniques, see [AZ\_MG\_GRANT\_ROLE](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_GRANT_ROLE/README.md).

### Add Credentials to Applications

A Global Administrator can add client secrets or certificates to any application or service principal, then authenticate as that identity to abuse its permissions.

For detailed exploitation techniques, see [AZ\_ADD\_SECRET](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_SECRET/README.md).

### Add Owners to Applications

A Global Administrator can add owners to applications and service principals, granting persistent control even if the role assignment is later removed.

For detailed exploitation techniques, see [AZ\_ADD\_OWNER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_OWNER/README.md).

### Modify Group Memberships

A Global Administrator can add principals to any group, including role-assignable groups that grant privileged directory roles.

For detailed exploitation techniques, see [AZ\_MG\_ADD\_MEMBER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_ADD_MEMBER/README.md).

### Reset User Passwords

A Global Administrator can reset the password of any user in the tenant, including other administrators.

For detailed exploitation techniques, see [AZ\_RESET\_PASSWORD](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_RESET_PASSWORD/README.md).

### Grant Microsoft Graph Permissions

A Global Administrator can grant dangerous Microsoft Graph API permissions to applications, enabling programmatic tenant takeover.

For detailed exploitation techniques, see [AZ\_MG\_GRANT\_APP\_ROLES](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_MG_GRANT_APP_ROLES/README.md).

## Mitigation

* Keep the number of **Global Administrators** as low as possible.
* Use **Microsoft Entra PIM**:
  * Prefer **eligible** assignments instead of permanent active assignments.
  * Require MFA and approvals for activation where appropriate.
* Use dedicated admin accounts and enforce strong authentication:
  * Phishing-resistant MFA where possible.
  * Conditional Access policies for privileged roles.
* Maintain controlled **break-glass** accounts:
  * Exclude them from Conditional Access policies only where necessary, and monitor their use continuously.
  * Store credentials securely and test access periodically.
* Review Global Administrator membership regularly and remove stale assignments.

## Detection

Monitor Entra **Audit logs** for role changes and privileged activity.

* Alert on any changes that add or activate Global Administrator:
  * Role assignments created.
  * PIM activations for Global Administrator.
* Investigate:
  * **Initiated by (actor)**
  * **Target resources**
  * Source IP / device context if available
* Alert on abnormal privileged actions performed by Global Administrators:
  * New credentials added to applications.
  * New app role assignments to Microsoft Graph.
  * Changes to Conditional Access or authentication policies.
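The following is an added example (not the page's own script) of the first alert above implemented against the Entra audit log through Microsoft Graph: it pulls the last 7 days of role-management audit events and keeps those that add, make eligible, or activate Global Administrator, showing actor, source IP and target for triage. It assumes the `AuditLog.Read.All` scope and the default English activity display names from Microsoft's audit activity reference.

```powershell
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"    # Global Administrator template id
$since    = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Audit activities that confer the role: direct assignment, PIM eligibility, PIM activation.
$activities = @(
  "Add member to role",
  "Add eligible member to role",
  "Add member to role completed (PIM activation)"
)

# Server-side filter on category and time window; the activity-name match is done client-side.
$uri = "/v1.0/auditLogs/directoryAudits?`$filter=category eq 'RoleManagement' and activityDateTime ge $since"
$events = @()
do {
  $page = Invoke-MgGraphRequest -Method GET -Uri $uri
  $events += $page.value
  $uri = $page.'@odata.nextLink'
} while ($uri)

$events | Where-Object { $activities -contains $_.activityDisplayName } | ForEach-Object {
  $evt = $_
  # The granted role is recorded either as a 'Role.TemplateId' modifiedProperty on the target
  # or as a target resource of type Role; check both so neither event shape is missed.
  $templateIds = $evt.targetResources | ForEach-Object { $_.modifiedProperties } |
    Where-Object { $_.displayName -eq 'Role.TemplateId' } | ForEach-Object { $_.newValue }
  $roleTarget  = $evt.targetResources | Where-Object { $_.type -eq 'Role' -and $_.displayName -eq 'Global Administrator' }
  if (-not (($templateIds -match $gaRoleId) -or $roleTarget)) { return }

  # Actor is a user (interactive) or an application (automation / compromised app credential).
  $actor  = if ($evt.initiatedBy.user) { $evt.initiatedBy.user.userPrincipalName } else { $evt.initiatedBy.app.displayName }
  $target = $evt.targetResources | Where-Object { $_.type -in 'User','ServicePrincipal','Group' } | Select-Object -First 1
  [PSCustomObject]@{
    Time     = $evt.activityDateTime
    Activity = $evt.activityDisplayName
    Actor    = $actor
    ActorIp  = $evt.initiatedBy.user.ipAddress
    Target   = if ($target.userPrincipalName) { $target.userPrincipalName } else { $target.displayName }
    Result   = $evt.result
  }
} | Sort-Object Time | Format-Table -AutoSize
```

Matching on the role template id rather than only the display name keeps the detection working if the role is presented under a localized name.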

## References

* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference>
* <https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/directory-roles-overview>
* <https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure>
* <https://learn.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/directoryrole-list-members?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs>
