AZ_GLOBAL_ADMIN

Summary

FSProtect ACL Alias

AZ_GLOBAL_ADMIN

Entra ID (Azure AD) Alias

Global Administrator

Affected Object Types

Microsoft Entra tenant (all directory objects and tenant-wide configuration)

Exploitation Certainty

Certain

Graph Permission / Role

Membership in the built-in Global Administrator directory role (direct assignment or via a role-assignable group). If Microsoft Entra PIM is used, eligible assignments and PIM activations also apply.

Description

AZ_GLOBAL_ADMIN represents the ability for a principal to operate as a Global Administrator in Microsoft Entra ID.

A Global Administrator has the highest level of administrative access in the tenant. A Global Administrator can:

  • Assign and remove directory roles.

  • Manage users, groups, devices, and tenant settings.

  • Manage enterprise applications and app registrations, including credentials.

  • Approve permissions and perform tenant-wide application management operations.

  • Change security settings and access control configuration.

Therefore, any identity that holds the Global Administrator role can immediately perform tenant-wide privileged actions and can grant itself or others persistent administrative access.

Identification

PowerShell (Microsoft Graph)

Azure GUI

1. Open Roles & administrators

  • Go to Microsoft Entra admin center > Roles & administrators.

2. Open Global Administrator

  • Open Global Administrator.

3. Review Assignments

  • Open Assignments and record:

    • Active assignments

    • Eligible assignments (if PIM is enabled)

4. Handle group assignments

  • If a group is assigned:

    • Enumerate its transitive members (nested included).

5. Break-glass accounts

  • Identify break-glass accounts and confirm they are protected and monitored.
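The same five steps can be run from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the FSProtect page, and it assumes the Microsoft.Graph modules are installed and that you have already run `Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"`. It lists active Global Administrator members, expands any role-assignable group to its transitive members, adds PIM-eligible principals, and flags accounts whose UPN matches a break-glass naming pattern (the pattern itself is a placeholder for your tenant's own convention).

```powershell
# Added example (not part of the original page): enumerate every principal that can act as
# Global Administrator, following the Identification steps above.
# Assumes: Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.Governance are installed and Connect-MgGraph has been run with
# the RoleManagement.Read.Directory and Directory.Read.All scopes.

# Well-known role template id of the built-in Global Administrator role (used by the PIM query).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Steps 1-2: locate the activated Global Administrator directory role.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

$results = [System.Collections.Generic.List[object]]::new()

function Add-Principal {
    param($Object, [string]$Assignment, [string]$Via)
    $type = $Object.AdditionalProperties['@odata.type']
    $results.Add([pscustomobject]@{
        Assignment  = $Assignment
        Via         = $Via
        ObjectType  = $type -replace '^#microsoft\.graph\.', ''
        Id          = $Object.Id
        DisplayName = $Object.AdditionalProperties['displayName']
        UPN         = $Object.AdditionalProperties['userPrincipalName']
    })
}

# Step 3: active assignments. Members may be users, service principals or groups.
foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
        # Step 4: expand the group transitively; nested groups are skipped, their members kept.
        $groupName = $m.AdditionalProperties['displayName']
        foreach ($tm in Get-MgGroupTransitiveMember -GroupId $m.Id -All) {
            if ($tm.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') {
                Add-Principal -Object $tm -Assignment 'Active' -Via "group:$groupName"
            }
        }
    } else {
        Add-Principal -Object $m -Assignment 'Active' -Via 'direct'
    }
}

# Step 3 (PIM): eligible assignments that can be activated on demand.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$GlobalAdminTemplateId'" -ExpandProperty Principal -All
foreach ($e in $eligible) {
    Add-Principal -Object $e.Principal -Assignment 'Eligible' -Via 'PIM'
}

# Step 5: break-glass accounts are a local naming decision. The pattern below is an
# assumption; replace it with the tenant's own convention before relying on the flag.
$BreakGlassPattern = '^breakglass'   # hypothetical naming convention

$results | Sort-Object Assignment, ObjectType, DisplayName |
    Select-Object Assignment, Via, ObjectType, DisplayName, UPN,
        @{ n = 'BreakGlass'; e = { [bool]($_.UPN -match $BreakGlassPattern) } } |
    Format-Table -AutoSize
```

Review the output as two sets: anything marked Active can act as Global Administrator right now; anything marked Eligible can do so after a PIM activation, which is why both sets belong in the record. A service principal in either set deserves the same scrutiny as a user account.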

Exploitation

Mitigation

Detection

Monitor Entra Audit logs for role changes and privileged activity.

  • Alert on any changes that add or activate Global Administrator:

    • Role assignments created.

    • PIM activations for Global Administrator.

  • Investigate:

    • Initiated by (actor)

    • Target resources

    • Source IP / device context if available

  • Alert on abnormal privileged actions performed by Global Administrators:

    • New credentials added to applications.

    • New app role assignments to Microsoft Graph.

    • Changes to Conditional Access or authentication policies.
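To make the detection list above concrete, here is an added example (not part of the original page) that applies those alert rules to Entra ID audit log records and pulls out the investigation fields the list names (actor, target resources, source IP). The field names follow the Microsoft Graph `auditLogs/directoryAudits` schema; the four records embedded in the script are constructed sample data, and the activityDisplayName strings they use should be checked against your own tenant's logs before the rules are deployed.

```powershell
# Added example (not part of the original page): rule-based triage of Entra ID audit log
# records for the Global Administrator detections listed above.
# Assumptions: records are in the Graph directoryAudits shape (activityDisplayName,
# initiatedBy, targetResources); activityDisplayName values are modelled on Entra's
# audit log wording and must be verified against real tenant data.

# Constructed sample records, not real tenant data.
$sampleAuditLogs = @'
[
  {"activityDateTime":"2024-05-01T10:02:11Z","activityDisplayName":"Add member to role",
   "initiatedBy":{"user":{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.5"}},
   "targetResources":[{"displayName":"bob","type":"User"},
                      {"displayName":"Global Administrator","type":"Role"}]},
  {"activityDateTime":"2024-05-01T10:05:40Z","activityDisplayName":"Add member to role completed (PIM activation)",
   "initiatedBy":{"user":{"userPrincipalName":"carol@example.com","ipAddress":"198.51.100.9"}},
   "targetResources":[{"displayName":"carol","type":"User"},
                      {"displayName":"Global Administrator","type":"Role"}]},
  {"activityDateTime":"2024-05-01T10:07:03Z","activityDisplayName":"Update application - Certificates and secrets management",
   "initiatedBy":{"user":{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.5"}},
   "targetResources":[{"displayName":"backup-sync-app","type":"Application"}]},
  {"activityDateTime":"2024-05-01T10:09:55Z","activityDisplayName":"Add member to role",
   "initiatedBy":{"user":{"userPrincipalName":"dave@example.com"}},
   "targetResources":[{"displayName":"erin","type":"User"},
                      {"displayName":"Helpdesk Administrator","type":"Role"}]}
]
'@
$events = $sampleAuditLogs | ConvertFrom-Json

# Helper: does the record target the Global Administrator role?
function Test-TargetsGlobalAdmin($e) {
    [bool]($e.targetResources | Where-Object { $_.type -eq 'Role' -and $_.displayName -eq 'Global Administrator' })
}

# One predicate per detection bullet; extend the table as coverage grows.
$rules = @(
    @{ Name = 'GA role assignment created';  Severity = 'High'
       Test = { param($e) $e.activityDisplayName -eq 'Add member to role' -and (Test-TargetsGlobalAdmin $e) } }
    @{ Name = 'GA PIM activation';           Severity = 'High'
       Test = { param($e) $e.activityDisplayName -like '*completed (PIM activation)*' -and (Test-TargetsGlobalAdmin $e) } }
    @{ Name = 'Application credential added'; Severity = 'Medium'
       Test = { param($e) $e.activityDisplayName -like 'Update application*Certificates and secrets*' } }
    @{ Name = 'Graph app role assignment';   Severity = 'Medium'
       Test = { param($e) $e.activityDisplayName -eq 'Add app role assignment to service principal' -and
                [bool]($e.targetResources | Where-Object { $_.displayName -eq 'Microsoft Graph' }) } }
    @{ Name = 'Conditional Access change';   Severity = 'Medium'
       Test = { param($e) $e.activityDisplayName -like '*conditional access policy*' } }
)

function Invoke-EntraAuditTriage {
    param([object[]]$Events, [object[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                # The investigation fields from the Detection checklist: actor, targets,
                # source IP. Not every record carries an address, so mark its absence.
                [pscustomobject]@{
                    Time     = $e.activityDateTime
                    Rule     = $r.Name
                    Severity = $r.Severity
                    Actor    = $e.initiatedBy.user.userPrincipalName
                    SourceIp = $(if ($e.initiatedBy.user.ipAddress) { $e.initiatedBy.user.ipAddress } else { '(none)' })
                    Targets  = ($e.targetResources | ForEach-Object { "$($_.type):$($_.displayName)" }) -join ', '
                }
            }
        }
    }
}

# With the constructed data, the first three records fire (two High, one Medium);
# the Helpdesk Administrator assignment is not a Global Administrator event and stays silent.
Invoke-EntraAuditTriage -Events $events -Rules $rules | Format-Table -AutoSize
```

The same actor appearing in a High and a Medium hit within minutes (as alice does in the sample) is the pattern worth escalating: a new Global Administrator assignment followed by a credential added to an application is exactly the persistence step the Description section warns about. In production, replace the embedded JSON with records pulled from `Get-MgAuditLogDirectoryAudit` or from the Log Analytics export of the audit log.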
