AZ_GLOBAL_ADMIN

Summary

FSProtect ACL Alias

AZ_GLOBAL_ADMIN

Entra ID (Azure AD) Alias

Global Administrator

Affected Object Types

Microsoft Entra tenant (all directory objects and tenant-wide configuration)

Exploitation Certainty

Certain

Graph Permission / Role

Membership in the built-in Global Administrator directory role (direct assignment or via a role-assignable group). If Microsoft Entra PIM is used, eligibility and activations also apply

Description

AZ_GLOBAL_ADMIN represents the ability for a principal to operate as a Global Administrator in Microsoft Entra ID.

A Global Administrator has the highest level of administrative access in the tenant. A Global Administrator can:

Assign and remove directory roles.
Manage users, groups, devices, and tenant settings.
Manage enterprise applications and app registrations, including credentials.
Approve permissions and perform tenant-wide application management operations.
Change security settings and access control configuration.

Therefore, any identity that holds the Global Administrator role can immediately perform tenant-wide privileged actions and can grant itself or others persistent administrative access.

Identification

PowerShell (Microsoft Graph)

List all members of the Global Administrator role. This includes users, service principals, and groups. If a group is assigned, expand it to identify effective users.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$globalAdminRoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"

$uri = "/v1.0/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$globalAdminRoleDefinitionId'&`$expand=principal"
$r = Invoke-MgGraphRequest -Method GET -Uri $uri

$r.value | ForEach-Object {
  $p = $_.principal
  [PSCustomObject]@{
    PrincipalType      = $p.'@odata.type'
    DisplayName        = $p.displayName
    UserPrincipalName  = $p.userPrincipalName
    AppId              = $p.appId
    ObjectId           = $_.principalId
    DirectoryScopeId   = $_.directoryScopeId
  }
} | Format-Table -AutoSize

Azure GUI

Go to Microsoft Entra admin center -> Roles & administrators.
Open Global Administrator.
Open Assignments and record:
- Active assignments
- Eligible assignments (if PIM is enabled)
If a group is assigned:
- Enumerate its transitive members (nested included).
Identify break-glass accounts and confirm they are protected and monitored.

Exploitation

A principal that holds the Global Administrator role can perform tenant-wide privileged actions immediately. This includes granting roles to other identities, changing authentication and access policy, and modifying application permissions and credentials.

Do not treat Global Administrator as an operational role for daily work. Treat it as emergency-only and tightly controlled administrative capability.

Grant Directory Roles

A Global Administrator can assign any directory role to any principal, including granting Global Administrator to a controlled identity for persistence.

For detailed exploitation techniques, see AZ_MG_GRANT_ROLE.

Add Credentials to Applications

A Global Administrator can add client secrets or certificates to any application or service principal, then authenticate as that identity to abuse its permissions.

For detailed exploitation techniques, see AZ_ADD_SECRET.

Add Owners to Applications

A Global Administrator can add owners to applications and service principals, granting persistent control even if the role assignment is later removed.

For detailed exploitation techniques, see AZ_ADD_OWNER.

Modify Group Memberships

A Global Administrator can add principals to any group, including role-assignable groups that grant privileged directory roles.

For detailed exploitation techniques, see AZ_MG_ADD_MEMBER.

Reset User Passwords

A Global Administrator can reset the password of any user in the tenant, including other administrators.

For detailed exploitation techniques, see AZ_RESET_PASSWORD.

Grant Microsoft Graph Permissions

A Global Administrator can grant dangerous Microsoft Graph API permissions to applications, enabling programmatic tenant takeover.

For detailed exploitation techniques, see AZ_MG_GRANT_APP_ROLES.

Mitigation

Keep the number of Global Administrators as low as possible.
Use Microsoft Entra PIM:
- Prefer eligible assignments instead of permanent active assignments.
- Require MFA and approvals for activation where appropriate.
Use dedicated admin accounts and enforce strong authentication:
- Phishing-resistant MFA where possible.
- Conditional Access policies for privileged roles.
Maintain controlled break-glass accounts:
- Exclude only where necessary, and monitor continuously.
- Store credentials securely and test access periodically.
Review Global Administrator membership regularly and remove stale assignments.

Detection

Monitor Entra Audit logs for role changes and privileged activity.

Alert on any changes that add or activate Global Administrator:
- Role assignments created.
- PIM activations for Global Administrator.
Investigate:
- Initiated by (actor)
- Target resources
- Source IP / device context if available
Alert on abnormal privileged actions performed by Global Administrators:
- New credentials added to applications.
- New app role assignments to Microsoft Graph.
- Changes to Conditional Access or authentication policies.

References

PreviousAZ_CUSTOM_PRIVILEGED_ROLE NextAZ_IN_GROUP

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagExploitation

hashtagGrant Directory Roles

hashtagAdd Credentials to Applications

hashtagAdd Owners to Applications

hashtagModify Group Memberships

hashtagReset User Passwords

hashtagGrant Microsoft Graph Permissions

hashtagMitigation

hashtagDetection

hashtagReferences