Forum Discussion

CRIB111
Brass Contributor
Dec 12, 2023

no full time global admin privileges

Is it commonplace, or even a formal Microsoft recommendation, to not have any of your IT support admin accounts as permanent members of the global admins role in AAD? And rather to delegate them more fine-grained access permissions based on their requirements?

Or practically speaking, is there a need for global admin permissions in resolving issues etc. in AAD/365 on, say, a daily basis? I was just analysing the role assignments report in AAD and the only accounts permanently in global admins were break glass accounts, and other admins are given different privileges roles but do not permanently reside in global admins, which I hadn't seen before, so I wondered if this is official guidance? I know Microsoft had similar advice about trying to avoid giving people permanent domain admin rights if at all possible, so I presume this is similar thinking. I just wanted to see how practical it is to follow.
