Version: 2.1.1-preview

CIS.M365.1.1.3 - (L1) Ensure that between two and four global admins are designated

Overview

1.1.3 (L1) Ensure that between two and four global admins are designated

Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them, which supports additional controls found in this benchmark.

Rationale

If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization. However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker.

Impact

The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.

Remediation action:

To correct the number of global tenant administrators:

  1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
  2. Select Users > Active Users.
  3. In the Search field enter the name of the user to be made a Global Administrator.
  4. To create a new Global Admin:
     1. Select the user's name.
     2. A window will appear to the right.
     3. Select Manage roles.
     4. Select Admin center access.
     5. Check Global Administrator.
     6. Click Save changes.

To remove Global Admins:

  1. Select User.
  2. Under Roles select Manage roles.
  3. De-Select the appropriate role.
  4. Click Save changes.
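
To check the current count before and after the remediation steps above, the following added example (not the Maester Test-MtCisGlobalAdminCount source and not part of the original page) counts the users who hold Global Administrator through Microsoft Graph PowerShell and applies the two-to-four bound. The function names are hypothetical, and it assumes the Microsoft.Graph SDK is installed and that service principals are not counted as designated admins.

```powershell
# Added example, not the Maester test source. Function names are hypothetical.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups

# Well-known template ID of the built-in Global Administrator role.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminUserId {
    # Unique user IDs holding an active Global Administrator assignment,
    # directly or as a member of a group assigned to the role.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    if (-not $role) { throw 'Global Administrator directory role not found.' }

    $ids = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        switch ($member.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { [void]$ids.Add($member.Id) }
            '#microsoft.graph.group' {
                Get-MgGroupMember -GroupId $member.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                    ForEach-Object { [void]$ids.Add($_.Id) }
            }
            # Assumption: service principals are not counted as designated admins.
        }
    }
    @($ids)
}

function Test-GlobalAdminCount {
    # Applies the control's bounds: at least two, at most four.
    param([Parameter(Mandatory)][int]$Count, [int]$Min = 2, [int]$Max = 4)
    $finding = if ($Count -lt $Min) {
        'Too few: no second admin for oversight or redundancy.'
    } elseif ($Count -gt $Max) {
        'Too many: review which users require the role.'
    } else {
        'Within the two-to-four range.'
    }
    [pscustomobject]@{
        Count     = $Count
        Compliant = ($Count -ge $Min -and $Count -le $Max)
        Finding   = $finding
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All'
$admins = @(Get-GlobalAdminUserId)
Test-GlobalAdminCount -Count $admins.Count
```

Directory role membership lists active assignments only, so users who are merely eligible for the role through Privileged Identity Management are not included in this count.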

Test Metadata

Field | Value
Test ID | CIS.M365.1.1.3
Severity | High
Suite | CIS
Category | CIS E3 Level 1
PowerShell test | Test-MtCisGlobalAdminCount
Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.1.1.3, L1

Source

  • Pester test: tests/cis/Test-MtCisGlobalAdminCount.Tests.ps1
  • PowerShell source: powershell/public/cis/Test-MtCisGlobalAdminCount.ps1