Version: 2.1.0

CISA.MS.AAD.7.2 - Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.

Overview

Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.

Rationale: Many privileged administrative users do not need unfettered access to the tenant to perform their duties. By assigning them to roles based on least privilege, the risks associated with having their accounts compromised are reduced.

Remediation action:

This policy is based on the ratio below:

X = (Number of users assigned to the Global Administrator role) / (Number of users assigned to other highly privileged roles)

  1. Follow the instructions for policy MS.AAD.7.1v1 above to get a count of users assigned to the Global Administrator role.
  2. Follow the instructions for policy MS.AAD.7.1v1 above but get a count of users assigned to the other highly privileged roles (not Global Administrator). If a user is assigned to both Global Administrator and other roles, only count that user for the Global Administrator assignment.
  3. Divide the value from step 1 by the value from step 2 to calculate X. If X is less than or equal to 1, the tenant is compliant with the policy.
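The three steps above, carried out over a constructed set of role assignments, as an added example that is not Maester's own code or the body of Test-MtCisaGlobalAdminRatio. The function name Get-GlobalAdminRatio, the sample users and the role names in the data are assumptions made for the illustration; in a live tenant the assignments would be read from directory role membership rather than typed in. The example applies the page's counting rule (a user holding Global Administrator plus other roles is counted once, as a Global Administrator) and counts each user once even when they hold several non-GA roles.

```powershell
# Added example, not Maester project code: computes the MS.AAD.7.2 ratio
#   X = (users assigned Global Administrator) / (users assigned other highly privileged roles)
# from an in-memory list of role assignments.

# Constructed sample data (assumption): one object per role assignment.
$assignments = @(
    [pscustomobject]@{ Role = 'Global Administrator';          User = 'alice@contoso.example' },
    [pscustomobject]@{ Role = 'Global Administrator';          User = 'bob@contoso.example' },
    [pscustomobject]@{ Role = 'Privileged Role Administrator'; User = 'bob@contoso.example' },   # also GA: counted once, as GA
    [pscustomobject]@{ Role = 'Exchange Administrator';        User = 'carol@contoso.example' },
    [pscustomobject]@{ Role = 'User Administrator';            User = 'dave@contoso.example' },
    [pscustomobject]@{ Role = 'Security Administrator';        User = 'dave@contoso.example' }   # two roles, one user
)

function Get-GlobalAdminRatio {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [string] $GlobalAdminRole = 'Global Administrator'
    )

    # Step 1: distinct users holding Global Administrator.
    $globalAdmins = @(
        $Assignments |
            Where-Object { $_.Role -eq $GlobalAdminRole } |
            Select-Object -ExpandProperty User -Unique
    )

    # Step 2: distinct users holding any other highly privileged role,
    # excluding anyone already counted under Global Administrator.
    $otherPrivileged = @(
        $Assignments |
            Where-Object { $_.Role -ne $GlobalAdminRole -and $_.User -notin $globalAdmins } |
            Select-Object -ExpandProperty User -Unique
    )

    $gaCount    = $globalAdmins.Count
    $otherCount = $otherPrivileged.Count

    # Step 3: X = step 1 / step 2. If no one holds a non-GA privileged role the
    # ratio is undefined; this example (an assumption, not from the policy text)
    # treats that as non-compliant, since every privileged user is then a GA.
    $ratio = if ($otherCount -gt 0) { $gaCount / $otherCount } else { [double]::PositiveInfinity }

    [pscustomobject]@{
        GlobalAdminCount     = $gaCount
        OtherPrivilegedCount = $otherCount
        Ratio                = $ratio
        Compliant            = ($ratio -le 1)
    }
}

Get-GlobalAdminRatio -Assignments $assignments
```

With the sample data, bob is counted only under Global Administrator and dave only once despite two role assignments, giving two Global Administrators against two other privileged users, so X is 1 and the check passes. Adding one more Global Administrator to the list pushes X above 1 and flips Compliant to false.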

Test Metadata

Field              Value
Test ID            CISA.MS.AAD.7.2
Severity           High
Suite              CISA
Category           Entra ID Free
PowerShell test    Test-MtCisaGlobalAdminRatio
Tags               CISA, CISA.MS.AAD.7.2, Entra ID Free, MS.AAD, MS.AAD.7.2

Source

  • Pester test: tests/cisa/entra/Test-MtCisaGlobalAdminRatio.Tests.ps1
  • PowerShell source: powershell/public/cisa/entra/Test-MtCisaGlobalAdminRatio.ps1