MS-102 | Chapter 46 of 104 | Objective 1.2

Global Administrator Best Practices

This chapter covers Global Administrator best practices for the Microsoft 365 tenant, a critical topic for the MS-102 exam. Properly managing Global Administrator accounts is essential for tenant security and compliance. Identity and access management is one of the exam's major domains, and privileged role management is a significant part of it, so questions on this topic appear frequently. You will learn the specific risks, Microsoft's recommended controls, and how to configure and verify these settings. Mastering this chapter will help you answer scenario-based questions about role assignment, emergency access, and Privileged Identity Management (PIM).

25 min read
Intermediate
Updated May 31, 2026

The Master Key and the Vault Room

Imagine a high-security office building with many rooms: HR, Finance, IT, each with its own lock. Most employees have keys only to their specific rooms. However, a few senior executives hold a 'master key' that opens every single door. This master key is powerful — it can also change the locks, create new keys, and even revoke access from other employees. Now, consider that the building has a special 'vault room' that contains the master key itself, along with backup keys for all rooms. Only one person — the 'Global Admin' — is allowed to enter the vault room. If that person misplaces the master key, the entire building's security is compromised. To mitigate this, the company implements strict policies: the master key is never carried outside the building, its usage is logged every time it touches a lock, and a second executive must be present when the vault room is accessed. Additionally, the company creates a few 'emergency master keys' that are stored in a separate, equally secure vault, and those keys are only used if the primary master key is lost. This analogy directly mirrors the Global Administrator role in Microsoft 365: the Global Admin has the highest level of access (the master key), can perform any operation, and must be protected with privileged access management, break-glass accounts, and strict monitoring to prevent abuse or compromise.

How It Actually Works

What is a Global Administrator and Why Does It Exist?

A Global Administrator (named Company Administrator in the retired MSOnline module and the old Azure AD Graph API) is the most powerful role in Microsoft 365. It has unrestricted access to all administrative features in the Microsoft 365 admin center, Microsoft Entra ID (formerly Azure AD), Exchange Online, SharePoint Online, Teams, the Microsoft Purview and Defender portals, and more, and it can grant itself any other role. The role exists because every tenant needs at least one identity that can perform tenant-wide configuration, manage billing, create and delete other administrators, and respond to emergencies. That power also makes it the primary target for attackers: one phished or token-stolen Global Administrator is a full tenant compromise. Microsoft recommends at least two but fewer than five Global Administrators in a tenant (the 2-4 figure used throughout this chapter), with day-to-day admins holding the role as an eligible Privileged Identity Management (PIM) assignment that is activated only when needed.

How Global Administrator Works Internally

When a user is assigned the Global Administrator role, Microsoft Entra ID records a role assignment in the directory; role assignments are directory data and are replicated across Entra's geo-distributed service like any other directory object. When the user authenticates and attempts an administrative action, the service handling the request checks the caller's current role assignments (the Graph APIs are how you read and change those assignments, not the authorization mechanism itself). If the caller holds Global Administrator, the authorization check passes for every administrative endpoint. An assignment can be permanent (always active) or eligible (requires activation through PIM). For an eligible assignment the user activates the role in PIM, which creates a time-bound active assignment whose length is capped by the role setting 'activation maximum duration' (8 hours by default, configurable up to 24 hours). On activation the role settings can require MFA (or a Conditional Access authentication context), a justification, a ticket number, and approval by a designated approver. Access tokens carry tenant-wide directory roles in the wids claim, so a token issued before activation does not reflect the new role; some portals and APIs read the assignment live, others need the user to sign out and back in to obtain a fresh token, and activation can take several minutes to propagate. The assignment ends when the activation period expires or the user deactivates it.
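An added example, not from the original page, that shows the mechanism just described from the token side: it base64url-decodes a JWT payload offline and reports whether the wids claim lists the Global Administrator role template ID (62e90394-69f5-4237-9190-012177145e10, which is the same in every tenant). The sample token is constructed here and unsigned; the function never verifies a signature, so use it only to understand why a token acquired before PIM activation lacks the role, never as an authorization check.

```powershell
# Added example, not from the original page: decode an access token payload offline and report
# whether the "wids" claim carries the Global Administrator role template ID.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # built-in template ID, identical in every tenant

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url with padding stripped; restore standard base64 before decoding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GlobalAdminToken {
    # Diagnostic only: the signature is never checked, so this must not gate any decision.
    param([Parameter(Mandatory)][string]$Jwt)
    $claims  = ConvertFrom-JwtPayload -Jwt $Jwt
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    [pscustomobject]@{
        User            = $claims.upn
        HasGlobalAdmin  = @($claims.wids) -contains $GlobalAdminTemplateId
        TokenExpiresUtc = $expires.UtcDateTime
        Expired         = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample: an unsigned token (alg "none", empty signature segment) built for this example.
function New-SampleJwt {
    param([string[]]$Wids)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $payload = @{ upn = 'alice@contoso.example'; exp = 1700000000; wids = $Wids } | ConvertTo-Json -Compress
    $h = & $enc '{"alg":"none","typ":"JWT"}'
    $p = & $enc $payload
    '{0}.{1}.' -f $h, $p
}

# A token minted after activation lists the template ID; one minted before activation does not.
Test-GlobalAdminToken -Jwt (New-SampleJwt -Wids @($GlobalAdminTemplateId))
Test-GlobalAdminToken -Jwt (New-SampleJwt -Wids @())
```

The first call reports HasGlobalAdmin as true and Expired as true (the constructed exp is in 2023); the second reports HasGlobalAdmin as false. Paste a real token into Test-GlobalAdminToken after activating a role and you will see the same thing a user sees when a portal "does not notice" the activation: the old token is still valid but carries the old wids.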

Key Components, Values, Defaults, and Timers

Number of Global Admins: Microsoft recommends 2-4 permanent (or eligible) Global Administrators. More than 4 increases risk; fewer than 2 risks lockout.

PIM Activation Maximum Duration: Default 8 hours, configurable in the role settings up to 24 hours. Set it to the shortest window that fits the task (1-2 hours for routine changes). Break-glass accounts hold permanent assignments outside PIM, so this setting does not apply to them.

MFA on Activation: Required by default for the Global Administrator role; you can instead bind activation to a Conditional Access authentication context. Turning the requirement off is possible but not recommended.

Approval Required: Optional. If enabled, a separate administrator must approve the activation request.

Justification: Users must provide a reason for activation, which is logged.

Break-Glass (emergency access) Accounts: Two separate cloud-only accounts with a permanent Global Administrator assignment, excluded from Conditional Access policies and kept outside PIM, with long, complex passwords stored offline in a secure location. They must not depend on the same MFA mechanism as everyone else (for example a phone-based method), because that mechanism may be the thing that is broken; Microsoft's current guidance is to protect at least one with a different method such as a FIDO2 security key kept with the password. They are for emergency use only, and every sign-in by them should raise an alert.

Audit Logging: Role assignments and PIM activations are written to the Entra ID audit log (retained 30 days with an Entra ID P1/P2 license, 7 days on the free tier) and to the Microsoft Purview unified audit log (retained 180 days with Audit (Standard), up to one year with Audit (Premium)). Stream the logs to Log Analytics or a SIEM for longer retention.

Role-assignable groups and PIM for Groups: Global Administrator can be assigned to a group created with the 'Microsoft Entra roles can be assigned to the group' option (a role-assignable group). With PIM for Groups (formerly Privileged Access Groups) membership of that group can itself be eligible, so activating membership activates the role. This reduces the number of individual assignments, but it makes the group's owners and anyone who can edit its membership as sensitive as the role itself; only Global Administrators and Privileged Role Administrators can manage role-assignable groups.

Configuration and Verification Commands

To add a user as Global Admin with the legacy MSOnline module (retired; shown only so you recognise it in older runbooks, where the role is named Company Administrator):

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "user@domain.com"

To view all Global Admins with the same retired module:

Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

Using Microsoft Graph PowerShell (the supported route now that MSOnline and AzureAD are retired). Get-MgDirectoryRoleMember lists only active members, that is standing assignments plus anyone currently activated through PIM, so list eligible assignments separately. The GUID is the built-in Global Administrator role template ID, identical in every tenant:

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
Get-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}).Id
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'" -ExpandProperty Principal

To configure PIM settings for Global Administrator. The AzureADPreview cmdlet Set-AzureADMSPrivilegedRoleSetting found in older guides is retired with that module (and took -ProviderId "aadRoles" for directory roles, not "AzureResources"); the supported route is the role management policy in Microsoft Graph. This example sets the activation maximum duration to 4 hours:

# Requires Microsoft Entra ID P2
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'"
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $assignment.PolicyId -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"; isExpirationRequired = $true; maximumDuration = "PT4H" }

Verification: Check PIM activation reports in Microsoft Entra admin center > Identity governance > Privileged Identity Management > Audit history, and read the rules back with Get-MgPolicyRoleManagementPolicyRule.
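An added example, not from the original page, for the verification step above and for the monitoring step in the walk-through: detection logic over PIM activation records that flags activations outside business hours, from IP addresses outside trusted ranges, by break-glass accounts, or in unusual volume. The record shape (Upn, Role, TimeUtc, Ip), the sample records and the trusted range are constructed for this example; the comment at the end shows the Get-MgAuditLogDirectoryAudit call to map live records from, and its property mapping is an assumption to check against a real record.

```powershell
# Added example, not from the original page: triage PIM activation records for the patterns the
# text calls out. Record shape (Upn, Role, TimeUtc, Ip) is this example's own.

function Test-IPv4InCidr {
    param([string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toLong = {
        param([string]$Address)
        $addr = $null
        if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$addr) -or $addr.AddressFamily -ne 'InterNetwork') { return $null }
        $b = $addr.GetAddressBytes()
        ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    }
    $ipLong  = & $toLong $Ip
    $netLong = & $toLong $network
    if ($null -eq $ipLong -or $null -eq $netLong) { return $false }   # missing or non-IPv4 address: not trusted
    $mask = ([long]4294967295 -shl (32 - [int]$prefix)) -band [long]4294967295
    ($ipLong -band $mask) -eq ($netLong -band $mask)
}

function Find-SuspiciousActivations {
    param(
        [Parameter(Mandatory)][array]$Records,
        [string[]]$TrustedCidrs = @(),        # corporate egress ranges; empty disables the IP rule
        [string[]]$BreakGlassUpns = @(),
        [int]$BusinessStartHour = 8,          # evaluated in UTC here; convert to the admin team's zone in production
        [int]$BusinessEndHour = 18,
        [int]$MaxPerDay = 3
    )
    $alerts = New-Object System.Collections.Generic.List[object]
    foreach ($r in $Records) {
        $t = [DateTimeOffset]::Parse($r.TimeUtc).UtcDateTime
        $reasons = @()
        if ($t.Hour -lt $BusinessStartHour -or $t.Hour -ge $BusinessEndHour -or $t.DayOfWeek.ToString() -in 'Saturday', 'Sunday') {
            $reasons += 'outside business hours'
        }
        if ($TrustedCidrs.Count -gt 0) {
            $trusted = $false
            foreach ($c in $TrustedCidrs) { if (Test-IPv4InCidr -Ip ([string]$r.Ip) -Cidr $c) { $trusted = $true; break } }
            if (-not $trusted) { $reasons += "source IP '$($r.Ip)' outside trusted ranges" }
        }
        if ($BreakGlassUpns -contains $r.Upn) { $reasons += 'break-glass account used (treat as an incident until verified)' }
        if ($reasons.Count -gt 0) {
            $alerts.Add([pscustomobject]@{ Upn = $r.Upn; Role = $r.Role; When = $t; Reasons = ($reasons -join '; ') })
        }
    }
    # Volume rule: more than $MaxPerDay activations by one account in one UTC day.
    $Records | Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.Upn, [DateTimeOffset]::Parse($_.TimeUtc).UtcDateTime } |
        Where-Object Count -gt $MaxPerDay | ForEach-Object {
            $upn, $day = $_.Name.Split('|')
            $alerts.Add([pscustomobject]@{ Upn = $upn; Role = '*'; When = $day; Reasons = "$($_.Count) activations in one day" })
        }
    $alerts
}

# Constructed sample records (weekdays in May 2026; 203.0.113.0/24 plays the corporate egress range).
$sample = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-26T09:12:00Z'; Ip = '203.0.113.10' },
    [pscustomobject]@{ Upn = 'alice@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-27T02:40:00Z'; Ip = '198.51.100.77' },
    [pscustomobject]@{ Upn = 'admin-breakglass-1@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-27T10:05:00Z'; Ip = '203.0.113.10' },
    [pscustomobject]@{ Upn = 'bob@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-28T10:00:00Z'; Ip = '203.0.113.20' },
    [pscustomobject]@{ Upn = 'bob@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-28T11:00:00Z'; Ip = '203.0.113.20' },
    [pscustomobject]@{ Upn = 'bob@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-28T12:00:00Z'; Ip = '203.0.113.20' },
    [pscustomobject]@{ Upn = 'bob@contoso.example'; Role = 'Global Administrator'; TimeUtc = '2026-05-28T13:00:00Z'; Ip = '203.0.113.20' }
)
Find-SuspiciousActivations -Records $sample -TrustedCidrs '203.0.113.0/24' -BreakGlassUpns 'admin-breakglass-1@contoso.example' | Format-Table -AutoSize

# Live records (mapping assumed; verify the property names against one real entry):
# Connect-MgGraph -Scopes 'AuditLog.Read.All'
# Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDisplayName eq 'Add member to role completed (PIM activation)'" |
#   ForEach-Object { [pscustomobject]@{ Upn = $_.InitiatedBy.User.UserPrincipalName; Ip = $_.InitiatedBy.User.IPAddress
#                     Role = ($_.TargetResources | Where-Object Type -eq 'Role').DisplayName; TimeUtc = $_.ActivityDateTime.ToString('o') } }
```

On the sample the first record is clean; the second is flagged for both the 02:40 UTC time and the unknown source address; the third is flagged because a break-glass account activated a role at all; and bob's four activations on 28 May trip the volume rule, giving four alerts. Business hours are evaluated in UTC to keep the example deterministic; in production convert to the admin team's time zone and feed the trusted ranges from your named locations rather than a literal.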

Interactions with Related Technologies

Microsoft Entra ID Protection: Scores user and sign-in risk; paired with risk-based Conditional Access policies it can block a risky Global Admin sign-in or force a secure password change, and an analyst's 'confirm compromised' decision raises the user to high risk so those policies fire. It does not revoke sessions on its own; once you have contained the account, revoke its sessions explicitly (for example with Revoke-MgUserSignInSession).

Conditional Access: Can require MFA, compliant device, or trusted location for Global Admin sign-ins.

Privileged Access Management (PAM) in Microsoft Identity Manager: Just-in-time administration for on-premises Active Directory using a separate bastion forest. It is a distinct product from Entra PIM; the two do not share assignments or workflows, so hybrid environments run both.

Microsoft Defender XDR (formerly Microsoft 365 Defender): Correlates alerts about anomalous Global Admin activity across identity, endpoint, email and cloud app signals, and is where an incident involving an admin account is investigated.

Microsoft Entra Permissions Management (CIEM): Gave cross-cloud visibility into granted versus used permissions and unused roles. Microsoft has announced its retirement, so check current availability before relying on it in an answer.

Best Practices Summary

Use PIM for all Global Admin assignments except break-glass accounts.

Require MFA and justification for activation.

Set the activation maximum duration to the minimum necessary (1-2 hours), well below the 8-hour default.

Regularly review and remove unused Global Admin assignments.

Monitor audit logs for unusual activation patterns.

Use break-glass accounts for emergencies only, and test them periodically.

Prefer least-privileged built-in roles (User Administrator, Exchange Administrator, and so on), scoped with administrative units where possible, instead of granting Global Administrator.

Walk-Through

1

Assess current Global Admin assignments

Begin by identifying everyone who holds the Global Administrator role, both as a standing assignment and as a PIM-eligible one. Use the Microsoft 365 admin center (Roles > Role assignments > Global Administrator) or Microsoft Graph PowerShell (Get-MgDirectoryRoleMember for active members, Get-MgRoleManagementDirectoryRoleEligibilitySchedule for eligible ones; the MSOnline Get-MsolRoleMember cmdlet is retired). Document each user, their department, and the business justification for holding the role. This step matters because many tenants have accumulated excessive Global Admins over time, often from legacy migrations or temporary assignments that were never revoked. The goal is to bring the list down to at most four standing or eligible holders, with standing assignments reserved for the break-glass accounts. Also identify any service accounts or app registrations with Global Admin; replace them with least-privileged application permissions or managed identities.

2

Create break-glass emergency accounts

Create two separate cloud-only user accounts (not synchronized or federated, on the tenant's default .onmicrosoft.com domain so they keep working if a custom domain's federation breaks) with a permanent Global Administrator assignment. Use a naming convention like 'admin-breakglass-1@domain.com'. Generate a long, complex password (at least 20 characters) and store it offline in a physical safe, split between two people if your process requires dual control. A cloud vault such as Azure Key Vault needs an Entra ID sign-in to read, which may be exactly what is broken during the emergency, so it cannot be the only copy. Do not assign any licenses to these accounts (they can still sign in). Exclude these accounts from Conditional Access policies and keep them outside PIM, and give them a different second factor from everyone else (current Microsoft guidance is a FIDO2 security key kept with the password) rather than the phone-based MFA the rest of the tenant depends on. They are intended for use only when normal admin access is unavailable (an Entra ID or MFA outage, a PIM failure, the last regular admin leaving). Test them periodically by signing in and performing a simple action, and configure an alert on every sign-in by these accounts so that any unexpected use is treated as an incident.

3

Enable Privileged Identity Management

If not already licensed, obtain Microsoft Entra ID P2 (or Microsoft Entra ID Governance); PIM appears in the Microsoft Entra admin center under Identity governance once the tenant is licensed, and you need a license for each user who is eligible for, activates, approves or reviews a role. Configure the Global Administrator role settings: set the activation maximum duration to 1 hour (2 hours at most, well below the 8-hour default), require MFA or a Conditional Access authentication context on activation, require justification, and optionally require approval from a designated approver. Then convert every permanent assignment except the break-glass accounts to eligible. The result is that no one except the break-glass accounts has standing Global Admin access, and every activation logs the user, time, justification, and MFA status.

4

Implement Conditional Access for admins

Create a Conditional Access policy whose user assignment targets directory roles (at minimum Global Administrator; Microsoft's 'Require MFA for admins' template lists the other privileged roles worth including). Configure grant controls: require MFA (phishing-resistant if you can), require a compliant device (e.g., Intune managed), and optionally restrict to a trusted named location (e.g., corporate IP range). Set session controls: sign-in frequency of about 1 hour and persistent browser session disabled. The directory role condition applies to active holders, so a user who activates Global Admin through PIM falls under the policy at their next sign-in or token refresh; that is why activation itself should also require MFA. Exclude the break-glass accounts from this policy. Test it with the 'What If' tool and run it in report-only mode before enforcing.

5

Monitor and audit Global Admin activity

Use the Entra ID audit log and the unified audit log to monitor Global Admin activations and actions, and turn on PIM's built-in security alerts, which cover the obvious governance failures ('Roles are being assigned outside of Privileged Identity Management', 'There are too many global administrators', 'Roles don't require multi-factor authentication for activation', 'Potential stale accounts in a privileged role'). Add your own alerts for anomalous activations (outside business hours, from an unfamiliar IP, by a break-glass account). Use Microsoft Defender XDR to investigate incidents involving Global Admin accounts. Export the logs to a SIEM or Log Analytics for long-term retention, since the Entra audit log keeps only 30 days. Review PIM activation reports regularly and remove stale eligible assignments; a quarterly access review on the role makes each admin re-justify their eligibility and removes those who do not respond.
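An added example, not from the original page, that checks a tenant against steps 1 to 4 above: it counts distinct Global Administrators, flags standing assignments that are not break-glass accounts, verifies that the break-glass accounts are cloud-only, permanently assigned and excluded from every enabled Conditional Access policy, and warns if the PIM activation maximum duration is above two hours. Get-GlobalAdminFindings works on plain objects, so the constructed sample at the end runs offline; Get-LiveGlobalAdminInputs assembles the same inputs from Microsoft Graph, and its field mapping and scopes are this example's assumptions to verify against your SDK version.

```powershell
# Added example, not from the original page. The live path assumes the Microsoft Graph PowerShell SDK;
# the analysis itself needs nothing beyond Windows PowerShell 5.1 or PowerShell 7.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # built-in role template ID, same in every tenant

function Get-GlobalAdminFindings {
    param(
        [Parameter(Mandatory)][array]$Active,       # Id, Upn, AssignmentType ('Assigned'|'Activated'), EndDateTime, OnPremisesSyncEnabled
        [array]$Eligible = @(),                     # Id, Upn
        [Parameter(Mandatory)][string[]]$BreakGlassIds,
        [array]$CaPolicies = @(),                   # DisplayName, State, ExcludeUsers (user object IDs)
        [string]$MaxActivation = 'PT8H'             # ISO 8601 duration from the Expiration_EndUser_Assignment rule
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # Standing access = active assignment of type 'Assigned' with no end date (PIM activations are 'Activated' and time-bound).
    $permanent = @($Active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
    $holders   = @(@($permanent.Id) + @($Eligible.Id) | Where-Object { $_ } | Sort-Object -Unique)
    if ($holders.Count -lt 2)     { $findings.Add("Only $($holders.Count) Global Administrator(s): lockout risk, keep at least two") }
    elseif ($holders.Count -ge 5) { $findings.Add("$($holders.Count) distinct Global Administrators: Microsoft recommends fewer than five") }
    foreach ($p in $permanent) {
        if ($BreakGlassIds -notcontains $p.Id) { $findings.Add("$($p.Upn) holds Global Administrator permanently and is not break-glass: convert to eligible") }
        elseif ($p.OnPremisesSyncEnabled)      { $findings.Add("$($p.Upn) is synchronized from on-premises: break-glass accounts must be cloud-only") }
    }
    foreach ($id in $BreakGlassIds) {
        if (@($permanent.Id) -notcontains $id) { $findings.Add("Break-glass account $id has no permanent Global Administrator assignment") }
        foreach ($pol in @($CaPolicies | Where-Object State -eq 'enabled')) {
            if (@($pol.ExcludeUsers) -notcontains $id) { $findings.Add("Break-glass account $id is not excluded from enabled Conditional Access policy '$($pol.DisplayName)'") }
        }
    }
    if ([Xml.XmlConvert]::ToTimeSpan($MaxActivation) -gt [TimeSpan]::FromHours(2)) { $findings.Add("PIM activation maximum duration is $MaxActivation: set it to 2 hours or less") }
    $findings
}

function Get-LiveGlobalAdminInputs {
    # Builds the inputs from Graph (assumed mapping; group-based assignments have no userPrincipalName on the principal).
    param([Parameter(Mandatory)][string[]]$BreakGlassUpns)
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleManagementPolicy.Read.Directory', 'Policy.Read.All', 'User.Read.All'
    $g = 'https://graph.microsoft.com/v1.0'
    $roleFilter = "roleDefinitionId eq '$GlobalAdminTemplateId'"
    $shape = { process { [pscustomobject]@{ Id = $_.principalId; Upn = $_.principal.userPrincipalName; AssignmentType = $_.assignmentType
                                            EndDateTime = $_.endDateTime; OnPremisesSyncEnabled = $_.principal.onPremisesSyncEnabled } } }
    $active   = (Invoke-MgGraphRequest -Method GET -Uri "$g/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=$roleFilter&`$expand=principal").value | & $shape
    $eligible = (Invoke-MgGraphRequest -Method GET -Uri "$g/roleManagement/directory/roleEligibilityScheduleInstances?`$filter=$roleFilter&`$expand=principal").value | & $shape
    $ca = (Invoke-MgGraphRequest -Method GET -Uri "$g/identity/conditionalAccess/policies").value |
          ForEach-Object { [pscustomobject]@{ DisplayName = $_.displayName; State = $_.state; ExcludeUsers = $_.conditions.users.excludeUsers } }
    $bgIds = $BreakGlassUpns | ForEach-Object { (Invoke-MgGraphRequest -Method GET -Uri "$g/users/$($_)?`$select=id").id }
    $policyId = (Invoke-MgGraphRequest -Method GET -Uri "$g/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and $roleFilter").value[0].policyId
    $maxAct   = (Invoke-MgGraphRequest -Method GET -Uri "$g/policies/roleManagementPolicies/$policyId/rules/Expiration_EndUser_Assignment").maximumDuration
    Get-GlobalAdminFindings -Active $active -Eligible $eligible -BreakGlassIds $bgIds -CaPolicies $ca -MaxActivation $maxAct
}

# Constructed sample (no tenant needed): five distinct holders, a legacy service account with standing access,
# and a second break-glass account that is synced from on-premises and missing a Conditional Access exclusion.
$bg1 = 'b0000001-0000-4000-8000-000000000001'; $bg2 = 'b0000002-0000-4000-8000-000000000002'
$sampleActive = @(
    [pscustomobject]@{ Id = $bg1;     Upn = 'admin-breakglass-1@contoso.example'; AssignmentType = 'Assigned';  EndDateTime = $null; OnPremisesSyncEnabled = $false },
    [pscustomobject]@{ Id = $bg2;     Upn = 'admin-breakglass-2@contoso.example'; AssignmentType = 'Assigned';  EndDateTime = $null; OnPremisesSyncEnabled = $true },
    [pscustomobject]@{ Id = 'u-svc';  Upn = 'legacy-svc@contoso.example';         AssignmentType = 'Assigned';  EndDateTime = $null; OnPremisesSyncEnabled = $false },
    [pscustomobject]@{ Id = 'u-alice'; Upn = 'alice@contoso.example';             AssignmentType = 'Activated'; EndDateTime = '2026-05-31T12:00:00Z'; OnPremisesSyncEnabled = $false }
)
$sampleEligible = @([pscustomobject]@{ Id = 'u-alice'; Upn = 'alice@contoso.example' }, [pscustomobject]@{ Id = 'u-bob'; Upn = 'bob@contoso.example' })
$sampleCa = @([pscustomobject]@{ DisplayName = 'Require MFA and compliant device for admins'; State = 'enabled'; ExcludeUsers = @($bg1) })
Get-GlobalAdminFindings -Active $sampleActive -Eligible $sampleEligible -BreakGlassIds $bg1, $bg2 -CaPolicies $sampleCa -MaxActivation 'PT8H'
```

On the sample this yields five findings: five distinct holders (at Microsoft's 'fewer than five' ceiling), the legacy service account's standing assignment, the synced second break-glass account, that same account's missing Conditional Access exclusion, and the 8-hour activation maximum. Alice's currently activated assignment is not counted as standing because its AssignmentType is 'Activated' and it has an end date, which is exactly the distinction the role assignment schedule instances give you.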

What This Looks Like on the Job

In a typical enterprise deployment, I've seen tenants with 20+ Global Administrators due to organic growth and lack of governance. The first step is always a cleanup. For example, a multinational company with 50,000 users had 15 Global Admins. After assessment, we reduced it to two eligible accounts for daily operations (one primary, one backup, both activated through PIM) plus two permanent break-glass accounts, four Global Administrators in total. We implemented PIM with a 2-hour activation maximum, MFA, and approval from the IT director. This reduced the attack surface significantly.

Another scenario: a healthcare organization needed to comply with HIPAA. They required that all Global Admin activations be approved by a compliance officer. We configured PIM with approval workflow and set the activation duration to 1 hour. Additionally, we created a Conditional Access policy that required Global Admins to sign in from a compliant device (Intune managed) and a trusted IP range. This ensured that even if credentials were stolen, the attacker couldn't activate the role without meeting these conditions.

A common misconfiguration is forgetting to create break-glass accounts. I've seen tenants locked out because the only Global Admin's account was deleted or MFA broke. In one case, a company lost access to their tenant for 24 hours because they had no break-glass account and the sole Global Admin's phone (used for MFA) was lost. Microsoft support had to intervene. The fix: always maintain two break-glass accounts with long passwords stored in a safe, and test them quarterly.

Performance considerations: PIM activation itself completes in seconds, but the new assignment can take a few minutes to propagate, and an approval workflow adds however long the approver takes, so designate a second approver for coverage. Longer activation windows (the default is already 8 hours, and the cap is 24) are tempting for maintenance windows, but they widen the period in which a hijacked session carries Global Admin; most teams go shorter, not longer. Also note that PIM requires a Microsoft Entra ID P2 (or Entra ID Governance) license for every user who is eligible for, activates, approves or reviews a PIM role, not just Global Admins, which can be a cost consideration for large tenants.

How MS-102 Actually Tests This

The MS-102 exam tests Global Administrator best practices under objective 'Manage identity and access' (domain 1) and specifically 'Manage roles and role assignments' (1.2). Expect scenario-based questions where you must choose the correct configuration to secure privileged access.

Common wrong answers on exam questions:

'Assign Global Administrator to all IT staff for simplicity' is wrong because it violates least privilege; the correct approach is to use PIM and limit permanent assignments.

'Use a single break-glass account' is wrong; Microsoft recommends at least two break-glass accounts to avoid a single point of failure.

'Disable MFA for Global Admins to avoid lockout' is wrong; MFA is critical, and break-glass accounts are the answer to lockout risk.

'Store break-glass passwords in a shared document' is wrong; use a secure physical or digital vault.

Specific numbers and terms that appear verbatim on the exam:

The recommended maximum number of permanent Global Administrators: 2-4.

Default PIM activation maximum duration: 8 hours.

Maximum configurable activation duration: 24 hours.

Break-glass accounts must be cloud-only (not synchronized).

PIM requires Azure AD Premium P2 licensing.

Edge cases the exam loves:

What if the only Global Admin leaves the company? Answer: Use break-glass accounts or contact Microsoft support.

What if you need to grant Global Admin to an external consultant? Answer: Use PIM with time-bound activation and approval.

Can you assign Global Admin via group membership? Yes, to a role-assignable group, and PIM for Groups (formerly Privileged Access Groups) can make that membership eligible rather than standing.

How to eliminate wrong answers: Understand the mechanism of PIM. If a question requires a 'permanent' assignment, options that say 'eligible' or 'requires activation' are wrong. Remember that break-glass accounts must not depend on the same MFA mechanism and Conditional Access policies as everyone else, since those are what may have failed; they still need a long password and, under current guidance, a different factor such as a FIDO2 key kept with it. An answer that simply puts break-glass accounts under the standard admin MFA policy is the one to eliminate.

Key Takeaways

Limit permanent Global Administrators to 2-4; use PIM for all others.

Create at least two break-glass cloud-only accounts with permanent Global Admin role and long passwords stored securely.

The PIM activation maximum duration defaults to 8 hours and can be set up to 24 hours; configure the shortest window that works (1-2 hours).

Require MFA and justification for all PIM activations.

Exclude break-glass accounts from Conditional Access and PIM policies.

Monitor audit logs for Global Admin activations and actions.

Use Conditional Access to enforce MFA, compliant device, and trusted location for admins.

PIM requires Azure AD Premium P2 licensing for all users who will activate roles.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Permanent Global Admin

Always active; no need to activate

Higher risk of misuse if credentials are compromised

No MFA or approval required unless Conditional Access enforces

Simpler for daily operations but less secure

Recommended only for break-glass accounts

Eligible Global Admin (PIM)

Requires activation via PIM with MFA and justification

Reduces standing privileges; role activated only when needed

Can require approval from another admin

More secure but requires user training

Recommended for all regular administrators

Watch Out for These

Mistake

You should have at least 5 Global Administrators to ensure coverage.

Correct

Microsoft recommends 2-4 permanent or eligible Global Administrators. More than 4 increases the attack surface and makes auditing difficult. Use PIM to grant temporary access instead of adding permanent admins.

Mistake

Break-glass accounts should be covered by the same MFA and Conditional Access policies as normal admins.

Correct

Break-glass accounts exist for the moment when the normal MFA path or a Conditional Access policy is the thing that has broken, so they are excluded from those policies and must not rely on the same MFA mechanism. Protect them instead with a very long, complex password stored securely and, per current Microsoft guidance, a different factor such as a FIDO2 security key kept with it. Test them periodically and alert on every sign-in.

Mistake

PIM activation duration is capped at 8 hours.

Correct

The activation maximum duration defaults to 8 hours and can be configured up to 24 hours. Longer durations increase risk, so set the minimum necessary (1-2 hours for routine work).

Mistake

You cannot assign Global Administrator to a group; every Global Admin must be assigned individually.

Correct

Global Administrator can be assigned to a role-assignable group (one created with 'Microsoft Entra roles can be assigned to the group' enabled; an ordinary security or Microsoft 365 group will not do), and PIM for Groups (formerly Privileged Access Groups) can make membership of that group eligible. Only Global Administrators and Privileged Role Administrators can manage such a group, precisely because its membership is equivalent to the role. The exam may test the difference between a role-assignable group and an ordinary group.

Mistake

Global Administrator is the only role that can manage other admins.

Correct

Other roles like Privileged Role Administrator can also manage role assignments, including Global Admin. However, Global Admin has the broadest scope. The exam may test the hierarchy of roles.


Frequently Asked Questions

What is the maximum number of Global Administrators recommended by Microsoft?

Microsoft recommends no more than 2-4 permanent or eligible Global Administrators. This minimizes the attack surface while ensuring redundancy. If you need more people to perform admin tasks, use lower-privilege roles like User Administrator or Exchange Administrator.

How do I create a break-glass Global Administrator account?

Create a new cloud-only user (not synchronized or federated, on the tenant's default .onmicrosoft.com domain) in Microsoft Entra ID and assign the Global Administrator role permanently. Set a long, complex password (20+ characters) and store it offline in a secure place such as a physical safe; if you also keep a copy in a cloud vault such as Azure Key Vault, remember that reading it requires an Entra ID sign-in, which may be unavailable in exactly the outage you are trying to survive. Do not assign any licenses. Exclude the account from Conditional Access policies and keep it outside PIM, give it a different second factor from everyone else (a FIDO2 key kept with the password, per current Microsoft guidance), alert on every sign-in, and test it periodically.

Can I assign Global Administrator to a group?

Yes. Global Administrator can be assigned to a role-assignable group (a group created with 'Microsoft Entra roles can be assigned to the group' enabled; ordinary security or Microsoft 365 groups cannot receive directory roles). With PIM for Groups (formerly Privileged Access Groups) membership of that group can be eligible, so activating membership activates the role. Only Global Administrators and Privileged Role Administrators can change a role-assignable group's members and owners.

What is the difference between Global Administrator and Privileged Role Administrator?

Global Administrator has full access to all Microsoft 365 services. Privileged Role Administrator can manage role assignments and PIM settings in Entra ID, including assigning Global Admin to anyone, itself included, so treat it as equivalent in sensitivity even though it has no access to data in Exchange Online or SharePoint Online by default.

How do I audit Global Administrator activations?

Use the Entra ID audit log (Microsoft Entra admin center > Identity > Monitoring & health > Audit logs), filtering by service 'PIM' or by activity 'Add member to role completed (PIM activation)' and 'Add member to role'. Also use the PIM audit history (Identity governance > Privileged Identity Management > Audit history). For a broader view, search the unified audit log in the Microsoft Purview portal.

What happens if all Global Administrators are locked out?

If you have break-glass accounts, use them to regain access. If not, you must contact Microsoft Support. They will verify your identity and can reset a Global Admin's credentials. This process can take hours to days, so break-glass accounts are critical.

Does PIM work with on-premises Active Directory?

PIM is for cloud roles in Azure AD. For on-premises AD, use Microsoft Identity Manager's Privileged Access Management (PAM) feature. However, you can integrate on-premises AD with Azure AD using Azure AD Connect, and then manage hybrid identities with PIM for cloud roles.
