Microsoft Entra Global Administrator assignments are evaluated by counting current role members per tenant and identifying when the number of assignees is 5 or more.
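The counting logic described above, reproduced as an added example (not Prowler's own check code) over a constructed sample of directory-role member records; the tenant and member ids are made up, and a tenant with no records is treated as having zero assignees:

```python
from collections import defaultdict

GLOBAL_ADMIN_ROLE = "Global Administrator"
GLOBAL_ADMIN_THRESHOLD = 5  # 5 or more assignees fails the check

# Constructed sample: one record per role membership as an inventory
# export might list them (tenant id, role display name, member object id).
# "tenant-a" has a duplicate record for the same member, which must be
# counted once; "tenant-b" has exactly 5 distinct Global Administrators.
SAMPLE_ROLE_MEMBERS = [
    {"tenant": "tenant-a", "role": GLOBAL_ADMIN_ROLE, "id": "user-0001"},
    {"tenant": "tenant-a", "role": GLOBAL_ADMIN_ROLE, "id": "user-0002"},
    {"tenant": "tenant-a", "role": GLOBAL_ADMIN_ROLE, "id": "user-0002"},
    {"tenant": "tenant-a", "role": "User Administrator", "id": "user-0003"},
    {"tenant": "tenant-b", "role": GLOBAL_ADMIN_ROLE, "id": "user-0101"},
    {"tenant": "tenant-b", "role": GLOBAL_ADMIN_ROLE, "id": "user-0102"},
    {"tenant": "tenant-b", "role": GLOBAL_ADMIN_ROLE, "id": "user-0103"},
    {"tenant": "tenant-b", "role": GLOBAL_ADMIN_ROLE, "id": "user-0104"},
    {"tenant": "tenant-b", "role": GLOBAL_ADMIN_ROLE, "id": "user-0105"},
]


def global_admins_per_tenant(role_members):
    """Map each tenant to the set of distinct Global Administrator member ids."""
    admins = defaultdict(set)
    for record in role_members:
        if record["role"] == GLOBAL_ADMIN_ROLE:
            admins[record["tenant"]].add(record["id"])
    return admins


def evaluate(role_members, tenants):
    """Return one finding per tenant: FAIL when assignees >= threshold."""
    admins = global_admins_per_tenant(role_members)
    findings = []
    for tenant in tenants:
        count = len(admins.get(tenant, set()))
        status = "FAIL" if count >= GLOBAL_ADMIN_THRESHOLD else "PASS"
        findings.append({"tenant": tenant, "status": status, "count": count})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ROLE_MEMBERS, ["tenant-a", "tenant-b", "tenant-c"]):
        print(f"{finding['tenant']}: {finding['status']} ({finding['count']} Global Administrators)")
```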
Risk
Having 5 or more Global Administrators expands the privileged attack surface. A compromised credential or token for any one of them can enable tenant-wide changes, the disabling of security controls, data exfiltration, and persistence, impacting confidentiality, integrity, and availability across Entra, Microsoft 365, and Azure.
prowler azure --checks entra_global_admin_in_less_than_five_users
Recommendation
Limit the Global Administrator role to fewer than 5 users.
- Apply least privilege; use narrower roles where possible
- Use PIM for just-in-time, no standing access
- Enforce MFA and dedicated admin accounts
- Run access reviews regularly and keep cloud-only break-glass accounts for emergencies
Remediation
Remove-MgDirectoryRoleMember -DirectoryRoleId (Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'").Id -DirectoryObjectId '<example_user_id>'
- Sign in to the Microsoft Entra admin center
- Go to Identity > Roles & admins > Global Administrator
- Select View assignments (or Assignments)
- Remove members until the total Global Administrator assignments are fewer than 5
- Save changes
Resource Type
NotDefined