Description
- Type: CUSTOMER
- Severity: WARNING / CRITICAL
- Protection against: ERROR
- CIS: M365 1.1.3 - (L2) Ensure that between two and four global admins are designated
This Customer Check verifies via Secure Score how many accounts with global admin rights exist in the tenant.
Why this check?
It is recommended not to have too many or too few users with global admin rights. The advice is to keep the number between 2 and 4. By having at least 2 global admins, there is a backup in case 1 admin has login issues or, for example, leaves the company. The maximum of 4 is suggested by Microsoft itself and is also recommended by CIS.
CIS Benchmarks
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 1.1.3 - (L2) Ensure that between two and four global admins are designated
What are the possible outcomes of the check?
This check has three possible outcomes. In Attic, this is reflected as follows:
- Okay: The number of global admins is between 2 and 4
- Warning: The number of global admins is above 4
- Critical: There is only 1 global admin in the tenant
How should this be followed up?
If the output is Warning , we advise reducing the number of global admins to a maximum of 4.
If the output is Critical , we advise creating a 2nd or Emergency admin account. The login details for the emergency account can be stored in a vault and truly serve as a backup depending on your situation.
Manage emergency access admin accounts - Azure AD | Microsoft Docs
Comments
0 comments
Please sign in to leave a comment.