Microsoft Entra tenant with unsecure delegation of Global Admin role

Cayosoft Threat Definition CTD-000023

Risk Summary

Having only one global administrator account is a potential threat to your environment. Too few Global Admins reduce oversight and resilience; too many increase the chance that one account is breached.

  • Severity: Low
  • Platform: Entra ID 
  • Category: Tenant-wide, Delegation
  • MITRE ATT&CK Tactics: Persistence
  • MITRE D3FEND Tactics: User Account Permissions

Description

Having only one global administrator account is a potential threat to your environment. There should be at least two accounts for redundancy and audit purposes. With only one global administrator, a threat actor who takes over that account can perform malicious activities without being discovered by another administrator. However, too many global administrator accounts increase the possibility that one of the accounts will be breached by a threat actor.

Real-World Scenario

A single Global Admin manages the tenant without backup. An attacker phishes that admin and adds a second, hidden Global Admin via the Roles and administrators blade to ensure persistence. With broad privileges, the attacker creates access keys, adds app secrets, and lowers conditional access policies, avoiding obvious sign-in anomalies. No other Global Admin exists to notice the change or to revoke the new assignment. Cayosoft Guardian flags the risky delegation by checking the Global Admin membership count against policy (min/max) and surfacing who holds the role.
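
The check described above, as an added example that is not Cayosoft Guardian's code: it evaluates a list of Global Administrator role holders against a min/max policy and, going one step beyond the count, against an approved-holder baseline, because the account added in the scenario brings the count to an in-policy 2. The sample data, the function name `evaluate_global_admins`, the maximum of 4 and the baseline set are assumptions made for illustration.

```python
import json

# Constructed sample (not real tenant data), shaped like the "value" array of a
# Microsoft Graph directory-role members response for Global Administrator.
SAMPLE_MEMBERS = json.loads("""
[
  {"@odata.type": "#microsoft.graph.user",
   "id": "11111111-0000-0000-0000-000000000001",
   "userPrincipalName": "admin@contoso.example"},
  {"@odata.type": "#microsoft.graph.user",
   "id": "11111111-0000-0000-0000-000000000002",
   "userPrincipalName": "svc-backup7@contoso.example"}
]
""")

# Assumed baseline: the single Global Admin from the scenario.
APPROVED_IDS = {"11111111-0000-0000-0000-000000000001"}


def evaluate_global_admins(members, approved_ids, min_count=2, max_count=4):
    """Return (code, detail) findings. min_count=2 follows the page;
    max_count=4 is an assumed policy value."""
    holders = {m["id"]: m for m in members}  # de-duplicate by object id
    findings = []
    if len(holders) < min_count:
        findings.append(("TOO_FEW", f"{len(holders)} holder(s), minimum {min_count}"))
    if len(holders) > max_count:
        findings.append(("TOO_MANY", f"{len(holders)} holder(s), maximum {max_count}"))
    # A count inside the limits says nothing about who holds the role,
    # so every holder is also compared with the approved baseline.
    for oid in sorted(holders):
        if oid not in approved_ids:
            m = holders[oid]
            kind = m.get("@odata.type", "").rsplit(".", 1)[-1] or "unknown"
            name = m.get("userPrincipalName") or m.get("displayName") or oid
            findings.append(("UNAPPROVED", f"{kind} {name} ({oid})"))
    # Approved holders that no longer hold the role (removed or replaced).
    for oid in sorted(set(approved_ids) - set(holders)):
        findings.append(("MISSING_APPROVED", oid))
    return findings


if __name__ == "__main__":
    for code, detail in evaluate_global_admins(SAMPLE_MEMBERS, APPROVED_IDS):
        print(f"{code}: {detail}")
```
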

How to Detect (Cayosoft Guardian)

1.) Sign in to Cayosoft Guardian Threat Detection Dashboard.

2.) Open All Alerts and search for CTD-000023 or Microsoft Entra tenant with unsecure delegation of Global Admin role.

3.) Open any alert and Click for details (from Raise Threat Alert action).

4.) Evidence:

  • Global Admins

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
  1. To review accounts with Global Admin role:
    1. Log in to Microsoft 365 admin center as a Global Administrator.
    2. Select Users.
    3. Select Active Users.
    4. Select Filter then select Global Admins.
    5. Review the list of Global Admins.
  2. To assign or de-assign the Global Administrator role using the Microsoft Entra admin center, follow the instructions.

How to Prevent It

Cayosoft Guardian can proactively detect and alert on Microsoft Entra tenant with unsecure delegation of Global Admin role. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.

FAQ

It refers to a situation where the Microsoft Entra tenant has an improper setup of Global Administrator accounts — typically when there is only one Global Admin or too many. This imbalance creates a security risk because one account can be a single point of failure or an excessive number can expand the attack surface.

Because if only one Global Administrator exists and that account is compromised, an attacker can silently add new admins, lower security settings, and maintain control. Without another Global Admin to detect or reverse these actions, the entire tenant becomes vulnerable to persistent attacks.

Administrators should ensure at least two Global Admins exist for redundancy, remove unnecessary permanent admin rights, and use Privileged Identity Management (PIM) for temporary elevation. Continuous monitoring with Cayosoft Guardian can also detect when admin counts fall outside approved thresholds.

Final Thought

Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like Microsoft Entra tenant with unsecure delegation of Global Admin role, you reduce attack surfaces and strengthen your organization’s overall security posture.