Azure AD Roles: Global Admin Assignment should be a Last Resort
Azure Active Directory has many components to it, with many features and capabilities. These different possibilities necessitate the creation of a Role system in Active Directory, to define any users responsibilities. As of writing there are 91 built-in Azure Active Directory roles that can be assigned.
This many options and complexity creates an ecosystem where an employee can solely be tasked with managing a compliance tool like Microsoft Purview without ever needing to touch or be aware of how a security tool like Microsoft Defender works. In order to manage Purview in our example, the employee named Sam is assigned the Global Admin role. This is done because we easily know that Sam will absolutely have the permissions to do his job then. This creates a scenario of excess permission though, as Sam now has the freedom to change configurations in Defender, disable Conditional Access Policies, and a whole host of other actions that can cripple a network. This could have been avoided by instead assigning Sam to the Compliance Administrator role, granting all the access they needed without putting the rest of the network at risk.
The previous example is an example of how frivolous assignment of the Global Admin role can be detrimental to tenant security. The GA role is all-powerful and can do most anything they want to in a tenant. GA can add new users and apps, they can change security settings, and they can take over Azure RBAC ecosystem.
How can you defend against these actions? It won't be Conditional Access Policies, as any grant and session controls in place just be turned off by the GA. It won't be Privileged Identity Management, as the temporary GA can just permanently assign themselves as GA anyways. These are good measures to have in place, but they cannot be your failsafe.
The only way to protect your network yourself from a user having GA power is to not assign the role to them in the first place. It is irresponsible and lazy to give GA power to any normal user other than absolutely necessary. Microsoft has defined a bevy of roles for use and those will be able to cover your use case without putting your tenant at risk. Microsoft itself recommends a maximum of 5 GAs for a tenant.
Global Admin accounts should be treated with the utmost caution. Because of their power, all security measures should be in place for those users (like PIM and CA mentioned before). Being cognizant and deliberate with what roles are assigned to a user follows the principle of least privilege, granting only what is necessary for the user's duties.
Our team at Senserva has studied the Azure AD Roles thoroughly, ranking them based on their relative power. We incorporate that into our Scanner solution, providing cross-reference knowledge that lets you know where your biggest risk lies. Contact us today to speak to our team and see how we do this.
Sources:
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user
https://learn.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5