I thought I'd jot down something for this as I don't believe most know how powerful global administrator really is in Microsoft Azure.
What is Global Administrator?
Global Administrator is the most permissive role within Azure. It gives you access to everything within the platform, from full access to Microsoft Entra to assigning permissions to all resources.
Why is it painful for Security people?
The reason this role is so painful for security people is what you can do with global administrator. If a malicious actor ever gained access to a user account with global administrator attached, they can do everything within the tenant without limit.
Not long ago this wasn't that well known but Microsoft have since updated their documentation. Global Administrator has a semi-secretive function where you can elevate your access even further then what you think you can.
Within Microsoft Azure, if you head to the tenant properties there will be a section near the bottom of the page
Effectively Global Administrator will give you access to all subscriptions, all Management Groups...everything. When you enable this function, your account gains owner access to the entire Microsoft Azure Subscription structure.
Sooo how should you control this more effectively?
Privileged Identity Management is the answer to that question. To effectively control what users do within Microsoft Azure, a properly defined PIM policy should be wrapped around your Global Administrator users, and keeping your global administrator users to a minimum.
For further information around this, check out the below links
Comments