Christian

Too Many Global Admins? Your Microsoft 365 Tenant Is a Breach Waiting to Happen

Tags: microsoft-365, security, delegation

Microsoft's own security guidance is clear: keep Global Admin accounts to a minimum — ideally two, never more than five. Yet most small and mid-size organizations have far more than that.

It's not carelessness. It's a workaround for a real problem.

How it happens

The pattern is always the same. IT gets overwhelmed with routine requests — password resets, new hire accounts, license changes. Someone in HR or ops asks for admin access so they can handle it themselves. IT obliges because the alternative is a growing ticket queue and frustrated colleagues.

Six months later, eight people have Global Admin. Some of them have left the company. Nobody's sure which accounts are still active.

Why it matters

Every Global Admin account is a potential entry point for an attacker. A compromised Global Admin can:

  • Read any mailbox in the organization — emails, attachments, calendar
  • Reset any password, locking out legitimate users
  • Delete users and data — including backups if retention policies aren't configured
  • Disable MFA for other accounts, creating a cascading compromise
  • Register applications with broad permissions, establishing persistent backdoor access
  • Modify conditional access policies, removing security controls entirely

It's not hypothetical. Phishing attacks specifically target admin accounts because the payoff is total control of the tenant. Microsoft's 2025 Digital Defense Report found that admin account compromise was involved in over 60% of serious Microsoft 365 security incidents.

The Entra ID built-in roles aren't enough

Microsoft does offer scoped admin roles — User Administrator, Password Administrator, License Administrator. In theory, these solve the problem.

In practice, they fall short for most organizations:

They're still too broad. A User Administrator can manage all users in the tenant, including other administrators. That's a lot of blast radius for someone who just needs to onboard new hires in their department.

There's no unified interface. Each role still requires navigating the admin center or Azure portal. Most non-IT staff find these interfaces overwhelming. They'll either make mistakes or keep asking IT for help anyway.

No audit trail at the task level. Entra ID logs admin actions, but the logs are buried in Azure Monitor and aren't designed for non-technical review. Good luck getting your HR director to read a KQL query.

Role assignment is all-or-nothing. You can't say "this person can create users but only with these specific licenses." Scoping by department, license type, or task isn't supported natively.

What actually works

The solution isn't more admin roles — it's removing the need for admin access entirely.

A delegation layer sits between your team and the Microsoft Graph API. It authenticates with OAuth (the same protocol the admin center uses), but only exposes the specific operations each person needs. The key principles:

Least privilege by design

Instead of granting an Azure role and hoping people stay in their lane, you define exactly what each person can do. Create users — yes. Delete the tenant — obviously not. The system enforces the boundaries, not a policy document nobody reads.

Role-based access with teeth

A three-tier model (Admin, Member, Viewer) covers most organizations. Members can manage users and groups. Viewers can see the user list but can't change anything. Admins handle billing and settings. Nobody needs Global Admin.

Immutable audit log

Every action is logged with the actor, target, timestamp, and full context. The log can't be edited or deleted — not by admins, not by anyone. When your security team asks "who did this?", you have the answer in seconds.

Familiar interface

Non-IT staff don't need to learn the Azure portal. They get a clean, purpose-built interface that looks like the tools they already use. Click a user, reset their password, assign a license. Done.
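As an added illustration of the four principles above (not UserDesk's code, which this post does not show), here is a minimal Python delegation gate: a deny-by-default allow-list of Graph operations per tier, plus a hash-chained audit log that detects any edit or deletion of a past entry. The tier names come from the post; the concrete Graph paths granted to each tier are this example's assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
# Allowed Microsoft Graph operations per tier as (HTTP method, path regex). The tiers
# follow the three-tier model above; the concrete paths are this example's assumptions.
POLICY = {
    "viewer": [("GET", r"^/users(/[^/]+)?$"), ("GET", r"^/groups(/[^/]+)?$")],
    "member": [
        ("GET", r"^/users(/[^/]+)?$"), ("POST", r"^/users$"),
        ("PATCH", r"^/users/[^/]+$"),              # e.g. accountEnabled, department
        ("POST", r"^/users/[^/]+/assignLicense$"),
        ("GET", r"^/groups(/[^/]+)?$"), ("POST", r"^/groups/[^/]+/members/\$ref$"),
    ],
}
POLICY["admin"] = POLICY["member"] + [("GET", r"^/subscribedSkus$")]  # billing view

def authorize(role: str, method: str, path: str) -> bool:
    """Deny by default: only operations on the role's allow-list are forwarded to Graph."""
    return any(method == m and re.match(p, path) for m, p in POLICY.get(role, []))

def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Hash-chained, append-only log: editing or deleting any past entry breaks verify()."""
    def __init__(self):
        self.entries = []

    def record(self, actor, role, method, path, allowed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"actor": actor, "role": role, "method": method, "path": path, "allowed": allowed,
                 "ts": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def handle(log: AuditLog, actor, role, method, path) -> bool:
    """Gate one request: decide, record the decision (allowed or denied), return it."""
    allowed = authorize(role, method, path)
    log.record(actor, role, method, path, allowed)
    return allowed
```

A hash chain makes tampering detectable rather than impossible: whoever can rewrite the store can rebuild the chain, so the newest hash should be copied somewhere the log writers cannot reach (append-only storage or a separate tenant).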

The math on risk reduction

Say your organization has 8 Global Admins today. Each one is a potential phishing target with total tenant access. You need two for break-glass scenarios.

By moving the other 6 to a scoped delegation tool, you've:

  • Reduced your Global Admin attack surface by 75%
  • Eliminated their ability to access mailboxes, modify security policies, or register apps
  • Added a complete audit trail for every action they take
  • Made compliance reviews dramatically simpler

The 6 people who lost Global Admin? They can still do everything they actually needed to do. They just can't do the things that would compromise the tenant.

Getting started

You can audit your current Global Admin count in the Microsoft 365 admin center under Users → Active users → filter by Admin roles. If you see more than five, it's time to act.
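The same count can be scripted against Microsoft Graph so it runs on a schedule instead of through the admin center click path. This is an added example, not UserDesk's code; it assumes an access token in the GRAPH_TOKEN environment variable granted RoleManagement.Read.Directory, and uses the well-known roleTemplateId of the built-in Global Administrator role. assess() applies the post's guidance to the member list: it counts human admins, flags disabled (likely departed) accounts, and reports whether the tenant is over the ceiling of five.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known template id of the built-in Global Administrator directory role.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

def _get_all(url: str, token: str, params: dict = None) -> list:
    """GET a Graph collection and follow @odata.nextLink so large tenants are not truncated."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if params:
        url += "?" + urllib.parse.urlencode(params)  # nextLink already carries its own query
    items = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as r:
            data = json.load(r)
        items.extend(data.get("value", []))
        url = data.get("@odata.nextLink")
    return items

def fetch_global_admins(token: str) -> list:
    """Members of the activated Global Administrator role. The token is assumed to carry
    RoleManagement.Read.Directory (Directory.Read.All if member attributes come back empty)."""
    roles = _get_all(f"{GRAPH}/directoryRoles", token,
                     {"$filter": f"roleTemplateId eq '{GLOBAL_ADMIN_TEMPLATE_ID}'"})
    if not roles:  # role never activated in this tenant, so nobody holds it
        return []
    return _get_all(f"{GRAPH}/directoryRoles/{roles[0]['id']}/members", token,
                    {"$select": "id,userPrincipalName,accountEnabled"})

def assess(members: list, ceiling: int = 5) -> dict:
    """Count human Global Admins, flag disabled (likely departed) accounts, and report
    whether the tenant exceeds the ceiling from Microsoft's guidance."""
    users = [m for m in members if m.get("@odata.type") == "#microsoft.graph.user"]
    disabled = sorted(m["userPrincipalName"] for m in users if not m.get("accountEnabled", True))
    return {"count": len(users), "disabled": disabled,
            "non_user_members": len(members) - len(users),  # service principals, groups
            "over_ceiling": len(users) > ceiling}

if __name__ == "__main__":
    # GRAPH_TOKEN is an access token obtained out of band (e.g. via MSAL); an assumption here.
    print(json.dumps(assess(fetch_global_admins(os.environ["GRAPH_TOKEN"])), indent=2))
```

Disabled accounts still holding the role are the "people who left" case from earlier in the post; they should be removed from the role, not just left disabled.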

UserDesk is one way to implement this delegation model. See exactly how it works in the interactive demo, or read more about the security architecture — including what happens if our own systems are breached (spoiler: your tenant stays safe because we never store your credentials).

If you're an MSP managing multiple client tenants, this problem multiplies. See how multi-tenant delegation works.
