Microsoft Entra ID · Remaining Built-in Roles

Global Administrator

Can manage all aspects of Microsoft Entra ID and Microsoft services. This is the highest-privilege role: it can reset any password, consent to any app on behalf of the organization, and elevate its own access to every Azure subscription in the tenant.

Scope: Organization-wide administrative access across Microsoft Entra ID and all Microsoft 365 services

Permissions

  • Directory Resources - Full control over all directory resources
  • Password Reset - Reset passwords for any user including other Global Admins
  • App Consent - Consent to any application permissions on behalf of the organization
  • Azure Access - Elevate access to manage all Azure subscriptions
  • Security Policies - Configure all Conditional Access and Identity Protection policies
  • PIM Management - Manage PIM settings and role assignments
  • Emergency Accounts - Create and manage emergency access accounts
  • Federation - Configure federation and external identity providers
  • M365 Services - Manage all Microsoft 365 services (Exchange, SharePoint, Teams, etc.)

Common use cases

  • Initial tenant setup and baseline configuration
  • Emergency break-glass administrative access
  • Assigning administrator roles when no other admin exists
  • Configuring cross-tenant trust relationships
  • Managing critical security incidents requiring full access
  • Setting up federation and external identity providers

Best practices

  • Limit to 2-4 people maximum (Microsoft recommendation)
  • Use PIM for just-in-time access with approval workflow
  • Require phishing-resistant MFA (FIDO2 or certificate-based)
  • Create 2+ emergency access (break-glass) accounts
  • Never use for daily administrative tasks
  • Set maximum activation duration to 8 hours or less
  • Review assignments monthly
  • Test emergency access procedures quarterly

Security considerations

  • CRITICAL: Total tenant compromise if this role is compromised
  • Can reset ALL passwords including other Global Admins
  • Can disable Conditional Access and MFA requirements
  • Can consent to malicious apps on behalf of entire organization
  • Can elevate to Azure subscription access
  • Can access all mailboxes, files, and data
  • Should NEVER be permanently assigned - use PIM-eligible assignments with just-in-time activation
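The best practices and security considerations above reduce to a few checks that can be automated: how many principals hold the role, whether any are permanently assigned rather than PIM-eligible, whether the only permanent holders are the break-glass accounts, and whether any group or service principal holds it. The script below is an added example, not part of this page or any Microsoft script, that runs those checks read-only with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to RoleManagement.Read.Directory and Directory.Read.All, and that $BreakGlassUpns is replaced with your own emergency access accounts (the values below are placeholders). The role id it filters on is the fixed, well-known role template id for Global Administrator.

```powershell
<#
  Added example (not from the page or from Microsoft): audit Global Administrator
  holders and flag deviations from the practices listed above.
  Assumptions: Microsoft.Graph PowerShell SDK installed; caller can consent to
  RoleManagement.Read.Directory and Directory.Read.All; $BreakGlassUpns are
  placeholders to be replaced with your own emergency access accounts.
#>
param(
    [string[]]$BreakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example"),
    [int]$MaxHolders = 4
)

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Fixed, well-known role template id for Global Administrator.
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
$filter = "roleDefinitionId eq '$GlobalAdminRoleId'"

# Active instances: AssignmentType is 'Assigned' for permanent assignments and
# 'Activated' for a PIM activation of an eligible assignment.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All)
# Eligible instances: principals that may activate through PIM but are not active now.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All)

# Resolve principal ids to type / display name / UPN in one getByIds call.
$ids = @(@($active | ForEach-Object PrincipalId) + @($eligible | ForEach-Object PrincipalId) |
    Where-Object { $_ } | Select-Object -Unique)
$principals = @{}
if ($ids.Count -gt 0) {
    foreach ($obj in (Get-MgDirectoryObjectById -Ids $ids)) {
        $principals[$obj.Id] = [pscustomobject]@{
            Type = ($obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Name = $obj.AdditionalProperties['displayName']
            Upn  = $obj.AdditionalProperties['userPrincipalName']
        }
    }
}

function Describe($principalId) {
    # Deleted or unresolvable principals still show up, keyed by object id.
    $p = $principals[$principalId]
    if (-not $p) { return [pscustomobject]@{ Type = 'unknown'; Name = $principalId; Upn = $null } }
    return $p
}

$rows = [System.Collections.Generic.List[object]]::new()
foreach ($a in $active) {
    $p = Describe $a.PrincipalId
    $rows.Add([pscustomobject]@{
        Principal = if ($p.Upn) { $p.Upn } else { $p.Name }
        Type      = $p.Type
        State     = $a.AssignmentType      # Assigned = permanent, Activated = PIM
        Scope     = $a.DirectoryScopeId    # '/' is tenant-wide
        EndsUtc   = $a.EndDateTime         # null for permanent assignments
    })
}
foreach ($e in $eligible) {
    $p = Describe $e.PrincipalId
    $rows.Add([pscustomobject]@{
        Principal = if ($p.Upn) { $p.Upn } else { $p.Name }
        Type      = $p.Type
        State     = 'Eligible'
        Scope     = $e.DirectoryScopeId
        EndsUtc   = $e.EndDateTime
    })
}
$rows | Sort-Object State, Principal | Format-Table -AutoSize

# Findings against the practices above.
$findings  = [System.Collections.Generic.List[string]]::new()
$permanent = @($rows | Where-Object { $_.State -eq 'Assigned' })
foreach ($r in ($permanent | Where-Object { $_.Principal -notin $BreakGlassUpns })) {
    $findings.Add("Permanent assignment outside break-glass accounts: $($r.Principal) ($($r.Type))")
}
foreach ($r in ($rows | Where-Object { $_.Type -in @('group', 'servicePrincipal') })) {
    $findings.Add("Non-user principal holds or can activate the role: $($r.Principal) ($($r.Type), $($r.State))")
}
$holders = @($rows | ForEach-Object Principal | Select-Object -Unique)
if ($holders.Count -gt $MaxHolders) {
    $findings.Add("$($holders.Count) distinct holders exceeds the limit of $MaxHolders")
}
foreach ($upn in ($BreakGlassUpns | Where-Object { $_ -notin @($permanent | ForEach-Object Principal) })) {
    $findings.Add("Break-glass account lacks a permanent assignment: $upn")
}

if ($findings.Count -eq 0) { Write-Host "No findings." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from a PIM-activated reader identity as part of the monthly assignment review; every finding it prints maps to one of the bullets above (permanent rather than eligible assignment, more holders than the limit, a missing break-glass account, or a group or service principal holding the role). The eligibility query is what distinguishes a healthy tenant, where most holders appear as Eligible with no EndsUtc on the two break-glass accounts only, from one where the role is standing privilege.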

Official Microsoft Learn documentation →