Microsoft 365
Global Administrator
Grants full administrative access to all Microsoft 365 services. This is the highest-privilege role, providing unrestricted access across the entire tenant.
Scope: Organization-wide access across all Microsoft 365 and Azure services
Permissions
- Full administrative access to all Microsoft 365 services
- Manage Entra ID, Purview, Defender, and all other services
- Assign any role to any user
- Access and modify all organizational data
- Configure tenant-wide security policies
Common use cases
- Initial tenant setup and configuration
- Emergency break-glass access
- Cross-service administrative tasks
Best practices
- Limit to 2-5 people maximum
- Use PIM for just-in-time access
- Require phishing-resistant MFA
- Use dedicated admin accounts
Security considerations
- Highest privilege role - compromise affects entire organization
- Use break-glass accounts for emergency access
- Never use for daily administrative tasks
Common questions
When should I assign the Global Administrator role?
Assign Global Administrator when you need to: Initial tenant setup and configuration; Emergency break-glass access; and Cross-service administrative tasks. It is part of Microsoft 365 and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Global Administrator role do?
The Global Administrator role grants permissions including: Full administrative access to all Microsoft 365 services; Manage Entra ID, Purview, Defender, and all other services; Assign any role to any user; Access and modify all organizational data; and Configure tenant-wide security policies. See the Permissions section above for the full list.
What are the security risks of the Global Administrator role?
Key considerations when assigning Global Administrator: Highest privilege role - compromise affects entire organization; Use break-glass accounts for emergency access; and Never use for daily administrative tasks. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.