Microsoft 365
Global Administrator
Grants full administrative access to all Microsoft 365 services. This is the highest-privilege role, providing unrestricted access across the entire tenant.
Scope: Organization-wide access across all Microsoft 365 and Azure services
Permissions
- Full administrative access to all Microsoft 365 services
- Manage Entra ID, Purview, Defender, and all other services
- Assign any role to any user
- Access and modify all organizational data
- Configure tenant-wide security policies
Common use cases
- Initial tenant setup and configuration
- Emergency break-glass access
- Cross-service administrative tasks
Best practices
- Limit to 2-5 people maximum
- Use PIM for just-in-time access
- Require phishing-resistant MFA
- Use dedicated admin accounts
Security considerations
- Highest privilege role - compromise affects entire organization
- Use break-glass accounts for emergency access
- Never use for daily administrative tasks