Microsoft 365

Global Administrator

Grants full administrative access to all Microsoft 365 services. This is the highest-privilege role, providing unrestricted access across the entire tenant.

Scope: Organization-wide access across all Microsoft 365 and Azure services

Permissions

  • Full administrative access to all Microsoft 365 services
  • Manage Entra ID, Purview, Defender, and all other services
  • Assign any role to any user
  • Access and modify all organizational data
  • Configure tenant-wide security policies

Common use cases

  • Initial tenant setup and configuration
  • Emergency break-glass access
  • Cross-service administrative tasks

Best practices

  • Limit to 2-5 people maximum
  • Use PIM for just-in-time access
  • Require phishing-resistant MFA
  • Use dedicated admin accounts

Security considerations

  • Highest privilege role - compromise affects entire organization
  • Use break-glass accounts for emergency access
  • Never use for daily administrative tasks

Common questions

When should I assign the Global Administrator role?

Assign Global Administrator when you need to: Initial tenant setup and configuration; Emergency break-glass access; and Cross-service administrative tasks. It is part of Microsoft 365 and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Global Administrator role do?

The Global Administrator role grants permissions including: Full administrative access to all Microsoft 365 services; Manage Entra ID, Purview, Defender, and all other services; Assign any role to any user; Access and modify all organizational data; and Configure tenant-wide security policies. See the Permissions section above for the full list.

What are the security risks of the Global Administrator role?

Key considerations when assigning Global Administrator: Highest privilege role - compromise affects entire organization; Use break-glass accounts for emergency access; and Never use for daily administrative tasks. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →