Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator.
Why This Matters
Global Administrator is the most powerful role in Microsoft Entra ID, granting unrestricted access to all directory settings, user management, and security controls. Assigning this role to multiple users significantly expands your attack surface, as a single compromised Global Administrator account can lead to full tenant takeover. Using finer-grained roles limits privileges to only what each user needs, reducing blast radius and aligning with Zero Trust least privilege principles.
What Aether365 Checks
Aether365 verifies that privileged users in your Microsoft Entra ID tenant are assigned role-specific permissions rather than the Global Administrator role. This check appears in the Aether365 dashboard under the entra-id section.
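A way to run the same kind of review yourself, as an added example that is not Aether365's own logic: it groups role assignments by principal and reports who holds Global Administrator versus only finer-grained roles. The sample data is constructed (shaped like a Microsoft Graph role assignment listing), and the principal IDs, the `audit_role_assignments` function and the `max_global_admins` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Well-known template IDs of built-in Microsoft Entra ID roles.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
EXCHANGE_ADMIN = "29232cdf-9323-42fd-ade2-1d097af3e4de"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"

# Constructed sample shaped like the "value" array of Microsoft Graph
# GET /roleManagement/directory/roleAssignments; principal IDs are made up.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "user-bob", "roleDefinitionId": EXCHANGE_ADMIN},
    {"principalId": "user-carol", "roleDefinitionId": USER_ADMIN},
    {"principalId": "user-dave", "roleDefinitionId": SECURITY_ADMIN},
    {"principalId": "user-erin", "roleDefinitionId": GLOBAL_ADMIN},
]


def audit_role_assignments(assignments, max_global_admins=2):
    """Summarise who holds Global Administrator versus finer-grained roles.

    max_global_admins is a hypothetical threshold chosen for this example;
    set it to whatever your own policy allows.
    """
    roles = defaultdict(set)
    for item in assignments:
        roles[item["principalId"]].add(item["roleDefinitionId"])

    global_admins = sorted(p for p, r in roles.items() if GLOBAL_ADMIN in r)
    fine_grained = sorted(p for p, r in roles.items() if GLOBAL_ADMIN not in r)
    # Holders of Global Administrator who also carry a narrower role are a
    # natural starting point when reviewing who can drop Global Administrator.
    overlap = {p: sorted(roles[p] - {GLOBAL_ADMIN})
               for p in global_admins if len(roles[p]) > 1}
    return {
        "global_admins": global_admins,
        "fine_grained_only": fine_grained,
        "overlap": overlap,
        "within_threshold": len(global_admins) <= max_global_admins,
    }


if __name__ == "__main__":
    for key, value in audit_role_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{key}: {value}")
```

This covers direct, active assignments only; roles granted through group membership or held as PIM-eligible need that data merged in before the result reflects the whole tenant.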