
How I Audit and Reduce Admin Roles (Before They Become a Problem)

6 January 2026 by Jaspreet Singh
Whenever I take over a new Microsoft tenant, the first thing I check isn’t Conditional Access, MFA settings, or the security roadmap. It’s admin roles. Almost every time, I see the same issues:
  • Too many global admins
  • Roles assigned “just in case”
  • Former contractors still privileged
  • Admin access that hasn’t been reviewed in years

This isn’t a rare edge case.

It’s the default state of most environments (Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025, 2025). This is also one of the quickest ways to lose control of your tenant.

Why Excessive Admin Roles Are a Real Risk

Admin roles are more than just permissions; they can significantly increase the impact of any security issue. The more privileged accounts you have:

  • The more valuable your tenant becomes to attackers
  • The harder it is to audit activity
  • The easier it is for mistakes to turn into outages

I’ve seen tenants where more than 15 people had Global Admin access marked as 'temporary' for years (ADMIN - Security, Productivity, and Network Enhancements for Microsoft 365 Administrators, 2025). No alerts.

No reviews.

No justification. That isn’t real security. It’s just wishful thinking.

Step 1: Start With a Brutally Honest Inventory

The first thing I do is pull a full admin role assignment list. I don’t optimize or remove anything at this stage. I just ask one question per role:

“Why does this account still need this?”

If there’s no clear answer, that role should be considered for removal soon.

Step 2: Global Admin Is Not a Default Role

If I could make one rule permanent, it would be this: Global Admin should be assigned rarely, and only when absolutely necessary. In real tenants, Global Admin is often used because:

  • “It’s faster”
  • “It fixes weird issues”
  • “We might need it later”

This is how privilege sprawl begins. What I do instead:

  • Reduce Global Admins to the absolute minimum
  • Replace them with role-specific admins
  • Force engineers to request elevation only when needed

If someone needs Global Admin access every day, the system design needs to be reviewed.

Step 3: Eliminate Standing Privilege

Permanent admin access creates serious risks.

Consider any account that:

  • Logs in daily
  • Checks email
  • Browses the web

Such accounts should not hold permanent admin privileges.

This is where I push for:

  • Just-in-time elevation
  • Time-bound role assignments
  • Approval-based admin access

If an attacker gets access to a user account with permanent privileges, a simple breach can quickly become a full takeover.

Step 4: Service Accounts and Automation Get Special Scrutiny

Service accounts can be some of the riskiest admin accounts in a tenant because:

  • No one logs into them
  • Passwords don’t rotate
  • They’re excluded from MFA
  • They’re forgotten (Are Forgotten AD Service Accounts Leaving You at Risk?, 2025)

When I audit admin roles, I look closely at:

  • Why the account exists
  • What role it actually needs
  • Whether a managed identity could replace it

Most service accounts end up with too many permissions because people are hesitant to change them. This is exactly why attackers target them.
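The inventory behind Steps 1 to 4, as an added example that is not from the original post: it reads active Entra ID role assignments through the Microsoft Graph PowerShell SDK and flags Global Admins, standing (permanent) privilege and non-human principals. It assumes the Microsoft.Graph modules are installed and that the tenant has PIM (Entra ID P2), which the schedule-instance cmdlet relies on; the output file name is a placeholder.

```powershell
# Added example (not from the original post): read-only inventory of active Entra ID role
# assignments with the Microsoft Graph PowerShell SDK, flagging the patterns from Steps 1-4.
# Assumes the Microsoft.Graph modules are installed and the tenant has PIM (Entra ID P2),
# which the schedule-instance cmdlet below relies on. Nothing is changed or removed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Well-known template ID of the built-in Global Administrator role (identical in every tenant).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Role definitions keyed by ID, so each assignment gets a readable role name.
$roleDefs = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleDefs[$_.Id] = $_ }

# Active assignment instances. AssignmentType 'Assigned' with no EndDateTime is standing
# (permanent) privilege; 'Activated' is a time-bound PIM activation from an eligible role.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All

# Resolve all principals in one request (Get-MgDirectoryObjectById accepts up to 1000 IDs;
# chunk the list for larger tenants).
$principals = @{}
$ids = @($instances.PrincipalId | Sort-Object -Unique)
Get-MgDirectoryObjectById -Ids $ids | ForEach-Object { $principals[$_.Id] = $_ }

$inventory = foreach ($i in $instances) {
    $p    = $principals[$i.PrincipalId]
    $role = $roleDefs[$i.RoleDefinitionId]
    $type = $p.AdditionalProperties['@odata.type'].Split('.')[-1]   # user, group, servicePrincipal
    $name = $p.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $p.AdditionalProperties['displayName'] }
    [pscustomobject]@{
        Principal     = $name
        PrincipalType = $type
        Role          = $role.DisplayName
        Scope         = $i.DirectoryScopeId                      # '/' is tenant-wide
        ViaGroup      = ($i.MemberType -eq 'Group')              # inherited through group membership
        IsGlobalAdmin = ($role.TemplateId -eq $GlobalAdminTemplateId)
        IsPermanent   = ($i.AssignmentType -eq 'Assigned' -and -not $i.EndDateTime)
        IsNonHuman    = ($type -eq 'servicePrincipal')           # Step 4: automation gets extra scrutiny
        EndsAt        = $i.EndDateTime
    }
}

# Headline numbers behind the "why does this account still need this?" question of Step 1.
'Permanent Global Admins  : {0}' -f @($inventory | Where-Object { $_.IsGlobalAdmin -and $_.IsPermanent }).Count
'Standing privilege (any) : {0}' -f @($inventory | Where-Object IsPermanent).Count
'Non-human principals     : {0}' -f @($inventory | Where-Object IsNonHuman).Count

# Full list, most sensitive first, ready for the per-role review (placeholder file name).
$inventory | Sort-Object IsGlobalAdmin, IsPermanent -Descending |
    Export-Csv -Path .\admin-role-inventory.csv -NoTypeInformation
```

Assignments that arrive through a group show `ViaGroup` set, so the group's membership needs the same review as a direct assignment.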

Step 5: Document Every Remaining Admin

If an admin role remains after cleanup, there should be a clear reason for it.

For every privileged account, I document:

  • Owner
  • Purpose
  • Role justification
  • Review date

If there’s no documentation, there should be no admin access. Taking this step often changes how IT teams handle admin rights. People are more careful about requesting admin rights when they know these requests will be reviewed.
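One way to enforce the "no documentation, no admin access" rule from Step 5, as an added example that is not from the original post: it joins the role inventory against the admin register (Owner, Purpose, Justification, Review date) and lists every principal that is undocumented, incompletely documented, or past its review date. The two CSV fragments are constructed sample data; the function name and column names are assumptions.

```powershell
# Added example (not from the original post): reconcile the admin inventory with the
# Step 5 register. Sample data is constructed inline; in practice replace both with
# Import-Csv of the inventory export and the register you maintain.
$inventory = @'
Principal,Role,IsPermanent
alice@contoso.example,Global Administrator,True
backup-svc,Exchange Administrator,True
bob@contoso.example,Security Reader,False
'@ | ConvertFrom-Csv

$register = @'
Principal,Owner,Purpose,Justification,ReviewDate
alice@contoso.example,IT Lead,Tenant break-glass,Emergency access only,2025-07-01
bob@contoso.example,SecOps,Read security reports,Daily SOC work,2026-06-30
'@ | ConvertFrom-Csv

function Test-AdminRegister {
    # Returns one finding per privileged principal: OK, UNDOCUMENTED, INCOMPLETE or REVIEW OVERDUE.
    param([object[]]$Inventory, [object[]]$Register, [datetime]$AsOf = (Get-Date))
    $docs = @{}
    foreach ($r in $Register) { $docs[$r.Principal.ToLowerInvariant()] = $r }
    foreach ($a in $Inventory) {
        $doc = $docs[$a.Principal.ToLowerInvariant()]
        $finding = if (-not $doc) { 'UNDOCUMENTED' }
            elseif (-not $doc.Owner -or -not $doc.Justification) { 'INCOMPLETE' }
            elseif ([datetime]$doc.ReviewDate -lt $AsOf) { 'REVIEW OVERDUE' }
            else { 'OK' }
        [pscustomobject]@{
            Principal = $a.Principal
            Role      = $a.Role
            Permanent = $a.IsPermanent
            Finding   = $finding
        }
    }
}

# With the sample data: alice is REVIEW OVERDUE, backup-svc is UNDOCUMENTED, bob is OK.
Test-AdminRegister -Inventory $inventory -Register $register -AsOf ([datetime]'2026-01-06') |
    Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```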

The Result: Fewer Admins, More Control

After a proper audit, most tenants end up with:

  • A reduction of 70 to 90 percent in permanent admin roles (Franco, 2025)
  • Clear separation of duties
  • Easier Conditional Access design
  • Lower breach impact

Most importantly, you gain better visibility. You can’t secure what you don’t understand. Admin roles reveal how a tenant is really used.

Final Thought

If you haven’t reviewed admin roles recently, don’t assume you’re fine.

Assume you are at risk, and work to prove that you are not.

Security isn’t about adding more tools. It’s about removing unnecessary risk.


Learn more hands-on Microsoft identity and security lessons like this at ITBlogs.ca, based on what I actually see while managing production tenants day to day. 

Jaspreet Singh

Author @ ITBlogs.ca


References

Microsoft’s guidance to help mitigate critical threats to Active Directory Domain Services in 2025. (2025, December 8). Microsoft. https://www.microsoft.com/en-us/windows-server/blog/2025/12/09/microsofts-guidance-to-help-mitigate-critical-threats-to-active-directory-domain-services-in-2025?msockid=27fbd0edf66461f00a71c650f7ee6050

ADMIN - Security, Productivity, and Network Enhancements for Microsoft 365 Administrators. (2025). Microsoft Community Hub. https://techcommunity.microsoft.com/blog/microsoft_365blog/admin---security-productivity-and-network-enhancements-for-microsoft_365_adminis/964019

Are Forgotten AD Service Accounts Leaving You at Risk? (2025, May 31). The Hacker News. https://thehackernews.com/2025/06/are-forgotten-ad-service-accounts.html

Franco, M. (2025, December 14). Eliminating standing admin privilege for Microsoft 365. CyberArk. https://www.cyberark.com/product-insights/eliminating-standing-admin-privilege-for-microsoft-365/
