Administrative Role Overlap [CHK-1322]
This check verifies whether your Microsoft 365 tenant uses granular (limited) administrative roles instead of relying exclusively on the Global Administrator role.
It queries all activated directory roles via Microsoft Graph (the `directoryRoles` endpoint only lists roles that have been activated in the tenant) and looks for at least one non-trivial role with members assigned, excluding Global Administrator, Global Reader, Directory Readers, Directory Synchronization Accounts, and Azure AD Joined Device Local Administrator. If PIM (Privileged Identity Management) is active, the check passes automatically: eligible (just-in-time) assignments only become directory role members while they are activated, so a tenant that scopes its admins through PIM may legitimately show no permanent members in any limited role.
Rationale
A compromised Global Administrator account gives an attacker full control over your entire Microsoft 365 environment: mailboxes, SharePoint, Teams, Microsoft Entra ID (formerly Azure AD), billing, and more. By assigning least-privilege roles (e.g., Exchange Administrator, Teams Administrator, Billing Administrator), you limit the blast radius of a compromised account to the services that person actually manages. This follows the principle of least privilege and contributes to your Microsoft Secure Score.
Fix
1. Go to the Microsoft Entra admin center → Identity → Roles & admins.
2. Review all users currently assigned the Global Administrator role.
3. For each user, determine the minimum role required for their job function. Common examples:
- Someone managing Teams → Teams Administrator
- Someone managing Exchange → Exchange Administrator
- Someone handling billing → Billing Administrator
- Someone managing users/groups → User Administrator
4. Assign the appropriate limited role to the user.
5. Remove the Global Administrator assignment once the limited role is confirmed working. Do not remove every Global Administrator: keep your dedicated emergency-access (break-glass) accounts, and aim for the smallest number of permanent Global Administrators your operations genuinely need.
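The following script is an added example and is not the check's own implementation or Microsoft's code. It reproduces the check described above with the Microsoft Graph PowerShell SDK (activated roles, the exclusion list, the PIM bypass) and then lists the Global Administrator members to review in steps 2 to 5. It assumes the Microsoft.Graph module is installed and that you can consent to the listed scopes; treating "at least one PIM eligibility schedule exists" as "PIM is active" is an assumption about how the check decides that, and the user principal name in the remediation section is hypothetical.

```powershell
# Added example, not part of the CHK-1322 page or its tooling.
# Assumes the Microsoft.Graph module and consent to these scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'Directory.Read.All',
                        'RoleEligibilitySchedule.Read.Directory'

# Roles the check ignores, matched by display name as listed in the check description.
$excluded = @(
    'Global Administrator',
    'Global Reader',
    'Directory Readers',
    'Directory Synchronization Accounts',
    'Azure AD Joined Device Local Administrator'
)

# 1. Is PIM in use? Eligible assignments are not directory role members until
#    activated. Assumption: any eligibility schedule counts as "PIM active".
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All)
if ($eligible.Count -gt 0) {
    Write-Host "PIM eligibility schedules found ($($eligible.Count)); CHK-1322 passes."
}

# 2. Get-MgDirectoryRole returns only roles already activated in the tenant.
$roles = Get-MgDirectoryRole -All
$granular = foreach ($role in $roles) {
    if ($excluded -contains $role.DisplayName) { continue }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    if ($members.Count -gt 0) {
        [pscustomobject]@{ Role = $role.DisplayName; Members = $members.Count }
    }
}
if ($granular) {
    Write-Host 'Limited roles that have members:'
    $granular | Format-Table -AutoSize
} elseif ($eligible.Count -eq 0) {
    Write-Warning 'No limited role has members and PIM is not in use: CHK-1322 fails.'
}

# 3. Who holds Global Administrator? These are the accounts to review (Fix step 2).
$ga        = $roles | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All)
$gaMembers | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type']
        Name = $_.AdditionalProperties['displayName']
        UPN  = $_.AdditionalProperties['userPrincipalName']
    }
} | Format-Table -AutoSize

# 4. Remediation for one user (Fix steps 4 and 5). Needs the
#    RoleManagement.ReadWrite.Directory scope; reconnect with it first.
#    The unified role-assignment API works even if the target role has never
#    been activated, which is why it is used instead of New-MgDirectoryRoleMemberByRef.
$upn      = 'teams.admin@contoso.example'   # hypothetical account
$user     = Get-MgUser -UserId $upn
$teamsDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Teams Administrator'"
# Assign the limited role, confirm the user can do their job with it, and only
# then remove Global Administrator. Never remove your break-glass accounts.
# New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $teamsDef.Id -DirectoryScopeId '/'
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id -DirectoryObjectId $user.Id
```

Run the script read-only first; the two write cmdlets at the end are left commented out so that nothing changes until you have verified the limited role against the user's actual duties. Service principals and groups also appear as Global Administrator members (see the `Type` column), so review those entries as well as user accounts.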
Impact
- If not resolved: All administrative tasks are performed under Global Administrator, meaning any single compromised admin account could lead to full tenant takeover.
- If resolved: Administrative access is scoped per service area. A compromised account can only affect the specific workload it manages, significantly reducing risk.
- Fix type: Manual only — there is no automated fix available because role assignments depend on each organization's specific staffing and responsibilities.