Field note

Global Admin Cleanup in Microsoft 365

Too many Global Admins is rarely a design decision. It is usually a trail of shortcuts, vendor access that never got removed, and old urgency that became permanent.

Published: 12 Jan 2026

Updated: 4 months ago

Read time: 3 min · 660 words

Author: Gyorgy Bolyki

Global Administrator gets overused for one simple reason: it solves today's problem fast.

That shortcut becomes expensive later. A tenant ends up with current admins, former MSP accounts, founder accounts, project leftovers, emergency accounts, maybe a vendor login or two, all sitting in the same highest-privilege role. Nobody would design it that way from scratch, but plenty of tenants drift into it.

Every extra Global Admin expands blast radius. It widens the set of people or credentials that can change security settings, reset privileged accounts, grant consent, and generally make a bad day much worse.

First, get the list on paper

Do not start this clean-up from memory or from a Teams thread.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# Resolve the Global Administrator role by name instead of pasting its object id
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
# Active members only; PIM eligible assignments do not appear here
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Select-Object Id, @{n='Type';e={$_.AdditionalProperties.'@odata.type'}}, @{n='UPN';e={$_.AdditionalProperties.userPrincipalName}}

Export the membership, then label each entry. For every Global Admin, answer:

  1. Is this a named human account?
  2. Is it still active?
  3. Does the work actually require Global Admin?
  4. If not, which narrower built-in role fits better?
  5. Who approved it and when does it get reviewed?

That alone will surface most of the problem.
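A script that produces the labelled export the five questions above call for, added here as an example and not part of the original note. It assumes the Microsoft Graph PowerShell SDK is installed and that you can consent to the listed scopes; the sign-in data needs AuditLog.Read.All and an Entra ID P1/P2 licence, and the CSV column names are my own choice.

```powershell
# Added example: export Global Administrator membership with the fields needed
# to answer "named human? still active? still needs GA?" for each entry.
# Assumptions: Microsoft.Graph SDK installed; signInActivity needs
# AuditLog.Read.All plus an Entra ID P1/P2 licence (LastSignIn stays blank otherwise).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All" -NoWelcome

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
# Active assignments only. PIM eligible assignments live elsewhere
# (Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance) and need their own review.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties.'@odata.type'
    if ($type -eq '#microsoft.graph.user') {
        $u = Get-MgUser -UserId $m.Id -Property "id,userPrincipalName,displayName,accountEnabled,userType,signInActivity"
        [pscustomobject]@{
            Id           = $u.Id
            Name         = $u.DisplayName
            Principal    = $u.UserPrincipalName
            ObjectType   = 'user'
            # Guests and B2B accounts are the usual ex-MSP / vendor leftovers
            External     = ($u.UserType -eq 'Guest' -or $u.UserPrincipalName -like '*#EXT#*')
            Enabled      = $u.AccountEnabled
            LastSignIn   = $u.SignInActivity.LastSignInDateTime
            # Review columns (questions 3-5), filled in by hand during the review
            StillNeedsGA = ''
            BetterRole   = ''
            ApprovedBy   = ''
            ReviewDate   = ''
        }
    } else {
        # Service principals and groups can also hold the role; never skip them
        [pscustomobject]@{
            Id = $m.Id; Name = $m.AdditionalProperties.displayName
            Principal  = $m.AdditionalProperties.appId
            ObjectType = $type -replace '^#microsoft\.graph\.', ''
            External = $null; Enabled = $null; LastSignIn = $null
            StillNeedsGA = ''; BetterRole = ''; ApprovedBy = ''; ReviewDate = ''
        }
    }
}

# Timestamped file doubles as the "before" snapshot for the evidence trail
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | Sort-Object ObjectType, Principal | Export-Csv -Path "GlobalAdmins-$stamp.csv" -NoTypeInformation
$report | Format-Table Principal, ObjectType, Enabled, External, LastSignIn -AutoSize
```

Run it again after the clean-up to get the "after" export; the two CSVs together are the record the evidence-trail section asks for.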

Narrow roles usually do the job

Microsoft gives you a long list of built-in roles for a reason. A lot of work that gets done with Global Admin could be handled by something more specific:

Task                          | Usually better role
------------------------------|------------------------------------------
Exchange admin work           | Exchange Administrator
SharePoint admin work         | SharePoint Administrator
Intune device work            | Intune Administrator
MFA and method changes        | Authentication Administrator
User lifecycle and groups     | User Administrator or Groups Administrator

That will not solve every edge case, but it removes a lot of lazy overreach.

A practical cleanup sequence

The sequence that works well is usually:

  1. Remove ex-employees and stale partner accounts first.
  2. Separate emergency access accounts from daily admin accounts.
  3. Replace obvious misuse with narrower roles.
  4. Put stronger protection around the admin population.
  5. Review whether any standing Global Admins still need to stand.

If you have Microsoft Entra Privileged Identity Management, this is where it helps. Instead of handing out broad standing access, you can move some work to eligible activation with approval and audit trails. If you do not have PIM, you can still reduce exposure with tighter roles and better review discipline.

Emergency access is not part of normal admin sprawl

Break-glass accounts should exist, but they should be treated as emergency accounts, not as extra comfortable admin logins.

A simple target state for many SMEs looks like this:

Role category            | Healthy shape
-------------------------|------------------------------------------------
Emergency access         | Two controlled emergency accounts
Standing Global Admins   | As few as you can justify, often zero to two
Day-to-day admin work    | Specific built-in roles
Vendor access            | Time-bound and reviewed

That last line matters. Vendor access tends to linger because it is slightly awkward to remove and might be needed "just in case". That is not a governance model. That is procrastination with privileges attached.

Keep an evidence trail

This work is much easier to defend if you keep a lightweight record:

  • the role membership export before and after
  • the reason any standing Global Admin remains
  • the owner of each emergency account
  • the control used to protect admin sign-in

Those notes help later with audits, customer questions, insurance forms, and internal debates about whether the clean-up was real or cosmetic.

What a good outcome feels like

You should be able to name every remaining Global Admin without looking it up, explain why each one exists, and show when that decision gets reviewed again.

If the answer is still "we left that in place because it was easier", the cleanup is not done yet.
