Learn about extra admin accounts and how to mitigate this risk.
Having numerous accounts with high-level administrative roles increases your exposure to security breaches: each privileged account is another credential that an attacker could phish, guess, or steal. Limiting the number of accounts with privileged roles reduces the attack surface, making it harder for attackers to gain control of your organization's resources.
Attack Surface Risk Management defines extra admin accounts as a total number of administrator accounts exceeding five.
To mitigate this risk:

- Microsoft Entra ID: Ensure that there are no more than five users assigned the Global Administrator role. For more information, see Microsoft Entra ID guidance on role best practices.
- Active Directory: Ensure that there are no more than five members of the Administrators group. For more information, see Microsoft's guide on reducing accounts in highly privileged administrative groups.
- Google Workspace: Ensure there are no more than five users assigned to the Super Admin role.
Note: For very large organizations, it may be necessary to exceed five admin accounts. However, "Extra Admin Accounts" risks cannot currently be added to the exception list.
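The following PowerShell script is an added example, not part of this page or of the product it describes. It counts the accounts behind the first two mitigation items (Global Administrators in Microsoft Entra ID and members of the Active Directory Administrators group) and flags any scope whose count exceeds the five-account threshold this page defines. It assumes the Microsoft.Graph and ActiveDirectory PowerShell modules are installed, that the caller can read directory roles and group membership, and that the function names and the `$MaxAdminAccounts` variable are the author's own choices.

```powershell
# Added example (not from the original page): count highly privileged
# accounts in Microsoft Entra ID and Active Directory and flag any scope
# whose count exceeds the threshold this page uses (five).
# Assumes the Microsoft.Graph and ActiveDirectory modules are installed.

$MaxAdminAccounts = 5   # threshold defined on this page (assumed name)

# Compare a list of account names against the threshold and report the result.
function Test-AdminCount {
    param(
        [string]$Scope,
        [string[]]$Members,
        [int]$Threshold = $MaxAdminAccounts
    )
    $unique = @($Members | Sort-Object -Unique)
    $status = if ($unique.Count -gt $Threshold) { 'EXCEEDS THRESHOLD' } else { 'ok' }
    [pscustomobject]@{
        Scope     = $Scope
        Count     = $unique.Count
        Threshold = $Threshold
        Status    = $status
        Members   = ($unique -join '; ')
    }
}

# Microsoft Entra ID: user principal names holding the Global Administrator role.
function Get-EntraGlobalAdmins {
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        # Keep user objects only; groups or service principals assigned the role are listed separately below.
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}

# Active Directory: user members of the built-in Administrators group, expanded
# recursively because Domain Admins and Enterprise Admins are nested inside it.
function Get-AdAdministrators {
    Get-ADGroupMember -Identity 'Administrators' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SamAccountName }
}

Test-AdminCount -Scope 'Entra ID / Global Administrator' -Members (Get-EntraGlobalAdmins)
Test-AdminCount -Scope 'Active Directory / Administrators' -Members (Get-AdAdministrators)
```

Two caveats when reading the output: Get-MgDirectoryRole reports active role assignments only, so accounts that are merely eligible for Global Administrator through Privileged Identity Management are not counted; and a group assigned the role is dropped by the user-type filter, so its members would need to be expanded separately. Google Workspace is not covered by the script; the equivalent check lists Super Admin assignments through the Admin SDK Directory API and applies the same threshold.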