How to Audit Microsoft 365 Admin Roles and Permissions
Administrative access represents one of the highest-risk attack vectors in Microsoft 365 environments. A single compromised Global Administrator account can grant an attacker full control over an organization’s email, files, user identities, and collaboration platforms. For MSPs and MSSPs, regular auditing of administrative roles and permissions is not optional—it’s a critical security requirement.
Why Admin Role Auditing Matters
Unauthorized or excessive administrative privileges create multiple security vulnerabilities:
- Lateral Movement: A compromised Exchange Admin can pivot to steal email data or add forwarding rules
- Persistence Mechanisms: Attackers create hidden admin accounts for long-term access
- Data Exfiltration: Global Admins can grant third-party apps dangerous permissions
- Compliance Violations: Unmonitored admin access creates audit trail gaps
- Accidental Misconfiguration: Over-privileged admins increase the risk of costly configuration errors
Regular auditing ensures that administrative access follows the principle of least privilege and remains aligned with organizational roles and responsibilities.
Step 1: Accessing the Admin Role Dashboard
The Microsoft Entra ID admin center provides the primary interface for role management.
Navigate to https://entra.microsoft.com and sign in with Global Administrator credentials. Then go to Roles and administrators. This dashboard displays:
- All built-in and custom roles in your tenant
- Current role assignments
- Role membership trends
- Activation history (if using Privileged Identity Management)
Step 2: Audit Global Administrator Assignments
Global Admins have unrestricted access to all Microsoft 365 services. Audit this critical role first.
Click Global Administrator in the Roles and Administrators page. Review the Assignments tab to see all accounts currently holding this role.
For each Global Admin, ask:
- Is this account still necessary? Many organizations assign Global Admin during initial setup but never remove it
- Is this a personal user account or a service account? Personal accounts with Global Admin create audit trail risk
- Is MFA enabled? Non-MFA Global Admins are critical vulnerabilities
- When was this account last used? Azure AD Sign-in logs show last successful sign-in dates
Best practice: Limit Global Admin assignments to 2-3 emergency break-glass accounts. Create role-specific admin accounts instead (see Step 3).
Step 3: Audit Role-Specific Administrators
Role-specific admins (Exchange Admin, Teams Admin, Security Admin, etc.) should own the vast majority of administrative responsibilities.
Navigate to Roles and administrators and review each built-in role:
Exchange Administrator
Manages email policies, mailbox configurations, and transport rules. Audit for:
- Mailbox forwarding rules (used by attackers for persistence)
- Inbox rules that hide suspicious activity
- Delegate access to mailboxes
- Calendar publishing settings
Teams Administrator
Manages Teams policies, channels, and meeting configurations. Verify:
- Guest access restrictions
- External sharing policies
- Meeting recording retention
- Mobile device policies
Security Administrator
Manages Microsoft Defender, DLP, and threat policies. Ensure:
- Password spray detection policies
- Suspicious activity alerts
- Threat intelligence integration
- Incident response playbook access
SharePoint Administrator
Manages SharePoint sites, file sharing, and governance. Audit for:
- External sharing policies
- Site collection admin assignments
- Sharing link expiration
- Data governance controls
Create a spreadsheet with columns for Role Name, Assigned Users, Assignment Date, Business Justification, and Renewal Date. This becomes your administrative access inventory.
Step 4: Check for Inactive Admins
Stale admin accounts create ongoing security risks. In the Microsoft Entra ID admin center, navigate to Manage -> Users -> All users and use the filter Show only inactive users (configure inactivity threshold to 30-90 days).
Cross-reference inactive users with administrative role assignments. Disabled or left-behind admin accounts should be:
- Immediately removed from all admin roles
- Disabled after a review period
- Deleted after 30-90 days (per your retention policy)
Document the deactivation in your audit trail.
Step 5: Audit with Activity Logs
Navigate to Audit in the Microsoft Entra ID admin center to track:
- Role Assignment Changes: When accounts were added to or removed from administrative roles
- User Account Modifications: Password resets, account enables/disables
- Admin Activity: Configuration changes by administrators
Filter for role-related changes over the past 90 days. Look for:
- Bulk role assignments (could indicate compromise or unauthorized access)
- Role assignments outside of your change management window
- Assignments to accounts not in your administrative staff roster
Export these logs for your audit trail and compliance documentation.
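One way to pull the role-membership changes described above out of the Entra ID audit log and flag those made outside a change window (an added example, not code from the original post; it assumes the Microsoft.Graph.Reports module is installed, and the Tuesday 18:00-22:00 UTC window, the output path and the audit-log field names are my assumptions about the directoryAudit schema):

```powershell
# Added example (not from the original post): list role-membership changes from
# the last 90 days and flag entries made outside a change window.
# Assumptions: Microsoft.Graph.Reports is installed; the change window (Tuesday
# 18:00-22:00 UTC) and file path are constructed sample values; modifiedProperties
# values are JSON-encoded strings, so surrounding quotes are stripped.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since  = (Get-Date).ToUniversalTime().AddDays(-90).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDateTime ge $since and " +
          "(activityDisplayName eq 'Add member to role' or " +
          " activityDisplayName eq 'Remove member from role')"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

function Test-InChangeWindow([datetime]$t) {
    $u = $t.ToUniversalTime()
    return ($u.DayOfWeek -eq 'Tuesday' -and $u.Hour -ge 18 -and $u.Hour -lt 22)
}

$report = foreach ($e in $events) {
    # The first target resource is the affected principal; the role name is
    # carried in its modifiedProperties as 'Role.DisplayName'
    $target   = $e.TargetResources | Select-Object -First 1
    $roleProp = $target.ModifiedProperties |
                Where-Object { $_.DisplayName -eq 'Role.DisplayName' } | Select-Object -First 1
    [pscustomobject]@{
        When          = $e.ActivityDateTime
        Action        = $e.ActivityDisplayName
        Actor         = $e.InitiatedBy.User.UserPrincipalName
        Principal     = if ($target.UserPrincipalName) { $target.UserPrincipalName } else { $target.DisplayName }
        Role          = ($roleProp.NewValue -replace '"', '')
        Result        = $e.Result
        OutsideWindow = -not (Test-InChangeWindow $e.ActivityDateTime)
    }
}

# Flagged entries need a change ticket or an incident; the full set is the audit trail
$report | Where-Object OutsideWindow | Format-Table -AutoSize
$report | Export-Csv -Path ".\role-changes-90d.csv" -NoTypeInformation
```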
Step 6: Enable Privileged Identity Management (PIM)
PIM adds an approval workflow and time-limited activation for sensitive roles.
Navigate to Azure AD -> Privileged Identity Management -> Manage -> Roles -> Azure AD roles -> Settings. Configure:
- Require approval to activate: Ensure role activation requires manager approval
- Require MFA on activation: Require a fresh MFA prompt at activation time, even if the account already satisfied MFA at sign-in
- Require justification: Require admins to state business reason for role activation
- Maximum activation duration: Limit role activation to 4-8 hours (or your security standard)
PIM provides audit trails showing who activated which roles, when, and for what purpose.
Step 7: Review Service Principals and Application Permissions
Applications and service principals can be granted admin roles. Audit these:
In the Entra ID admin center, navigate to Applications -> Enterprise applications and filter for applications assigned administrative roles.
For each application:
- Verify Necessity: Confirm the application actually needs admin-level permissions
- Review Scope: Check the Permissions tab for overly broad API access
- Check Consent: Verify admin consent was properly documented
- Monitor Activity: Review activity logs for unusual operations by the service principal
Delete applications that no longer require admin roles.
Step 8: Create an Administrative Access Policy
Document your administrative access standards in a formal policy:
- Which roles are approved (avoid unnecessary custom roles)
- Who can request role assignments (e.g., IT director or department head approval)
- Approval process and required justification
- Maximum duration before re-approval is required
- MFA requirements for all admin accounts
- Audit and monitoring requirements
Share this policy with all administrators and IT leadership. Schedule quarterly reviews to ensure ongoing compliance.
Step 9: Automate Auditing with PowerShell
For MSPs managing multiple tenants, manual auditing doesn’t scale. Use PowerShell to automate:
# Connect to tenant (Directory.Read.All is enough to enumerate roles and their members)
Connect-MgGraph -Scopes "Directory.Read.All"
# Get all directory roles with members.
# Note: Get-MgDirectoryRole returns only roles that have been activated in the tenant.
Get-MgDirectoryRole | ForEach-Object {
    $roleId = $_.Id
    $roleName = $_.DisplayName
    # -All pages through large memberships; @() keeps .Count valid for 0 or 1 members
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All)
    Write-Host "$roleName has $($members.Count) members"
    foreach ($member in $members) {
        # Members come back as generic directory objects: displayName and mail
        # live in AdditionalProperties, not as top-level properties
        $props = $member.AdditionalProperties
        Write-Host " - $($props['displayName']) ($($props['mail']))"
    }
}
Schedule this script weekly and compare output against your approved admin roster.
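The roster comparison this step calls for, extended to also cover the inactive-admin check from Step 4 and the non-user role members from Step 7 (an added example, not code from the original post; it assumes the Microsoft.Graph SDK is installed, that signInActivity is readable with AuditLog.Read.All and an Entra ID P1/P2 license, and the roster file, its column names and the 60-day threshold are constructed):

```powershell
# Added example (not from the original post): compare live role membership with
# an approved roster and flag members that are stale or are not user accounts.
# Assumptions: Microsoft.Graph SDK installed; the signed-in account can consent
# to the scopes below; signInActivity needs AuditLog.Read.All and a P1/P2
# license; the roster file and the 60-day threshold are constructed values.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All"

# Roster columns: RoleName,UserPrincipalName (one row per approved assignment)
$roster   = Import-Csv -Path ".\approved-admins.csv"
$cutoff   = (Get-Date).AddDays(-60)
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($role, $name, $upn, $issue) {
    $findings.Add([pscustomobject]@{ Role = $role; Member = $name; Upn = $upn; Issue = $issue })
}

# Get-MgDirectoryRole lists only roles already activated in the tenant
foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        # Members are generic directory objects; details sit in AdditionalProperties
        $p    = $m.AdditionalProperties
        $type = $p['@odata.type']   # '#microsoft.graph.user', '#microsoft.graph.servicePrincipal', ...
        $name = $p['displayName']
        $upn  = $p['userPrincipalName']

        $approved = $roster | Where-Object {
            $_.RoleName -eq $role.DisplayName -and $_.UserPrincipalName -eq $upn }
        if (-not $approved) { Add-Finding $role.DisplayName $name $upn 'Not in approved roster' }

        # Service principals and groups holding a role get their own review (Step 7)
        if ($type -ne '#microsoft.graph.user') {
            Add-Finding $role.DisplayName $name $upn "Non-user member: $type"
            continue
        }

        # Inactive admin check (Step 4): last successful sign-in older than the cutoff
        $last = (Get-MgUser -UserId $m.Id -Property 'signInActivity').SignInActivity.LastSignInDateTime
        if (-not $last -or $last -lt $cutoff) {
            $when = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
            Add-Finding $role.DisplayName $name $upn "Last sign-in: $when"
        }
    }
}

$findings | Export-Csv -Path ".\admin-role-findings.csv" -NoTypeInformation
$findings | Sort-Object Role, Issue | Format-Table -AutoSize
```

Run it on the same weekly schedule as the script above and diff the findings CSV against the previous run; a new "Not in approved roster" row is the signal to chase.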
Step 10: Monitoring and Alerting
Configure alerts in the Microsoft Defender portal for administrative activity:
Navigate to Alerts & incidents -> Alert policies and create alerts for:
- New admin role assignments
- Admin accounts added to sensitive distribution lists
- Bulk changes to sharing policies
- Mailbox forwarding rules created by admins
Set notifications to your security team so suspicious activity is detected in real time.
Conclusion
Regular auditing of Microsoft 365 administrative roles is the foundation of a secure cloud identity infrastructure. By implementing systematic reviews, removing inactive admins, enabling PIM, and monitoring activity, MSPs and MSSPs can significantly reduce the risk of privilege abuse and insider threats.
Administrative access should be treated as your organization’s most critical security asset. Audit it accordingly.
To assess your administrative access controls and receive recommendations for your Microsoft 365 environment, visit https://365securityassessment.com today.