How to Audit Microsoft 365 Admin Roles and Permissions

By 365 Security Assessment Team

Administrative access represents one of the highest-risk attack vectors in Microsoft 365 environments. A single compromised Global Administrator account can grant an attacker full control over an organization’s email, files, user identities, and collaboration platforms. For MSPs and MSSPs, regular auditing of administrative roles and permissions is not optional—it’s a critical security requirement.

Why Admin Role Auditing Matters

Unauthorized or excessive administrative privileges create multiple security vulnerabilities:

Regular auditing ensures that administrative access follows the principle of least privilege and remains aligned with organizational roles and responsibilities.

Step 1: Accessing the Admin Role Dashboard

The Microsoft Entra ID admin center provides the primary interface for role management.

Navigate to https://entra.microsoft.com and sign in with Global Administrator credentials. Then go to Roles and administrators. This dashboard displays:

Step 2: Audit Global Administrator Assignments

Global Admins have unrestricted access to all Microsoft 365 services. Audit this critical role first.

Click Global Administrator in the Roles and Administrators page. Review the Assignments tab to see all accounts currently holding this role.

For each Global Admin, ask:

Best practice: Limit Global Admin assignments to 2-3 emergency break-glass accounts. Create role-specific admin accounts instead (see Step 3).

Step 3: Audit Role-Specific Administrators

Role-specific admins (Exchange Admin, Teams Admin, Security Admin, etc.) should own the vast majority of administrative responsibilities.

Navigate to Roles and administrators and review each built-in role:

Exchange Administrator

Manages email policies, mailbox configurations, and transport rules. Audit for:

Teams Administrator

Manages Teams policies, channels, and meeting configurations. Verify:

Security Administrator

Manages Microsoft Defender, DLP, and threat policies. Ensure:

SharePoint Administrator

Manages SharePoint sites, file sharing, and governance. Audit for:

Create a spreadsheet with columns for Role Name, Assigned Users, Assignment Date, Business Justification, and Renewal Date. This becomes your administrative access inventory.

Step 4: Check for Inactive Admins

Stale admin accounts create ongoing security risks. In the Microsoft Entra ID admin center, navigate to Manage -> Users -> All users and use the filter Show only inactive users (configure inactivity threshold to 30-90 days).

Cross-reference inactive users with administrative role assignments. Disabled or left-behind admin accounts should be:

  1. Immediately removed from all admin roles
  2. Disabled after a review period
  3. Deleted after 30-90 days (per your retention policy)

Document the deactivation in your audit trail.
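The cross-reference in this step can be scripted. The following is an added example (not code from the original article or from 365 Security Assessment): it joins a list of accounts and their last sign-in against a list of admin role assignments and returns every admin that is disabled, has never signed in, or has been idle longer than the threshold. All account names and dates are constructed; the function names (Get-StaleAdminAccount) and property names (Upn, AccountEnabled, LastSignIn, RoleName) are assumptions of this example, not Graph schema.

```powershell
# Added example, not part of the original article. Sample data is constructed.
# In a live tenant the same shape can be built from Microsoft Graph, e.g.
#   Get-MgUser -All -Property "id,userPrincipalName,accountEnabled,signInActivity"
# (signInActivity needs the AuditLog.Read.All scope) plus Get-MgDirectoryRoleMember.

function Get-StaleAdminAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Users,            # objects with Upn, AccountEnabled, LastSignIn
        [Parameter(Mandatory)] [object[]] $RoleAssignments,  # objects with Upn, RoleName
        [int] $InactiveDays = 60                             # the article suggests a 30-90 day window
    )
    $cutoff    = (Get-Date).AddDays(-$InactiveDays)
    $adminUpns = $RoleAssignments | Select-Object -ExpandProperty Upn -Unique

    # Only accounts that actually hold a role are of interest here
    foreach ($user in ($Users | Where-Object { $adminUpns -contains $_.Upn })) {
        $roles  = ($RoleAssignments | Where-Object Upn -eq $user.Upn).RoleName -join ', '
        $reason = $null
        if (-not $user.AccountEnabled) {
            $reason = 'account disabled but still holds admin roles'
        } elseif ($null -eq $user.LastSignIn) {
            $reason = 'never signed in'
        } elseif ($user.LastSignIn -lt $cutoff) {
            $idle   = [int]((Get-Date) - $user.LastSignIn).TotalDays
            $reason = "no sign-in for $idle days"
        }
        if ($reason) {
            [pscustomobject]@{
                Upn    = $user.Upn
                Roles  = $roles
                Reason = $reason
                Action = 'Remove from all admin roles, then disable'   # step 4's order of operations
            }
        }
    }
}

# Constructed sample tenant (hypothetical names)
$users = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; AccountEnabled = $true;  LastSignIn = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   AccountEnabled = $true;  LastSignIn = (Get-Date).AddDays(-120) }
    [pscustomobject]@{ Upn = 'carol@contoso.example'; AccountEnabled = $false; LastSignIn = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ Upn = 'dave@contoso.example';  AccountEnabled = $true;  LastSignIn = $null }
    [pscustomobject]@{ Upn = 'erin@contoso.example';  AccountEnabled = $true;  LastSignIn = (Get-Date).AddDays(-200) }  # no role: ignored
)
$assignments = @(
    [pscustomobject]@{ Upn = 'alice@contoso.example'; RoleName = 'Global Administrator' }
    [pscustomobject]@{ Upn = 'bob@contoso.example';   RoleName = 'Exchange Administrator' }
    [pscustomobject]@{ Upn = 'carol@contoso.example'; RoleName = 'Security Administrator' }
    [pscustomobject]@{ Upn = 'dave@contoso.example';  RoleName = 'Global Administrator' }
)

# Reports bob (idle), carol (disabled) and dave (never signed in); alice and erin are not listed
Get-StaleAdminAccount -Users $users -RoleAssignments $assignments -InactiveDays 60 | Format-Table -AutoSize
```

The disabled-but-still-assigned case is listed first on purpose: a disabled account keeps its role memberships, so re-enabling it (or a password reset by a helpdesk workflow) silently restores admin access unless the roles were removed as well.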

Step 5: Audit with Activity Logs

Navigate to Audit in the Microsoft Entra ID admin center to track:

Filter for role-related changes over the past 90 days. Look for:

Export these logs for your audit trail and compliance documentation.
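Once the audit log is exported, the 90-day review of role changes can be done against the file rather than by scrolling the portal. The following is an added example (not code from the original article or from 365 Security Assessment): it reads Entra audit entries, keeps the role-membership activities, and flags changes to high-risk roles, self-assignments, and changes made outside business hours. The JSON is constructed and trimmed to the fields the check uses; the function name Get-RoleChangeFinding and the business-hours window are assumptions of this example.

```powershell
# Added example, not part of the original article. The entries below are constructed
# and reduced to a few fields; a real export (Entra admin center -> Audit -> Download,
# or Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement'") carries more.
$sampleAuditJson = @'
[
  { "activityDateTime": "2024-05-02T09:15:00Z", "activityDisplayName": "Add member to role", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "admin-ops@contoso.example" } },
    "targetResources": [ { "userPrincipalName": "newhire@contoso.example",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Exchange Administrator\"" } ] } ] },
  { "activityDateTime": "2024-05-02T23:41:00Z", "activityDisplayName": "Add member to role", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "contractor@contoso.example" } },
    "targetResources": [ { "userPrincipalName": "contractor@contoso.example",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Global Administrator\"" } ] } ] },
  { "activityDateTime": "2024-05-03T10:05:00Z", "activityDisplayName": "Remove member from role", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "admin-ops@contoso.example" } },
    "targetResources": [ { "userPrincipalName": "leaver@contoso.example",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "oldValue": "\"Teams Administrator\"" } ] } ] },
  { "activityDateTime": "2024-05-03T12:00:00Z", "activityDisplayName": "Update user", "result": "success",
    "initiatedBy": { "user": { "userPrincipalName": "admin-ops@contoso.example" } },
    "targetResources": [ { "userPrincipalName": "someone@contoso.example", "modifiedProperties": [] } ] }
]
'@

function Get-RoleChangeFinding {
    param(
        [Parameter(Mandatory)] [string] $AuditJson,
        [string[]] $HighRiskRoles = @('Global Administrator', 'Privileged Role Administrator'),
        [int] $BusinessHoursStartUtc = 6,   # assumed window; adjust to the tenant's time zone
        [int] $BusinessHoursEndUtc   = 20
    )
    $entries        = $AuditJson | ConvertFrom-Json
    $roleActivities = 'Add member to role', 'Remove member from role', 'Add eligible member to role'

    foreach ($e in ($entries | Where-Object { $roleActivities -contains $_.activityDisplayName })) {
        $target   = $e.targetResources[0]
        $roleProp = $target.modifiedProperties | Where-Object displayName -eq 'Role.DisplayName' | Select-Object -First 1
        if (-not $roleProp) { continue }
        # Entra stores property values as JSON-encoded strings, hence the surrounding quotes
        $role  = (($roleProp.newValue, $roleProp.oldValue) | Where-Object { $_ } | Select-Object -First 1).Trim('"')
        $actor = $e.initiatedBy.user.userPrincipalName

        $flags = @()
        if ($HighRiskRoles -contains $role)          { $flags += 'high-risk role' }
        if ($actor -eq $target.userPrincipalName)    { $flags += 'self-assignment' }
        $hour = ([datetime]$e.activityDateTime).ToUniversalTime().Hour
        if ($hour -lt $BusinessHoursStartUtc -or $hour -ge $BusinessHoursEndUtc) { $flags += 'outside business hours (UTC)' }

        [pscustomobject]@{
            When     = $e.activityDateTime
            Activity = $e.activityDisplayName
            Role     = $role
            Target   = $target.userPrincipalName
            Actor    = $actor
            Flags    = ($flags -join '; ')
        }
    }
}

# The contractor entry comes out on top: high-risk role, self-assigned, at 23:41 UTC
Get-RoleChangeFinding -AuditJson $sampleAuditJson | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

"Add eligible member to role" is included because PIM eligibility grants (Step 6) are also role changes; an eligible assignment to Global Administrator deserves the same review as a permanent one.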

Step 6: Enable Privileged Identity Management (PIM)

PIM adds an approval workflow and time-limited activation for sensitive roles.

Navigate to Azure AD -> Privileged Identity Management -> Manage -> Roles -> Azure AD roles -> Settings. Configure:

PIM provides audit trails showing who activated which roles, when, and for what purpose.

Step 7: Review Service Principals and Application Permissions

Applications and service principals can be granted admin roles. Audit these:

In the Entra ID admin center, navigate to Applications -> Enterprise applications and filter for applications assigned administrative roles.

For each application:

Delete applications that no longer require admin roles.

Step 8: Create an Administrative Access Policy

Document your administrative access standards in a formal policy:

Share this policy with all administrators and IT leadership. Schedule quarterly reviews to ensure ongoing compliance.

Step 9: Automate Auditing with PowerShell

For MSPs managing multiple tenants, manual auditing doesn’t scale. Use PowerShell to automate:

# Connect to the tenant with read-only directory permissions
Connect-MgGraph -Scopes "Directory.Read.All"

# Get all directory roles with members.
# Note: Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a built-in role nobody has ever been assigned does not appear, which is fine for an audit.
Get-MgDirectoryRole | ForEach-Object {
    $roleId = $_.Id
    $roleName = $_.DisplayName
    # -All pages through large memberships; @() keeps .Count correct for a single member
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $roleId -All)

    Write-Host "$roleName has $($members.Count) members"
    foreach ($member in $members) {
        # Members are returned as generic directory objects (users, groups, service principals),
        # so display name, UPN and object type live in AdditionalProperties, not as top-level properties
        $name = $member.AdditionalProperties['displayName']
        $upn  = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { $upn = $member.AdditionalProperties['mail'] }
        $type = $member.AdditionalProperties['@odata.type']
        Write-Host "  - $name ($upn) [$type]"
    }
}

Schedule this script weekly and compare output against your approved admin roster.
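The comparison against the approved roster is the part that turns the weekly export into findings. The following is an added example (not code from the original article or from 365 Security Assessment) that also covers the Global Administrator head count from Step 2 and the service-principal check from Step 7: it takes the current assignments (the shape produced by the loop above, with the member type taken from @odata.type), the roster spreadsheet from Step 3 as CSV, and reports unapproved assignments, roster entries that are no longer assigned or past their renewal date, service principals holding admin roles, and a Global Administrator count above the limit. All names, dates and the function name Compare-AdminRoster are constructed for this example.

```powershell
# Added example, not part of the original article. Both inputs are constructed.
# In practice: $approved = Import-Csv .\admin-roster.csv and $current is built from the
# Get-MgDirectoryRole / Get-MgDirectoryRoleMember loop, with Type = @odata.type minus '#microsoft.graph.'.
$approvedRosterCsv = @'
RoleName,Upn,Justification,RenewalDate
Global Administrator,breakglass1@contoso.example,Emergency access,2025-01-31
Global Administrator,breakglass2@contoso.example,Emergency access,2025-01-31
Exchange Administrator,mailadmin@contoso.example,Exchange operations,2024-12-31
Security Administrator,secops@contoso.example,Defender tuning,2024-03-31
'@

$currentAssignments = @(
    [pscustomobject]@{ RoleName = 'Global Administrator';   Upn = 'breakglass1@contoso.example'; Type = 'user' }
    [pscustomobject]@{ RoleName = 'Global Administrator';   Upn = 'breakglass2@contoso.example'; Type = 'user' }
    [pscustomobject]@{ RoleName = 'Global Administrator';   Upn = 'contractor@contoso.example';  Type = 'user' }
    [pscustomobject]@{ RoleName = 'Global Administrator';   Upn = 'legacy-sync-app';             Type = 'servicePrincipal' }
    [pscustomobject]@{ RoleName = 'Exchange Administrator'; Upn = 'mailadmin@contoso.example';   Type = 'user' }
)

function Compare-AdminRoster {
    param(
        [Parameter(Mandatory)] [object[]] $Current,
        [Parameter(Mandatory)] [object[]] $Approved,
        [int] $MaxGlobalAdmins = 3,            # article: 2-3 break-glass accounts
        [datetime] $AsOf = (Get-Date)
    )
    $approvedKeys = $Approved | ForEach-Object { "$($_.RoleName)|$($_.Upn)" }
    $currentKeys  = $Current  | ForEach-Object { "$($_.RoleName)|$($_.Upn)" }

    # 1. Assignments present in the tenant but absent from the roster
    foreach ($a in $Current) {
        if ($approvedKeys -notcontains "$($a.RoleName)|$($a.Upn)") {
            [pscustomobject]@{ Severity = 'High'; Finding = 'Unapproved assignment'; Role = $a.RoleName; Principal = $a.Upn }
        }
        if ($a.Type -eq 'servicePrincipal') {
            [pscustomobject]@{ Severity = 'High'; Finding = 'Service principal holds admin role'; Role = $a.RoleName; Principal = $a.Upn }
        }
    }
    # 2. Roster entries that are stale or expired
    foreach ($r in $Approved) {
        if ($currentKeys -notcontains "$($r.RoleName)|$($r.Upn)") {
            [pscustomobject]@{ Severity = 'Low'; Finding = 'Roster entry not assigned'; Role = $r.RoleName; Principal = $r.Upn }
        }
        if ([datetime]$r.RenewalDate -lt $AsOf) {
            [pscustomobject]@{ Severity = 'Medium'; Finding = 'Justification past renewal date'; Role = $r.RoleName; Principal = $r.Upn }
        }
    }
    # 3. Global Administrator head count
    $gaCount = @($Current | Where-Object RoleName -eq 'Global Administrator').Count
    if ($gaCount -gt $MaxGlobalAdmins) {
        [pscustomobject]@{ Severity = 'High'; Finding = "Global Administrator count $gaCount exceeds limit $MaxGlobalAdmins"; Role = 'Global Administrator'; Principal = '-' }
    }
}

$approved = $approvedRosterCsv | ConvertFrom-Csv
# Expected findings: contractor and legacy-sync-app unapproved, legacy-sync-app as service principal,
# secops not assigned and past renewal, Global Administrator count 4 > 3
Compare-AdminRoster -Current $currentAssignments -Approved $approved -AsOf ([datetime]'2024-06-01') |
    Sort-Object Severity | Format-Table -AutoSize
```

Keying on role plus principal (rather than principal alone) matters: an account approved for Exchange Administrator that later turns up as Global Administrator is an unapproved assignment, not a known admin.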

Step 10: Monitoring and Alerting

Configure alerts in the Microsoft Defender portal for administrative activity:

Navigate to Alerts & incidents -> Alert policies and create alerts for:

Set notifications to your security team so suspicious activity is detected in real time.

Conclusion

Regular auditing of Microsoft 365 administrative roles is the foundation of a secure cloud identity infrastructure. By implementing systematic reviews, removing inactive admins, enabling PIM, and monitoring activity, MSPs and MSSPs can significantly reduce the risk of privilege abuse and insider threats.

Administrative access should be treated as your organization’s most critical security asset. Audit it accordingly.

To assess your administrative access controls and receive recommendations for your Microsoft 365 environment, visit https://365securityassessment.com today.