Learn about extra admin accounts and how to mitigate this risk.
Having numerous accounts with high-level administrative roles increases the vulnerability to security breaches. Limiting the number of accounts with privileged roles helps reduce the attack surface, making it harder for attackers to infiltrate your organization's resources.

Attack Surface Risk Management defines extra admin accounts as the total number of administrator accounts exceeding five.
To mitigate this risk:

- Microsoft Entra ID: Ensure that there are no more than five people assigned the Global Administrator role.
- Active Directory: Ensure that there are no more than five members of the Administrators group.
Note: For very large organizations, it may be necessary to exceed five admin accounts. However, "Extra Admin Accounts" risks cannot currently be added to the exception list.
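The two checks above can be scripted so the count is verified on a schedule rather than by hand. The following PowerShell is an added example, not Trend Micro's own tooling or the Attack Surface Risk Management detection logic. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that `Connect-MgGraph` has already been run with a scope that can read directory roles (the `RoleManagement.Read.Directory` scope is assumed here), and that the account running it can enumerate the domain's Administrators group; the function names and the `$Threshold` variable are this example's own, while the limit of five comes from the page.

```powershell
# Added example: count privileged accounts against the page's limit of five.
# Assumes Microsoft.Graph (Connect-MgGraph already done) and ActiveDirectory modules.

$Threshold = 5   # limit stated on the page

function Get-EntraGlobalAdminCount {
    # The Global Administrator directory role only appears once it has been
    # activated in the tenant; if it is absent, nobody holds it.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) {
        return [PSCustomObject]@{ Source = 'Entra ID / Global Administrator'; Count = 0; Members = @() }
    }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    # The page speaks of "people", so only user objects are counted here;
    # groups and service principals holding the role are listed separately.
    $users  = $members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    $others = $members | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user' }
    [PSCustomObject]@{
        Source  = 'Entra ID / Global Administrator'
        Count   = @($users).Count
        Members = @($users | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
        NonUserAssignments = @($others | ForEach-Object { $_.Id })
    }
}

function Get-ADAdministratorsCount {
    # -Recursive expands nested groups (e.g. Domain Admins inside Administrators)
    # so accounts that are members only indirectly are still counted.
    $members = Get-ADGroupMember -Identity 'Administrators' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    [PSCustomObject]@{
        Source  = 'Active Directory / Administrators group'
        Count   = @($members).Count
        Members = @($members | Select-Object -ExpandProperty SamAccountName)
        NonUserAssignments = @()
    }
}

function Test-ExtraAdminAccounts {
    param([int]$Limit = $Threshold)
    foreach ($result in @((Get-EntraGlobalAdminCount), (Get-ADAdministratorsCount))) {
        $status = if ($result.Count -gt $Limit) { 'EXTRA ADMIN ACCOUNTS' } else { 'OK' }
        "{0}: {1} accounts (limit {2}) -> {3}" -f $result.Source, $result.Count, $Limit, $status
        if ($result.Count -gt $Limit) {
            $result.Members | ForEach-Object { "    $_" }
        }
        if ($result.NonUserAssignments.Count -gt 0) {
            "    (also {0} non-user object(s) holding this role, review separately)" -f $result.NonUserAssignments.Count
        }
    }
}

Test-ExtraAdminAccounts
```

Two caveats when reading the output: `Get-MgDirectoryRoleMember` returns only active, directly assigned members, so accounts that are merely eligible for Global Administrator through Privileged Identity Management, or that receive it through a role-assignable group, are not counted by this script even though they can become administrators on demand; and the script's user-only count may differ from the number Attack Surface Risk Management reports, since the product's own definition is simply "administrator accounts exceeding five" and does not state which object types it includes.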