This article describes the new Global Reader role in Azure.
It's a fact that a lot of customers are still not able to implement MFA for their administrator accounts. This is a big issue that organisations should treat as priority 1. We also saw this in a session at Microsoft Ignite this year.
When I work on projects for clients, I also see a lot of basic issues that should be attended to immediately, like the lack of MFA on administrator accounts, which is just a one-click setup if you use the built-in Compliance Policy.
Another thing that pops up a lot is the huge number of Global Administrator accounts. This should really be limited to only a few (Microsoft recommends five at maximum). We should work with all the roles available to us in Azure so our IT admins can do their daily work with no more than they need. For example, someone who has to administer the Intune part of Azure could simply be given only the Intune Administrator role. Microsoft also brings out new roles on a regular basis.
Or even better, make use of PIM (Privileged Identity Management), provided the customer has the required subscriptions. If you want more info on PIM, you can find it here, and I'll also dive deeper into it in an upcoming blog post: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
In this blog post I'll share some thoughts on a new role that has been added in the past few weeks: the Global Reader role.
I think most companies should ask themselves a question about the huge number of Global Administrator roles they have given away to people: "do they really need this?". Because what is going to happen when one of those accounts gets compromised? The Global Administrator has full access to everything. So it would be very easy for someone who got in to just delete all your resource groups with all the resources in them. A simple lock on a resource group won't prevent this; the account has access to everything. I can hear you asking yourself now: "But this will never happen, all my Global Administrators have MFA enabled". But does MFA really keep you that safe? The more Global Administrator accounts you have in your organisation, the more of them can get compromised, no? And does MFA really catch everything? It doesn't. So you have to keep that number at a minimum. I can understand that some people in the organisation need to see everything, but do they need to be able to do everything? I really don't think so. In my opinion you should have 1 or 2 Global Administrators at maximum within your organisation, together with a break-glass account (just in case something goes really wrong) that you keep in a safe for disaster scenarios.
And it's really simple. The IT administrators just get the roles they need to do their work. Or, with PIM, they request the roles they need to do their work and get them for a limited time. And all the people who want full access to the Azure tenant but don't really work with it, who just need to see things, you give the Global Reader role.
The Global Reader role is at this moment in Public Preview, so you can already make use of this feature in your tenant. The Global Reader role is a read-only version of the Global Administrator role, which allows you to view all settings and administrative information across Microsoft 365. You can use the Global Reader role for planning, audits, and investigations. Global Reader can also be combined with other limited administrative roles, such as Exchange Administrator, making it easier to work without Global Administrator privileges.
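As an added example (not from the original post), the script below audits how many Global Administrators a tenant has against the maximum recommended above, then activates the Global Reader role template and assigns it to a read-only user. It assumes the AzureAD PowerShell module, a signed-in account allowed to read and assign directory roles, and a constructed placeholder UPN for the auditor.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module;
# the UPN below is a constructed placeholder.
Connect-AzureAD | Out-Null

$MaxGlobalAdmins = 5                      # the maximum recommended in the post
$ReaderUpn = 'auditor@contoso.example'    # hypothetical read-only user

# Older AzureAD module versions show Global Administrator as "Company Administrator",
# so match either display name.
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in 'Global Administrator', 'Company Administrator' }
$gaMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId)

Write-Host "Global Administrators: $($gaMembers.Count)"
$gaMembers | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table

if ($gaMembers.Count -gt $MaxGlobalAdmins) {
    Write-Warning "More than $MaxGlobalAdmins Global Administrators: review who really needs the role."
}

# Global Reader only appears in Get-AzureADDirectoryRole once its template has
# been activated in the tenant, so activate it if it is not there yet.
$readerRole = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Global Reader'
if (-not $readerRole) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Reader'
    $readerRole = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Give the auditor Global Reader instead of Global Administrator (idempotent).
$user = Get-AzureADUser -ObjectId $ReaderUpn
$already = Get-AzureADDirectoryRoleMember -ObjectId $readerRole.ObjectId |
    Where-Object ObjectId -eq $user.ObjectId
if (-not $already) {
    Add-AzureADDirectoryRoleMember -ObjectId $readerRole.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Assigned Global Reader to $ReaderUpn"
}
```

Run the audit part on its own first; any Global Administrator who only needs to view things is a candidate for the Global Reader assignment at the end.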
Do take care though, it has a few limitations at this point:
- SharePoint admin center – SharePoint admin center does not support the Global reader role. You won’t see ‘SharePoint’ in left pane under Admin Centers in Microsoft 365 admin center.
- OneDrive admin center – OneDrive admin center does not support the Global reader role.
- Azure AD portal – Global reader can’t read the provisioning mode of an enterprise app.
- M365 admin center – Global reader can’t read customer lockbox requests. You won’t find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
- M365 Security center – Global reader can’t read sensitivity and retention labels. You won’t find Sensitivity labels, Retention labels, and Label analytics tabs in the left pane of the M365 Security center.
- Teams admin center – Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management and App catalog.
- Privileged Access Management (PAM) doesn’t support the Global reader role.
- Azure Information Protection – Global reader is supported for central reporting only, and when your Azure AD organization isn’t on the unified labeling platform.
Work on removing these limitations is currently in progress.
So take my advice: keep your Global Administrators at a minimum, with 5 at most! Use the Global Reader role as much as you can for people who don't need to do anything but reporting and auditing.