๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Audit Privileged Admin Roles for MFA, Stale Accounts, and Least Privilege

Identify Global Admins and other privileged role holders, verify MFA coverage, detect stale accounts, and produce a least-privilege cleanup plan.

Complexity

Intermediate

Impact

security + compliance + identity + governance + audit

Context

Why This Matters

Why this audit matters

Privileged roles such as Global Administrator, Application Administrator, and Privileged Role Administrator grant tenant-wide control over identity, apps, and role assignments. A single compromised or stale privileged account is one of the most common paths to a full tenant breach.

Microsoft's Secure Score and the CISA SCuBA baseline both recommend:

  • No more than 2–4 permanent Global Administrators
  • 100% MFA coverage on all privileged accounts, ideally phishing-resistant
  • No stale (inactive > 90 days) privileged accounts
  • Just-in-time activation via Privileged Identity Management (PIM) rather than permanent role assignments

When to run this recipe

  • Quarterly as part of an access review cadence
  • Before and after any M&A / org change
  • When preparing for a security audit (SOC 2, ISO 27001, HIPAA)
  • After any suspected admin compromise

Expected Outcomes

What you'll have after running this recipe

  • A complete inventory of every user holding Global Administrator, Application Administrator, or Privileged Role Administrator
  • MFA status and registered authentication methods for each privileged user
  • Last interactive and non-interactive sign-in timestamps
  • Staleness flag (accounts inactive > 90 days)
  • Risk rating (Critical / High / Medium / Low) per account
  • A downloadable CSV report suitable for audit evidence
  • A prioritized least-privilege cleanup plan

Risks & Considerations

Warnings and gotchas

  • Do NOT remove your own Global Admin role without first confirming that at least one other enabled, MFA-protected Global Admin exists: otherwise you can lock yourself out of the tenant.
  • Maintain two break-glass (emergency access) accounts with permanent Global Admin and strong passwords stored offline. These accounts will legitimately appear stale; exclude them from cleanup.
  • signInActivity requires an Entra ID P1 or P2 license and the AuditLog.Read.All permission.
  • The roleAssignments endpoint only returns active (permanent) assignments. If you use PIM, also query roleEligibilitySchedules for eligible-but-not-active assignments.
  • Service principals and groups can also hold privileged roles; don't assume every principal is a user.
  • Never bulk-disable privileged accounts without a change window and stakeholder sign-off.

Required Permissions

Permission                            Why It's Needed
RoleManagement.Read.Directory         Read directory role definitions and active role assignments
Directory.Read.All                    Resolve user objects from principal IDs
User.Read.All                         Read user properties including accountEnabled and signInActivity
AuditLog.Read.All                     Read signInActivity (last sign-in timestamps) on user objects
UserAuthenticationMethod.Read.All     Enumerate registered MFA authentication methods per user
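Once the role holders, their sign-in activity and their registered authentication methods have been pulled with the permissions above, the staleness flag, risk rating and cleanup action from the Expected Outcomes and Risks sections can be computed offline. The following is an added example, not part of the recipe or of Dex: it runs over a constructed sample shaped like the merged Graph data (signInActivity timestamps and authentication-method @odata.type values), assumes a fixed audit date and a break-glass list, and its rating rules are its own, not Microsoft's or Dex's.

```python
from datetime import datetime, timezone
# Constructed sample shaped like merged Graph results per privileged user: role display name,
# accountEnabled, signInActivity and the @odata.type of each registered authentication method.
STALE_DAYS = 90
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed audit date for the sample
BREAK_GLASS = {"breakglass1@contoso.example"}     # emergency-access accounts: stale by design, keep
PHISHING_RESISTANT = {"#microsoft.graph.fido2AuthenticationMethod",
                      "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"}
MFA = PHISHING_RESISTANT | {"#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
                            "#microsoft.graph.phoneAuthenticationMethod"}
SAMPLE = [
    {"upn": "alice@contoso.example", "role": "Global Administrator", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-30T08:00:00Z", "lastNonInteractiveSignInDateTime": None},
     "methods": ["#microsoft.graph.passwordAuthenticationMethod", "#microsoft.graph.fido2AuthenticationMethod"]},
    {"upn": "bob@contoso.example", "role": "Global Administrator", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-22T08:00:00Z", "lastNonInteractiveSignInDateTime": None},
     "methods": ["#microsoft.graph.passwordAuthenticationMethod"]},
    {"upn": "carol@contoso.example", "role": "Application Administrator", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-01T08:00:00Z", "lastNonInteractiveSignInDateTime": "2023-12-01T08:00:00Z"},
     "methods": ["#microsoft.graph.passwordAuthenticationMethod", "#microsoft.graph.phoneAuthenticationMethod"]},
    {"upn": "breakglass1@contoso.example", "role": "Global Administrator", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": None, "lastNonInteractiveSignInDateTime": None},
     "methods": ["#microsoft.graph.passwordAuthenticationMethod"]},
]

def assess(rec, now=NOW, stale_days=STALE_DAYS):
    """Risk rating and least-privilege action for one account (rating rules are this example's own)."""
    found = set(rec["methods"])
    mfa = "phishing-resistant" if PHISHING_RESISTANT & found else "standard" if MFA & found else "none"
    # Staleness looks at the most recent sign-in of either kind; a user who never signed in is stale.
    stamps = [datetime.fromisoformat(s.replace("Z", "+00:00")) for s in rec["signInActivity"].values() if s]
    idle = (now - max(stamps)).days if stamps else None
    stale = idle is None or idle > stale_days
    if rec["upn"] in BREAK_GLASS:
        risk, action = "Low", "Exclude from cleanup: break-glass account"
    elif mfa == "none":
        risk, action = ("Critical" if rec["role"] == "Global Administrator" else "High"), "Enforce MFA now"
    elif stale:
        risk, action = "High", f"Remove {rec['role']} assignment (inactive > {stale_days} days)"
    elif mfa == "standard":
        risk, action = "Medium", "Move to phishing-resistant MFA; convert to PIM-eligible"
    else:
        risk, action = "Low", "Convert permanent assignment to PIM-eligible"
    return {"upn": rec["upn"], "role": rec["role"], "mfa": mfa, "days_inactive": idle,
            "stale": stale, "risk": risk, "action": action}

def audit(records=SAMPLE, now=NOW):  # full report, highest risk first: the cleanup plan order
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted((assess(r, now) for r in records), key=lambda r: order[r["risk"]])
```

Feed `audit()` the rows to `csv.DictWriter` to get the audit-evidence CSV; the `action` column is the cleanup plan.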

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit all users holding Global Administrator, Application Administrator, and Privileged Role Administrator roles in our tenant. For each: verify MFA enforcement and method strength, pull last sign-in activity, flag accounts inactive for more than {stale_days} days, and produce a risk-ranked CSV plus a least-privilege cleanup plan (including PIM recommendations).