Stop Using Global Admin to Manage Conditional Access
- Kyle Cira

- Apr 15
- 2 min read

If you’re using Global Administrator to create or modify Conditional Access (CA) policies in Microsoft 365, it’s time to rethink that approach.
This is one of the most common issues I see during Microsoft 365 Security Assessments—and it introduces unnecessary risk.
The Real Problem
Conditional Access is one of the most powerful security controls in Microsoft 365. But it’s also one of the easiest places to make a mistake.
A scenario I see all the time:
An admin, signed in as Global Administrator, creates or modifies a CA policy
While saving it, they exclude their own account (typically to avoid locking themselves out)
The result?
The exclusion lands on a Global Admin account, so that account ends up outside the MFA policy or other critical protections. This creates a dangerous gap where your most powerful accounts are suddenly less protected than standard users. The same mistake made from a less privileged account has a much smaller blast radius, which is the point of the next section.
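The gap described above is easy to detect and worth checking on a schedule. The following Microsoft Graph PowerShell script is an added example, not code from the original post: it lists every Conditional Access policy that requires MFA and reports any that exclude a Global Administrator, whether the exclusion is the Global Administrator role itself, a Global Admin's user object, or a group that contains one. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the read-only scopes requested; the Global Administrator role template ID is the documented tenant-independent value.

```powershell
# Added example (not from the original post): find MFA policies that exclude Global Administrators.
# Assumes the Microsoft.Graph PowerShell SDK and read-only Graph scopes; no changes are made.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# Documented, tenant-independent role template ID for Global Administrator.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Collect the active Global Administrator members (object ID -> UPN).
# PIM-eligible members do not appear here; check eligibility separately if you use PIM for GA.
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
$gaMembers = @{}
if ($gaRole) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
        $gaMembers[$_.Id] = $_.AdditionalProperties['userPrincipalName']
    }
}

function Test-RequiresMfa($policy) {
    # Either the built-in 'mfa' grant control or an authentication strength counts as requiring MFA.
    ($policy.GrantControls.BuiltInControls -contains 'mfa') -or
    ($null -ne $policy.GrantControls.AuthenticationStrength.Id)
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if (-not (Test-RequiresMfa $p)) { continue }
    $users = $p.Conditions.Users

    # 1. The Global Administrator role excluded wholesale.
    if ($users.ExcludeRoles -contains $GlobalAdminTemplateId) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Excluded = 'Global Administrator role'; Via = 'role' }
    }

    # 2. A Global Admin's user object excluded directly (the "excluded myself" case).
    foreach ($id in $users.ExcludeUsers) {
        if ($gaMembers.ContainsKey($id)) {
            [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Excluded = $gaMembers[$id]; Via = 'user' }
        }
    }

    # 3. A Global Admin excluded through a group, including nested groups.
    foreach ($gid in $users.ExcludeGroups) {
        $hits = Get-MgGroupTransitiveMember -GroupId $gid -All | Where-Object { $gaMembers.ContainsKey($_.Id) }
        foreach ($m in $hits) {
            [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State; Excluded = $gaMembers[$m.Id]; Via = "group $gid" }
        }
    }
}

$findings | Sort-Object Policy | Format-Table -AutoSize
```

Expect your break-glass accounts to show up in the output if they hold Global Administrator, since excluding them from CA is deliberate; everything else listed is a finding to fix. Policies in report-only state are included on purpose, because an exclusion added while testing usually survives into enforcement.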
The Better Approach: Use Conditional Access Administrator
Instead of using Global Admin, use the Conditional Access Administrator role to manage CA policies. It can create, edit, and delete CA policies and named locations, which is all that day-to-day policy work requires.
Benefits:
Limits permissions to only what’s needed
Reduces impact if the account is compromised
Aligns with the principle of least privilege
If a Conditional Access Administrator account is breached, the attacker’s capabilities are far more limited compared to a Global Admin compromise: they cannot assign roles, take over other accounts, or reach data outside the CA configuration. Keep in mind, though, that the role is still highly privileged in its own right, because anyone holding it can disable or weaken every CA policy in the tenant. Treat it as a privileged account: enforce phishing-resistant MFA on it and never leave it permanently assigned.
Layer It with PIM
To take this even further, combine this approach with Privileged Identity Management (PIM):
Make admin roles eligible instead of always active
Require just-in-time activation
Add approval workflows if needed
Automatically expire elevated access
This ensures that even your delegated admin roles are not persistently exposed.
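Making the role eligible rather than active is a single PIM request. The script below is an added example, not code from the original post: it grants a user an eligible (not active) assignment for Conditional Access Administrator with a fixed eligibility window, then reads the assignment back to confirm it is eligible only. It assumes the Microsoft.Graph PowerShell SDK, an account that can manage role assignments (Privileged Role Administrator, or Global Administrator for this one-time setup), and a placeholder user principal name; the role template ID is the documented tenant-independent value.

```powershell
# Added example (not from the original post): PIM-eligible assignment for Conditional Access Administrator.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

# Documented, tenant-independent role template ID for Conditional Access Administrator.
$CaAdminTemplateId = 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9'

# Placeholder delegated admin account (assumption, replace with the real UPN).
$user = Get-MgUser -UserId 'ca-admin@contoso.example'

# An eligibility request: the user can activate the role through PIM but holds nothing until then.
$request = @{
    Action           = 'adminAssign'
    Justification    = 'Delegated CA policy management; activated just-in-time via PIM'
    RoleDefinitionId = $CaAdminTemplateId
    DirectoryScopeId = '/'                      # tenant-wide scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'P180D' }   # eligibility itself expires, forcing a review
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Verify: the user appears as eligible for the role, and not among the active assignments.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$CaAdminTemplateId'"
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$CaAdminTemplateId'"
```

The second query should return nothing until the user activates. Maximum activation duration, MFA on activation, approval, and justification requirements are configured per role in the PIM role settings rather than on the assignment, so set those once for the role and every eligible assignment inherits them.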
Best Practice Summary
Do this instead:
Use Conditional Access Administrator for CA policy management
Do not exclude the account you are signed in with when saving a CA policy; if the portal warns about locking yourself out, rely on your break glass accounts rather than an exclusion
Reserve Global Admin for only what truly requires it
Enable PIM for all admin roles (except break glass accounts)
Final Thoughts
Conditional Access is designed to protect your environment—but if it’s managed with excessive privilege, it can become a point of failure.
Reducing privilege doesn’t just improve security—it reduces the likelihood that a simple mistake turns into a major incident.
Work With Redeemer Cyber
At Redeemer Cyber, we help organizations implement secure, practical, and real-world-tested Microsoft 365 configurations aligned to CIS benchmarks.
Contact us today to secure your Microsoft 365 environment the right way.