BG Beter Geregeld ICT
Access reviews · 2 min leestijd · 19 January 2026

Reviewing the Global Admin role: the highest-risk category

If there is one category where review discipline is absolutely critical, it's Global Admin and equivalent roles. Here is the dedicated procedure that sits on top of your standard access review.

Global Admin, AWS root, Salesforce system admin, GitHub org owner — these roles receive separate treatment in every review. No bulk processing, no sampling: full visibility, every time.

What do you review for each Global Admin?

  • Still employed / in role?
  • Actually used in the past quarter? (log check)
  • Compliant with PAM policy — dedicated admin account, hardware MFA, not used for day-to-day work?
  • Is there a backup person who can take over the same access? (minimum 2, never just 1)
  • Password rotated since the role was assigned?

What if someone hasn't used it in 90 days?

Red flag. Either they don't need it — revoke it. Or they're quietly doing admin work through their regular user account (policy violation). Either way: a conversation is required.

Just-in-time as the mature solution

In Entra ID you can use PIM: Global Admin rights are not permanently active — a user activates them for a maximum of 8 hours with peer approval. Every activation is logged as evidence. See M365 governance for the setup.

Reporting

Include a dedicated section in the review report — "Privileged Access Review" — signed off by management. Even when no changes were made.

See also: PAM article, review pillar.

Onderwerpen

#privileged-access #access-review #global-admin

Volledige gids: Revisiones de acceso periódicas: proceso, frecuencia y evidencia

Dit artikel is onderdeel van onze uitgebreide Access reviews-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Access reviews

Periodic access reviews: process, frequency, and audit evidence

An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.

2 min
Access reviews

Reviewing service accounts — the invisible majority

Alongside real employees, you have service accounts: API integrations, scheduled jobs, automation. Often there are more of these than human users. Who owns them, and how do you review them?

2 min
Access reviews

Dealing with "former employees" in your review — the cleanup round

Your first review turns up 8 accounts belonging to people who left years ago. That's not a problem — that's progress. Here's how to handle it without it turning into a blame session.

2 min
Access reviews

Access review scope: what's in, what's out?

Not every user, not every system needs to be included in every review. Here's how to define your scope so it stays manageable — and defensible in an audit.

2 min
Access reviews

Bulk decisions in access reviews: faster without being careless

80% of the rows in a review are routine. You want to handle those in a single click. How do you do that without accidentally missing a critical row?

2 min
Access reviews

Evidence for access reviews: what to keep and where

A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.

2 min
← Alle artikelen in "Access reviews"