Project 2 – Change Global Administrator to Privileged Role Administrator
This project demonstrates a governance-driven identity management task in Microsoft Entra ID: replacing a Global Administrator (GA) assignment with a more appropriate Privileged Role Administrator (PRA) role. This supports least-privilege design, limits risk exposure, and exercises role reassignment processes in a real-world tenant simulation.
Scenario
A user currently holds the Global Administrator role in a Microsoft Entra tenant. As part of a security review, the tenant owner decides to remove this standing privilege and instead assign the Privileged Role Administrator role to the user. The PRA role allows management of directory role assignments (including in Privileged Identity Management) but does not by itself carry full tenant authority over settings, applications, and data. One caveat a reviewer should record: because a PRA can manage role assignments, a PRA can still grant Global Administrator, including to their own account, so the role remains highly privileged. The gain of this change is the removal of standing GA rights and a narrower day-to-day blast radius, not the elimination of an escalation path, which is why the reassignment should be paired with auditing of role changes. With that understood, the change aligns the user's privileges with their actual responsibilities.
Step-by-Step Action Flow (Simulated)
Navigate to Microsoft Entra Admin Center → Identity → Users
Locate the user janeadmin@contoso.com
Remove Global Administrator from Assigned roles
Assign the role Privileged Role Administrator
Confirm the user now appears with only the PRA role
Optional: log in as janeadmin@contoso.com and validate role management behavior in Entra portal
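The portal steps above can be scripted and verified with the Microsoft Graph PowerShell SDK. The block below is an added example written for this write-up, not code from the original project; it assumes the Microsoft.Graph module is installed, that the operator signs in with an account permitted to manage role assignments, and that the target user is janeadmin@contoso.com as in the scenario. The two role template IDs are the fixed Entra values for Global Administrator and Privileged Role Administrator. Unlike the portal flow, it grants PRA before removing GA so the user is never left without a role, and it refuses to run if the user is the tenant's only active Global Administrator.

```powershell
# Added example (not from the original write-up): swap a direct Global Administrator
# assignment for Privileged Role Administrator via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; operator can manage role assignments;
# $Upn is the user from the scenario. Role template IDs are the fixed Entra IDs.
param(
    [string]$Upn = 'janeadmin@contoso.com'
)
$ErrorActionPreference = 'Stop'

$GlobalAdminId   = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$PrivRoleAdminId = 'e8611ab8-c189-46e8-94e1-60213ab1f814'   # Privileged Role Administrator

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.Read.All','AuditLog.Read.All' -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

# Guard rail: never remove the tenant's last active Global Administrator.
# (Emergency-access accounts should show up here as "other" GAs.)
$gaAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$GlobalAdminId'" -All
$otherGAs = $gaAssignments | Where-Object { $_.PrincipalId -ne $user.Id }
if (-not $otherGAs) {
    throw "Refusing to continue: $Upn holds the only active Global Administrator assignment."
}

$userGA = $gaAssignments | Where-Object { $_.PrincipalId -eq $user.Id }
if (-not $userGA) { throw "$Upn holds no active Global Administrator assignment." }

# Grant the narrower role first so the user is never left with no role at all.
$existingPRA = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$PrivRoleAdminId'"
if (-not $existingPRA) {
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
        roleDefinitionId = $PrivRoleAdminId
        principalId      = $user.Id
        directoryScopeId = '/'   # tenant-wide, as in the scenario (no AU scoping)
    } | Out-Null
}

# Now remove the user's GA assignment(s); there is normally exactly one.
foreach ($a in $userGA) {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
}

# Verify: GA must be gone and PRA must be present on the user's remaining assignments.
$remaining = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -ExpandProperty roleDefinition
$remaining | Select-Object @{ n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId
if ($remaining.RoleDefinitionId -contains $GlobalAdminId)    { throw 'Global Administrator is still assigned.' }
if ($remaining.RoleDefinitionId -notcontains $PrivRoleAdminId) { throw 'Privileged Role Administrator was not assigned.' }

# Audit evidence: both the removal and the new assignment land in the directory audit log
# under the RoleManagement category (activities "Remove member from role" / "Add member to role").
$since = (Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" -All |
    Where-Object { $_.TargetResources.Id -contains $user.Id } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result
```

This script only handles active (permanent) assignments, which is what the portal's "Assigned roles" blade shows for the scenario; a PIM eligible assignment is a separate object and would not appear in the unifiedRoleAssignment queries above.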
Entra Control Stack Mapping

| Layer | Description |
|---|---|
| Layer 1 – Authority Definition | ✅ Touched. A tenant-level administrator with the proper role management privileges executes the change. No emergency access accounts are modified. |
| Layer 2 – Scope Boundaries | ❌ Not affected. The role is assigned tenant-wide; no Administrative Unit (AU) scoping is used. |
| Layer 3 – Test Identity Validation | ✅ Active validation. After confirming removal of GA rights, the janeadmin@contoso.com user signs in and attempts role assignments. This confirms that the PRA role is functioning and that GA authority has been removed. |
| Layer 4 – External Entry Controls | ❌ Not affected. This action applies to an internal user; no B2B or guest access is involved. |
| Layer 5 – Privilege Channels | ✅ Core focus. The project replaces one high-privilege role (GA) with a narrower privilege channel (PRA), reducing exposure to tenant-wide controls. |
| Layer 6 – Device Trust Enforcement | ❌ Not affected. No device trust or compliance requirements are altered. |
| Layer 7 – Continuous Verification | ✅ Optional follow-up. Access reviews or sign-in log reviews could be scheduled to track usage of PRA assignments over time. |
Outcome:
The user janeadmin@contoso.com now holds the Privileged Role Administrator role instead of Global Administrator
Tenant privileges are reduced and more aligned with operational needs
Audit logs confirm both the role removal and the reassignment
Optional sign-in simulation confirms the practical limitations of the new role
Governance Takeaways:
Global Administrator should be used sparingly and only when truly necessary
PRA provides enough authority to manage most directory-level privileges without overexposing the tenant, but it can still assign Global Administrator, so role-change auditing remains essential
This project supports a layered, maintainable privilege model and contributes to Zero Trust governance