Global Administrator role in Cayosoft Guardian
This article explains what the Global Administrator role is in Cayosoft Guardian, how users can receive Global Admin rights, how the role fits into role-based access control, and how Global Admin activity can be monitored.
The Global Administrator role in Cayosoft Guardian provides full access to the product and should be managed as a privileged role. Cayosoft Guardian supports several ways to assign Global Admin rights, including installation, Integrated Windows Authentication, and explicit RBAC delegation.
The Microsoft Entra Global Administrator role is separate from the Cayosoft Guardian Global Admin role. In Azure subscription setup workflows, Cayosoft Guardian currently requires a Microsoft Entra Global Administrator account during the wizard, but the credential is used only for setup and is not retained. After setup, Cayosoft Guardian runs steady-state operations under its dedicated Entra application account.
Overview
The Global Administrator, or Global Admin, is the highest-privileged role in Cayosoft Guardian. A user assigned this role has full access to every feature and setting in the product, including system configuration, security, role delegation, Forest Recovery, Threat Detection, Change Monitoring, and connected directory data.
Because of this scope, Global Admins are central to both day-to-day operation of Cayosoft Guardian and the broader security posture of Active Directory and Microsoft Entra ID environments.
How a user becomes a Global Admin
A user can receive Global Admin rights in Cayosoft Guardian in several supported ways.
During installation
When Cayosoft Guardian is installed, the installing user is automatically assigned the Global Administrator role in Cayosoft Guardian. This account can then sign in to the web portal and continue product configuration.
By default, the web portal is available at the following address: https://<servername>/guardian/admin#/
Through Integrated Windows Authentication
Users who sign in through Integrated Windows Authentication, or IWA, do not automatically receive Global Admin permissions by default.
To grant Global Admin permissions through IWA, both of the following conditions must be met:
- The user must be a member of the Active Directory Domain Administrators group.
- The Grant Global Admin permissions in Cayosoft Guardian to local Windows administrators option must be enabled on the Authentication Settings page.
NOTE:
Being a local Windows administrator on a client machine is not sufficient. The user must be a Domain Administrator. This setting applies only to IWA logins and does not affect Password or Microsoft 365 authentication.
Through role delegation
Global Admin permissions can also be granted explicitly through Cayosoft Guardian role-based access control, or RBAC.
For users who sign in through Microsoft 365 authentication, Global Administrator permissions must be configured separately in Settings > Delegation. The IWA Global Admin option does not apply to Microsoft 365 users.
Authentication methods for Global Admins
Cayosoft Guardian supports the following authentication methods:
- Password authentication, which uses credentials managed inside Cayosoft Guardian.
- Microsoft 365 authentication, which uses Microsoft Entra ID and can integrate with existing identity and access management policies.
- Integrated Windows authentication, which enables seamless sign-in for users on domain-joined machines.
- Ping Identity authentication, which enables integration with Ping Identity-based single sign-on environments for organizations that use Ping as their identity provider.
The Authentication Settings page is available only to Global Administrators. Global Admins can enable or disable authentication methods, configure sign-in disclaimers, and customize sign-in behavior.
IMPORTANT: At least one authentication method must remain enabled at all times to prevent administrator lockout.
How the Global Admin role fits into RBAC
Cayosoft Guardian uses a role-based access control model that includes several built-in roles. The Global Administrator role provides full access to every feature area. Other roles provide scoped access for specific administrative or monitoring tasks.
| Role | Access level |
|---|---|
| Global Administrator | Full access to all Cayosoft Guardian features and settings. |
| Global Reader | Read-only access to all areas, including configuration and monitoring data. |
| Threat Alerts Reader | Can review detected threats and alert details, but cannot modify or resolve them. |
| Threat Detection Operator | Can manage threat detection jobs, configure notifications, and resolve threats. |
| Change History Reader | Can review change history across connected systems. |
| Change Monitoring Operator | Can manage change monitoring, review changes, and manage alerts. |
The Global Administrator role is the only built-in role with full access to critical areas such as Forest Recovery, Microsoft 365, Active Directory, Configuration, Settings, and Jobs. For this reason, Global Admin assignments should be treated as privileged operations.
Managing role delegation
Global Admins can manage role assignments on the Settings > Delegation page.
To delegate a role, the following requirements must be met:
- You must be signed in as a Global Administrator.
- The user or group must already exist in Windows, Active Directory, or the connected identity source.
To create a role assignment, click Add, and then specify the following information:
- The principal name.
- The source, such as Windows or Active Directory.
- The principal type, such as User or Group.
- One or more roles.
- An optional description.
Existing role assignments can be edited, deleted, or exported for auditing. Changes take effect immediately after they are saved.
Cayosoft Guardian Global Admin vs. Microsoft Entra Global Administrator
Do not confuse the Global Administrator role in Cayosoft Guardian with the Global Administrator role in Microsoft Entra ID.
The Cayosoft Guardian Global Admin role controls access to the Cayosoft Guardian product. The Microsoft Entra Global Administrator role controls administrative permissions in Microsoft Entra ID.
Microsoft Entra Global Administrator requirement during Azure subscription setup
When adding an Azure subscription in Cayosoft Guardian, the Add Azure Subscription wizard currently requires a Microsoft Entra account that has the Global Administrator role. This requirement is enforced by the product during the wizard.
The Microsoft Entra Global Administrator credential is used only during the setup wizard and is not retained by Cayosoft Guardian. During setup, Cayosoft Guardian creates its own dedicated service principal and certificate. After setup is complete, steady-state operations run under that service principal, not under the Global Administrator user account.
NOTE:
The Global Administrator requirement applies to the Azure subscription setup workflow. It does not mean that Cayosoft Guardian continues to operate as the Global Administrator user after the wizard is completed.
Least-privilege roles for connection accounts
For connection accounts that back up, audit, and restore Microsoft Entra ID, Exchange Online, and Microsoft Teams, Cayosoft recommends using an account with sufficient Microsoft Entra permissions. However, to follow the least-privilege model, organizations can combine lower-privilege Microsoft Entra roles instead of using a Microsoft Entra Global Administrator account where supported.
Depending on the required operations, these roles may include:
- Directory Readers, for read-only auditing and reporting.
- Privileged Authentication Administrator, for restoring authentication-related attributes.
- User Administrator, for restoring user objects.
- Groups Administrator, for restoring groups.
Monitoring Global Admin activity
Because Global Admin access is highly privileged, Cayosoft Guardian includes built-in alerting rules and threat detections that help monitor changes related to this role.
The Entra ID Global Administrator role membership changed alerting rule raises an alert when members are added to the Global Administrator or Company Administrator roles in a Microsoft Entra tenant.
The Entra ID Global Administrator elevated access to Azure Resources alerting rule raises an alert when a Global Administrator uses the elevation feature to gain User Access Administrator rights at the Azure root scope, /. By default, this elevation can grant access to all Azure subscriptions and management groups in the directory.
The AD Administrators Group membership changed alerting rule provides similar monitoring for on-premises Active Directory groups, including:
- Administrators
- Backup Operators
- Server Operators
- ADSyncAdmins
- DnsAdmins
- Domain Admins
- Enterprise Admins
- Schema Admins
In addition to alerting rules, Cayosoft Guardian includes a dedicated risk-assessment threat plugin:
CTD-000023. Microsoft Entra tenant with unsecure delegation of Global Admin role.
The plugin participates in Threat Detection scans and helps identify tenants where Global Admin role assignments do not follow secure delegation best practices.
For most organizations, the recommended approach is to keep Global Admin assignments limited, use scoped roles for routine access, and rely on built-in alerts and threat detections to monitor unauthorized or risky changes.
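The following is an added example, not Cayosoft code, that shows the detection logic behind the three alerting rules above applied to constructed, already-normalised log records: additions to the Global Administrator or Company Administrator Entra roles, a Global Administrator elevation to User Access Administrator at the Azure root scope "/", and additions to the on-premises groups listed under the AD rule. The field names and sample records are this example's own assumptions; the Windows event IDs 4728/4732/4756 (member added to a security-enabled group) and the Azure operation name are real, but only additions are covered here, not removals.

```python
import json

# Entra roles the "Global Administrator role membership changed" rule watches.
WATCHED_ENTRA_ROLES = {"Global Administrator", "Company Administrator"}
# On-premises groups listed under the "AD Administrators Group membership changed" rule.
WATCHED_AD_GROUPS = {"Administrators", "Backup Operators", "Server Operators", "ADSyncAdmins",
                     "DnsAdmins", "Domain Admins", "Enterprise Admins", "Schema Admins"}
# Windows security event IDs: member added to a security-enabled global/local/universal group.
AD_MEMBER_ADDED_EVENTS = {4728, 4732, 4756}
# Azure activity-log operation written when a Global Administrator uses "elevate access".
ELEVATE_ACCESS_OP = "Microsoft.Authorization/elevateAccess/action"


def classify(event):
    """Map one normalised event (a dict) to the alert it should raise, or None."""
    source = event.get("source")
    if source == "entra_audit":
        if event.get("activity") == "Add member to role" and event.get("role") in WATCHED_ENTRA_ROLES:
            return "Entra ID Global Administrator role membership changed"
    elif source == "azure_activity":
        # Only elevation at the root scope "/" grants User Access Administrator over every subscription.
        if event.get("operation") == ELEVATE_ACCESS_OP and event.get("scope") == "/":
            return "Entra ID Global Administrator elevated access to Azure Resources"
    elif source == "windows_security":
        if event.get("event_id") in AD_MEMBER_ADDED_EVENTS and event.get("group") in WATCHED_AD_GROUPS:
            return "AD Administrators Group membership changed"
    return None


def scan(lines):
    """Run classify over JSON lines; return (alert, actor, target) for every hit, in input order."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        name = classify(event)
        if name is not None:
            alerts.append((name, event["actor"], event["target"]))
    return alerts


# Constructed sample records in this example's own normalised shape (not a vendor log schema).
SAMPLE_LINES = [
    '{"source":"entra_audit","activity":"Add member to role","role":"Global Administrator","actor":"alice@example.com","target":"bob@example.com"}',
    '{"source":"entra_audit","activity":"Add member to role","role":"Directory Readers","actor":"alice@example.com","target":"carol@example.com"}',
    '{"source":"azure_activity","operation":"Microsoft.Authorization/elevateAccess/action","scope":"/","actor":"bob@example.com","target":"/"}',
    '{"source":"windows_security","event_id":4728,"group":"Domain Admins","actor":"CORP\\\\dave","target":"CORP\\\\svc-backup"}',
    '{"source":"windows_security","event_id":4728,"group":"Print Operators","actor":"CORP\\\\dave","target":"CORP\\\\erin"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Of the five constructed records, only the Global Administrator addition, the root-scope elevation and the Domain Admins addition raise alerts; the Directory Readers and Print Operators changes are ignored because they are not on the watched lists.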