MSRC Case: When Temporary Global Admin Rights Don’t Expire in Microsoft Entra PIM
A confirmed and fixed Microsoft Entra PIM flaw reported to MSRC - learn what happened, how it was fixed, and what admins should check.
Status: Fixed by Microsoft (MSRC). This post documents the behavior, impact, and how to detect/validate in your own tenant. Disclosure note: This post was reviewed by Microsoft MSRC prior to publication.
🚨 Summary
Microsoft Entra Privileged Identity Management (PIM) is meant to enforce time‑bound eligibility for privileged roles (like Global Administrator). In this case eligible Global Administrator assignments did not expire as expected. Instead of removing eligibility at the end date, PIM failed with CannotDeleteLastAdminAssignment, leaving the user able to elevate to Global Administrator after the expiry.
Good news: After this was reported to the MSRC, Microsoft confirmed the behavior and has made changes and updated documentation. Details below, plus a KQL query to check your tenant.
🧪 Reproduction (original report)
Tenant has one or more permanent Global Administrators assignments (e.g., break-glass). Because the cleanup logic evaluates eligible assignments, such permanently active GAs were not counted in that check.
A supplier, contractor, or internal user is given a temporary eligible Global Administrator assignment via PIM (e.g., 1 day). This scenario is rare and typically only relevant when this is the only eligible assignment, especially if approval has been disabled (which is strongly discouraged).
After the end date, PIM attempts to remove the eligible assignment.
PIM fails with the error:
1
CannotDeleteLastAdminAssignment
The eligible GA assignment remains, so the user can keep activating Global Administrator indefinitely despite the expiry.
I reproduced this scenario in a test tenant with a dedicated test user.
🔑 Result: My favorite test user who should have had time-limited access effectively retained persistent Global Admin privileges, even though an unaware administrator assumed the access had expired.
⚠️ Impact & Risk (from initial MSRC submission)
My initial assessment:
CVSS Category: Privilege Escalation
Impact: High (Global Administrator persistence)
Exploitability: Medium (requires an expired PIM assignment)
MSRC assessment:
Severity: Important
Security Impact: Elevation of Privilege
It’s reassuring to see that my conclusion (privilege persistence leading to elevation of privilege) aligned closely with Microsoft’s own classification.
Risk characteristics
Vendor/contractor GA eligibility persists after project end.
The Eligible Assignments overview in PIM show the assignment date as expired, but the user can still activate after this expiration date.
Audit clarity is limited. The CannotDeleteLastAdminAssignment message is not much known to admins, and without active monitoring the persistence can be missed.
🔎 Detecting the Issue (KQL)
Use the following Log Analytics / Kusto query to look for failed cleanup attempts where PIM tried to remove an eligible member from a role but failed with CannotDeleteLastAdminAssignment.
AuditLogs
| where TimeGenerated >= ago(30d)
| where OperationName == "Remove eligible member from role in PIM completed (timebound)"
| where Result == "failure"
| where ResultReason contains "CannotDeleteLastAdminAssignment"
| extend
TargetUser = tostring(TargetResources[2].userPrincipalName),
RoleName = tostring(TargetResources[0].displayName)
| project
TimeGenerated,
OperationName,
TargetUser,
RoleName,
ResultReason,
CorrelationId
| sort by TimeGenerated desc
Tip: Adjust the
ago(30d)window and optionally add| where RoleName == "Global Administrator"to narrow results. Be aware that to go futher back in time an active Log Analytic Workspace (LAW) with longer retention periode is required to query for the data.
🧩 Root Cause (as originally observed)
PIM’s cleanup logic validated only eligible assignments when removing the eligible GA assignment. If the only other GA accounts were permanent assigned assignments, the cleanup attempted to protect the tenant from lockout and failed the removal with CannotDeleteLastAdminAssignment
✅ Microsoft’s Response & Current Behavior
MSRC confirmation: Microsoft confirmed the behavior. Two changes followed (MSRC statements summarized):
June 2025: A platform change ensured there is always at least one eligible Global Administrator to avoid tenant lockout when the last eligible GA would be removed.
Post‑report enhancement: The logic was updated so the last eligible GA may expire if there are other assigned Global Administrators (for example, permanent break‑glass accounts). Only when no assigned GA exists will removal be blocked.
Docs updated: Public docs now emphasize that a permanent Global Administrator should exist for correct cleanup and that approvals are recommended for sensitive role activation.
Case status: MSRC marked the issue fixed and closed the case.
🛠️ Now on to you, the admin!
If you’re managing privileged roles with PIM:
- ✅ Verify Maintain at least one permanent (break‑glass) Global Administrator. Ensure this account is active permanent for GA and monitored.
- 🔎 Monitor audit logs for
CannotDeleteLastAdminAssignmentfailures and review any expired eligible GA assignments that still appear. Giving a peak at the audit logs once in a while does not hurt! - 🔐 Use approval workflows Require approval to activate GA and other highly privileged roles in PIM. (With this in place, this scenario would not been possible)
- 📅 Periodically view expired assignments that time‑bound assignments are actually removed once they expire.
For more information visit the Microsoft Learn pages:
- Assign Microsoft Entra roles in Privileged Identity Management
- Require approval to activate
- Manage emergency access accounts in Microsoft Entra ID
- Start using Privileged Identity Management
🙏 Final Thoughts
Microsoft’s engineering team confirmed the issue, rolled out a fix, and updated documentation to help admins avoid surprises in the future.
This will also be listed on Microsoft’s Online Services Acknowledgement Portal for this contribution, which is always a nice recognition.
I have learned a ton along the road on this first MSRC report. Thus far I had a great experience submitting these findings in the MSRC portal. Good and clear communication and in my opinion, fast response. Thank you to the MSRC team for the smooth operation (Operator🤖)!