Azure AD Directory Roles - chadmcox/Azure_Active_Directory GitHub Wiki

Azure AD Directory Roles

Global Admins

  • Two of the accounts holding the role can be the break-glass / emergency access accounts described below
  • No more than 5 active user accounts should hold the role
  • No service principals should hold the role
  • My guidance: anyone who needs Global Administrator should be permanently assigned Global Reader instead, and elevate to Global Administrator only on the rare occasion a task requires it

Breakglass / Emergency Access Account

  • Exclude the break-glass accounts from every Conditional Access policy
  • Do not register any MFA method for them except, possibly, FIDO2
  • Change the password every 90 days and store it in a secure, non-digital form
  • Have at least two of them
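The following script is an added example, not code from this wiki or its author, that audits the Global Admin and break-glass guidance above with the Microsoft Graph PowerShell SDK: it counts active Global Administrator users, flags service principals and role-assignable groups holding the role, and for each break-glass account checks Conditional Access exclusions, registered authentication methods and password age. The two UPNs in $BreakGlassUpns and the contoso tenant are placeholders; replace them with your own emergency access accounts.

```powershell
# Added example (not part of the chadmcox wiki): audit the Global Administrator and
# break-glass guidance with the Microsoft Graph PowerShell SDK.
# The UPNs below are placeholders (assumption); substitute your own break-glass accounts.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

$BreakGlassUpns           = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')
$MaxActiveGlobalAdmins    = 5
$MaxPasswordAgeDays       = 90
# A break-glass account should only have its password and, optionally, a FIDO2 key registered.
$AllowedBreakGlassMethods = @('#microsoft.graph.passwordAuthenticationMethod',
                              '#microsoft.graph.fido2AuthenticationMethod')

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All',
                        'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-ODataType($obj) { $obj.AdditionalProperties['@odata.type'] }

# --- Global Administrator membership (active assignments only; PIM-eligible assignments are not listed here) ---
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$users  = @($members | Where-Object { (Get-ODataType $_) -eq '#microsoft.graph.user' })
$spns   = @($members | Where-Object { (Get-ODataType $_) -eq '#microsoft.graph.servicePrincipal' })
$groups = @($members | Where-Object { (Get-ODataType $_) -eq '#microsoft.graph.group' })

Write-Host "Active Global Administrator users: $($users.Count) (guidance: no more than $MaxActiveGlobalAdmins)"
$users | ForEach-Object { Write-Host "  $($_.AdditionalProperties['userPrincipalName'])" }
if ($users.Count -gt $MaxActiveGlobalAdmins) {
    Write-Warning "More than $MaxActiveGlobalAdmins active Global Administrator users"
}
if ($spns.Count -gt 0) {
    $names = ($spns | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
    Write-Warning "Service principals hold Global Administrator: $names"
}
if ($groups.Count -gt 0) {
    Write-Warning "$($groups.Count) role-assignable group(s) hold Global Administrator; their members are not expanded above"
}

# --- Break-glass accounts ---
$policies  = Get-MgIdentityConditionalAccessPolicy -All
$gaUserIds = @($users | ForEach-Object { $_.Id })

foreach ($upn in $BreakGlassUpns) {
    $bg = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, LastPasswordChangeDateTime
    Write-Host "`nBreak-glass account: $($bg.UserPrincipalName)"

    if ($gaUserIds -notcontains $bg.Id) {
        Write-Warning "  $upn is not an active Global Administrator"
    }

    # Every Conditional Access policy must carry the account in its user exclusions.
    # Only direct user exclusions are checked; an exclusion inherited through a group
    # in ExcludeGroups would be reported as missing, so review those warnings manually.
    foreach ($p in $policies) {
        if ($p.Conditions.Users.ExcludeUsers -notcontains $bg.Id) {
            Write-Warning "  not excluded from CA policy '$($p.DisplayName)' (state: $($p.State))"
        }
    }

    # No MFA methods other than FIDO2 should be registered.
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $bg.Id) {
        $t = Get-ODataType $m
        if ($AllowedBreakGlassMethods -notcontains $t) {
            Write-Warning "  unexpected authentication method registered: $t"
        }
    }

    # Password must have been rotated within the last 90 days.
    $age = (Get-Date) - $bg.LastPasswordChangeDateTime
    if ($age.TotalDays -gt $MaxPasswordAgeDays) {
        Write-Warning "  password last changed $([int]$age.TotalDays) days ago (limit $MaxPasswordAgeDays)"
    }
}
```

Run it interactively with an account that can consent to the read-only scopes listed in Connect-MgGraph; it makes no changes. Because Get-MgDirectoryRoleMember returns only active assignments, a tenant that follows the Global Reader plus just-in-time elevation guidance will normally show just the break-glass accounts as active Global Administrators.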

Reference: Manage emergency access accounts in Azure AD