“Microsoft 365 Directory Role Audit”
Autotask PSA Datto RMM Datto Backup Microsoft 365 SmileBack HubSpot IT Glue All reports
AI-GENERATED REPORT
You searched for:
How are M365 directory roles distributed across tenants and users?

Microsoft 365 Directory Role Audit

Distribution and risk analysis of privileged admin roles across managed tenants.

Built from: M365 Lighthouse
How this report was made
1
Autotask PSA
Multiple data sources combined
2
Proxuma Power BI
Pre-built MSP semantic model, 50+ measures
3
AI via MCP
Claude or ChatGPT writes DAX queries, executes them, formats output
4
This Report
KPIs, breakdowns, trends, recommendations
Ready in < 15 min
Want to run this report against your own Autotask PSA data?
Get Proxuma Power BI

Microsoft 365 Directory Role Audit

Distribution and risk analysis of privileged admin roles across managed tenants.

The data covers the full scope of Autotask PSA records relevant to this analysis, broken down by the key dimensions your team needs for day-to-day decisions and client reporting.

Who should use this: Security teams, compliance officers, and MSP owners managing risk

How often: Weekly for security posture, monthly for compliance reporting, on-demand for audits

Time saved
Security audits across multiple tenants require logging into each one separately. This report aggregates it.
Risk visibility
Delegated privilege gaps, guest user sprawl, and compliance issues surfaced in one view.
Audit readiness
Pre-formatted compliance data for client audits and regulatory requirements.
Report categorySecurity & Compliance
Data sourceAutotask PSA · Datto RMM · Datto Backup · Microsoft 365 · SmileBack · HubSpot · IT Glue
RefreshReal-time via Power BI
Generation timeUnder 15 minutes
AI requiredClaude, ChatGPT or Copilot
AudienceSecurity teams, compliance officers
Where to find this in Proxuma
Power BI › Security › Microsoft 365 Directory Role Audit
What you can measure in this report
Summary Metrics
Global Admin Analysis by Tenant
Security Admin Trend Over Time
Security Risk Assessment
Finding Detail by Severity
Security Posture Overview
Key Findings
Strategic Recommendations
Frequently Asked Questions
Global Admins
Avg per Tenant
Overprovisioned
AI-Generated Power BI Report
Microsoft 365 Directory Role Audit

Distribution and risk analysis of privileged admin roles across managed tenants.

Demo Report: This report uses synthetic data to demonstrate AI-generated insights from Proxuma Power BI. The structure, DAX queries, and analysis reflect real MSP data patterns.
1.0 Summary Metrics
Global Admins
872
218 tenants x 4 standard roles
Avg per Tenant
4
Uniform: Company Admin, Helpdesk, Service Support, User Account
Overprovisioned
27+ unique
All members hold all 4 roles simultaneously
PIM Enabled
38.7%
55 tenants using PIM
View DAX Query - Summary Metrics 
EVALUATE SUMMARIZECOLUMNS('BI_MicrosoftPartnerCenter_Directory_Roles'[name], "RoleCount", COUNTROWS('BI_MicrosoftPartnerCenter_Directory_Roles'))
2.0 Global Admin Analysis by Tenant

Breakdown of directory roles focusing on global admin across tenants.

Contoso Ltd
240
Fabrikam Inc
210
Woodgrove Bank
180
Tailspin Toys
150
Adventure Works
120
Litware Inc
90
TenantGlobal AdminExchange AdminSecurity AdminStatusLast Updated
Contoso Ltd94.2%88.1%91.3%Good2 hours ago
Fabrikam Inc91.8%85.4%87.6%Good3 hours ago
Woodgrove Bank87.3%79.2%82.1%Warning1 hour ago
Tailspin Toys82.1%74.8%78.4%Warning4 hours ago
Adventure Works78.6%71.3%74.9%Critical2 hours ago
Litware Inc96.1%92.7%94.5%Good1 hour ago

Adventure Works shows the lowest global admin coverage at 78.6%, falling below the recommended 80% threshold. Combined with Tailspin Toys at 82.1%, these two tenants represent the most significant directory roles gaps in the portfolio and should be prioritized for remediation.

View DAX Query - Global Admin Analysis by Tenant 
EVALUATE
SUMMARIZECOLUMNS(
    BI_Microsoft_DirectoryRoles[tenant_name],
    "Global Admin", CALCULATE(COUNTROWS(BI_Microsoft_DirectoryRoles), BI_Microsoft_DirectoryRoles[policy_type] = "Global Admin"),
    "Exchange Admin", CALCULATE(COUNTROWS(BI_Microsoft_DirectoryRoles), BI_Microsoft_DirectoryRoles[policy_type] = "Exchange Admin")
)
ORDER BY [Global Admin] DESC
3.0 Security Admin Trend Over Time

How security admin has evolved over the past 90 days.

January
82.4%
February
85.1%
March
87.3%
MonthTotal TenantsGlobal Admin CoverageExchange Admin CoverageSecurity Admin Coverage
January 202613884.1%69.6%60.9%
February 202614085.7%71.4%62.8%
March 202614287.3%72.5%64.1%

Security Admin coverage improved from 60.9% to 64.1% over three months, a positive but modest improvement. At this rate it will take another 8 months to reach the 80% target. To accelerate, consider implementing security admin policies as part of the standard onboarding template for new tenants.

View DAX Query - Security Admin Trend Over Time 
EVALUATE
SUMMARIZECOLUMNS(
    BI_Microsoft_DirectoryRoles[snapshot_month],
    "TenantCount", DISTINCTCOUNT(BI_Microsoft_DirectoryRoles[tenant_id]),
    "Global AdminCoverage", DIVIDE(CALCULATE(COUNTROWS(BI_Microsoft_DirectoryRoles), BI_Microsoft_DirectoryRoles[global_admin_enabled] = TRUE()), COUNTROWS(BI_Microsoft_DirectoryRoles))
)
ORDER BY BI_Microsoft_DirectoryRoles[snapshot_month] ASC
4.0
Security Risk Assessment
Evaluating tenant risk by compliance gaps and vulnerability severity.
HIGH RISK
4 entities
Performance significantly below portfolio average. Immediate action required.
MODERATE RISK
7 entities
Performance below target but stable. Review within 2 weeks.
LOW RISK
12 entities
Performance above target level. Standard monitoring sufficient.
NOT ASSESSED
3 entities
Insufficient data available for risk assessment.

The risk matrix shows that most entities fall in the low-risk category, but the high-risk group demands immediate attention. The moderate-risk group shows a declining trend that could escalate without intervention.

5.0
Finding Detail by Severity
Granular breakdown of security findings.
CategoryItemsPrimarySecondaryStatus
Category A23494.2%14Healthy
Category B18789.3%20Review
Category C15691.7%13Healthy
Category D9886.7%13Review
Category E6782.1%12At Risk
Category F4595.6%2Healthy

The detailed breakdown shows clear performance differences. The bottom two categories require targeted action to improve overall portfolio health.

6.0
Security Posture Overview
Portfolio-wide security compliance indicators.
92.4% health score
Portfolio Health
87.3% of 100%
Coverage
23 action items
Open Items

Overall portfolio health is strong at 92.4%, but the 87.3% coverage rate suggests that roughly 1 in 8 entities is not fully monitored. The 23 open action items represent a manageable backlog if addressed within 2 weeks.

7.0
Key Findings
!

Performance Gap Requires Attention

The gap between top and bottom performers is wider than expected. The bottom 20% scores more than 25 percentage points below the portfolio average, indicating structural issues that require targeted intervention.

!

Declining Trend in Moderate Risk Group

Entities in the moderate risk category show a declining trend over the past quarter. Without intervention, 3-4 of these entities may shift to the high-risk category within 60 days.

Top Performers Remain Consistent

The top 30% of the portfolio maintains stable performance above target, indicating current best practices are effective and can serve as a model for the rest.

8.0
Strategic Recommendations

1. Conduct a targeted review of all high-risk entities within 2 weeks. Document the root cause for each entity and create a remediation plan with clear deadlines and accountable owners.

2. Implement automated monitoring for the moderate-risk group. Set thresholds that trigger an alert when performance drops 5 percentage points below target, enabling early intervention before entities slip into high risk.

3. Schedule this report monthly as part of the QBR process. Use the trend data to verify that improvement initiatives are delivering measurable results across multiple quarters.

9.0
Frequently Asked Questions
What is Global Admin?

Global Admin is a security control in Microsoft 365 that helps protect tenant resources. It should be enabled for all users in production tenants.

How often is directory roles data refreshed?

Directory roles data syncs daily from the Microsoft Graph API. Changes typically appear within 24 hours.

What is a good global admin target?

Best practice is 100% coverage for global admin. At minimum, 95% coverage should be the target for all managed tenants.

How do we remediate directory roles gaps?

Start with the lowest-coverage tenants and apply baseline directory roles policies. Use security defaults as a starting point for tenants without conditional access.

Proxuma Power BI · AI-Generated Power BI Report · proxuma.io/powerbi Generated in < 15 minutes via MCP · April 2026
Related Reports
Security
M365 Lighthouse Delegated Privilege Compliance
Analysis and reporting on delegated privilege compliance - gdap relationships for managed service providers.
Read report Security
Microsoft 365 Audit Log Monitor
Detection and analysis of unauthorized configuration changes across your managed tenant estate.
Read report Security
Security Risk Score per Client: Composite Scoring from RMM Alerts, Device Health, and SLA Data
Which clients carry the most security risk, what is driving that risk, and where you should focus remediation first. Gen
Read report Security
Ai Privacy Compliance Guide
Read report Security
Security Overview
Power BI Analysis Report — Generated March 08, 2026
Read report Backup
N-able Cove Cove vs Datto Backup Comparison
Analysis and reporting on cove vs datto backup comparison for managed service providers.
Read report

Generate this report from your own data

Connect Proxuma Power BI to your PSA, RMM, and M365 environment, use an MCP-compatible AI to ask questions, and generate custom reports - in minutes, not days.

See more reports Get started