I'm trying to remove most users from the Azure AD Global Admin role in favor of dedicated admin accounts and/or using something like PIM.
My question is: if a user granted permissions for an Enterprise App, created a security token for app registrations, or did some other process that required the admin privilege they had at that time, will removing them as a global admin and leaving them as a normal user break the things they set up in the past?
My initial guess is no, since PIM makes it so you don't always have the admin permissions. But it could be that it doesn't break because you always have the role, just in an eligible state when you aren't using it, instead of not having it at all.
This all came up in part because I'm working on moving to Microsoft Endpoint Manager and trying to make it so no one logs in as a local admin with their daily-use account. On Azure AD joined devices, Global Admins are local admins and I can't seem to change that. So I feel like this is a good push to be better about how we use the Global Admin role. Being on a small team of 3 made it easy to just say "use global admin" since we all have to do a bit of everything.
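Before pulling Global Admin from anyone, it helps to inventory what the tenant-wide consents and app registrations actually depend on. The script below is an added example (not from the post above) that lists admin-consented enterprise app grants and, for each app registration, its owners and live credentials; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has read access to applications and the directory.

```powershell
# Added audit script (not part of the original post). Assumes the
# Microsoft.Graph PowerShell SDK is installed and the caller can read
# application and directory data.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# 1. Tenant-wide consents on enterprise apps. ConsentType 'AllPrincipals'
#    is the admin-consent case; the grant object is owned by the tenant,
#    not by the account that clicked "consent".
$adminConsents = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' }

foreach ($g in $adminConsents) {
    $client   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [pscustomobject]@{
        App      = $client.DisplayName
        Resource = $resource.DisplayName
        Scopes   = "$($g.Scope)".Trim()
    }
}

# 2. App registrations: who owns each one and which secrets/certificates are
#    still valid. Owners (not the Global Admin role) are what lets a non-admin
#    keep rotating secrets, so every registration that matters should end up
#    with at least one owner that survives the cleanup.
$now = Get-Date
foreach ($app in Get-MgApplication -All) {
    $owners  = Get-MgApplicationOwner -ApplicationId $app.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    $liveCreds = @($app.PasswordCredentials) + @($app.KeyCredentials) |
        Where-Object { $_.EndDateTime -gt $now }
    [pscustomobject]@{
        App        = $app.DisplayName
        Owners     = ($owners -join ', ')
        LiveCreds  = @($liveCreds).Count
        NextExpiry = ($liveCreds | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
    }
}
```

Registrations with no owners, or consents whose scopes nobody on the team recognizes, are the ones to sort out before the role change rather than after.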