Blog Post

Core Infrastructure and Security Blog

5 MIN READ

Protect Tier 1. Sleep well at Night.

DagmarHeidecker

Microsoft

May 29, 2025

As you obviously enjoyed our article about Protecting Tier 0 the modern way (thanks for all the comments and feedback!), it is time for the next step: Protecting Tier 1. Different Tier, different challenges.

In case you have not yet protected Tier 0, consider reviewing our article about protecting Tier 0 the modern way. Tier 1 is more difficult to outline as there are typically different security ...

Updated May 30, 2025

Version 3.0

active direcory

Active Directory (AD)

DagmarHeidecker

JIT

Just in Time (JIT)

Tiered Administration

DagmarHeidecker

Microsoft

Joined January 02, 2019

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

Bastien Perez

Brass Contributor

Sep 13, 2025

If a T2 admin (compromised or not) created the T1 group before the JIT solution was in place, there could be a case where they can still add or remove users at will, leading to privilege escalation. Even if TTL members are removed, non-TTL users they added would persist.

There should also be safeguards like resetting ACLs and verifying/removing the group owner and the “managed by” field to prevent this scenario.

I haven’t read all the code yet, so maybe this case is already handled or impossible, but it might be worth mentioning it.