Forum Discussion

Kiril
Steel Contributor
Nov 09, 2022

Is it really best practice to have zero permanent active admin roles (except for break glass)?

In "Plan a Privileged Identity Management deployment" (Azure AD / Microsoft Entra, Microsoft Learn) the following is advised:

"We recommend you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role."

What I don't understand here is what happens with notifications that are sent to admin roles, e.g. the PIM weekly digest: do I receive the PIM weekly digest when I'm eligible to have the role, or only when I activate it?

Same goes for Alert Policies. Who receives them if there is no active admin role?

Another question is whether I am generally considered an admin when I'm eligible to have an admin role. For example, SSPR (self-service password reset) is always enabled when you have an admin role. Is it also always enabled when I'm eligible to have an admin role, or only when it's activated?

  • KurtBMayer
    Steel Contributor

    Kiril

    The wording seems too strong to have "zero" GAs. I'd interpret this to mean most roles should be managed by PIM whenever possible as a best practice. Only keep the minimum number of permanent Global Admin accounts and review the list regularly.

    Any Azure role must be active for the user to be in it or to receive notification of alerts assigned to the role, along with things like SSPR, etc. Eligible accounts won't fit the criteria since they aren't actively in the role (although you can assign some notifications to static email addresses instead of dynamically via the role grant). For practical purposes, there must always be at least one Break-Glass GA, which you could consider the "permanent" activation.

    Please like and mark this thread as answered if it's helpful, thanks!

    • Kiril
      Steel Contributor
      Thank you, Kurt.

      I think the Global Admin case is clear, because you should enable the role permanently only for break glass accounts. I am curious to know how full-time admins work with PIM.

      For example, if you are a Security Administrator, do you give yourself the role every day for 8 hours and let it expire in the evening? What about security notifications that you would like to receive during the night? What if the admin accounts don't have inboxes?
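The distinction Kurt draws above (an eligible assignment is not an active one, and only a permanent active assignment is "standing" access) is exactly what the recommended regular review has to look for. The following is an added example, not code from the thread or from Microsoft: it reads every directory role assignment schedule from the Microsoft Graph v1.0 endpoint, keeps only the permanently active ones (assignmentType `Assigned` with expiration type `noExpiration`), and flags any that are not on a break-glass list. PIM activations (`Activated`, always time-bound) and eligible assignments never appear, because they are not standing access. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has consented to `RoleManagement.Read.Directory`, and that the two UPNs in `$breakGlass` are placeholders to be replaced with your own emergency-access accounts.

```powershell
# Added example (not from the thread): report permanently active Entra directory
# role assignments and flag the ones that are not expected break-glass accounts.
# Assumes Microsoft.Graph PowerShell SDK and the RoleManagement.Read.Directory scope.

function Get-PermanentActiveRoleAssignment {
    param(
        # Items from GET /roleManagement/directory/roleAssignmentSchedules,
        # requested with $expand=principal,roleDefinition.
        [Parameter(Mandatory)] [object[]] $Schedules,
        [string[]] $BreakGlassUpns = @()
    )
    foreach ($s in $Schedules) {
        # 'Assigned'  = a direct active assignment (may still be time-bound)
        # 'Activated' = a PIM activation of an eligible assignment, always time-bound
        # Only 'Assigned' with no expiration is standing access.
        $permanent = ($s.assignmentType -eq 'Assigned') -and
                     ($s.scheduleInfo.expiration.type -eq 'noExpiration')
        if (-not $permanent) { continue }

        $upn = $s.principal.userPrincipalName   # $null for groups and service principals
        [pscustomobject]@{
            Role         = $s.roleDefinition.displayName
            Principal    = if ($upn) { $upn } else { $s.principal.displayName }
            PrincipalId  = $s.principalId
            MemberType   = $s.memberType        # 'Direct' or 'Group' (role-assignable group)
            IsBreakGlass = [bool]($upn -and ($BreakGlassUpns -contains $upn))
        }
    }
}

# --- Live run against the tenant -------------------------------------------
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

$uri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSchedules' +
       '?$expand=principal,roleDefinition'
$schedules = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $schedules += $page.value
    $uri = $page.'@odata.nextLink'   # follow server-side paging until exhausted
} while ($uri)

# Placeholder break-glass accounts (assumption); replace with your own.
$breakGlass = @('breakglass1@contoso.onmicrosoft.com',
                'breakglass2@contoso.onmicrosoft.com')

$standing = Get-PermanentActiveRoleAssignment -Schedules $schedules -BreakGlassUpns $breakGlass
$standing | Sort-Object Role, Principal | Format-Table Role, Principal, MemberType, IsBreakGlass

$unexpected = @($standing | Where-Object { -not $_.IsBreakGlass })
if ($unexpected.Count -gt 0) {
    $msg = '{0} permanent active assignment(s) outside the break-glass list; ' +
           'convert them to PIM-eligible or time-bound assignments.'
    Write-Warning ($msg -f $unexpected.Count)
}
```

Anything listed with `IsBreakGlass = False` is standing privilege that the quoted guidance says should not exist; the expected result in a tenant that follows it is two rows, both Global Administrator, both break-glass. Group rows (`MemberType = Group`) are worth a second look, since the members of a role-assignable group inherit the permanent assignment without appearing here as users. The same loop run against `roleEligibilitySchedules` shows the eligible side, which is where the day-to-day admins from this thread should end up.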
