Forum Discussion
Is it really best practice to have zero permanent active admin roles (except for break glass)?
The wording seems too strong to have "zero" GAs. I'd interpret this to mean most roles should be managed by PIM whenever possible as a best practice. Only keep the minimum number of permanent Global Admin accounts and review the list regularly.
Any Azure role must be active for the user to be in it or to receive notification of alerts assigned to the role, along with things like SSPR, etc. Eligible accounts won't fit the criteria since they aren't actively in the role (although you can assign some notifications to static email addresses instead of dynamically via the role grant). For practical purposes, there must always be at least one Break-Glass GA, which you could consider the "permanent" activation.
Please like and mark this thread as answered if it's helpful, thanks!
- Kiril, Nov 10, 2022, Steel Contributor: Thank you, Kurt.
I think the Global Admin case is clear, because you should enable the role permanently only for break glass accounts. I am curious to know how full-time admins work with PIM.
For example, if you are a Security Administrator: do you give yourself the role every day for 8 hours, and let it expire in the evening? What about security notifications that you would like to receive during the night? What if the admin accounts don't have inboxes?
- KurtBMayer, Nov 11, 2022, Steel Contributor:
Best practice would certainly be for admin accounts to have reachable email, not only for notifications but for MFA and SSPR, etc. If needed, set static email addresses in the alerts to go to a shared mailbox, so they are being received.
For "full-time" admins who perform elevated work in the tenant regularly, this is a case where giving a permanent grant makes sense for simplicity. Take steps like enabling Security Defaults or requiring MFA to mitigate risk.
For contractors or "temporary admins" who only need the rights for a shorter duration, this is where PIM shines. Perhaps increase the duration from the default 8 hours if there's justifiable reason for it, like if the project will go on for longer so they don't need to request reauthorization quite so frequently.
Configure Azure AD role settings in PIM - Azure AD - Microsoft Entra | Microsoft Learn
Please like and mark this thread as answered if it's helpful, thanks!
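As an added example (not code from either poster in the thread), the following PowerShell script uses the Microsoft Graph PowerShell SDK to put the two replies into practice: it lists who holds Global Administrator as a permanent assignment, as a PIM activation, or only as an eligible assignment, warns when the permanent count exceeds the break-glass allowance, and shows how an eligible admin self-activates a role for an explicit duration with a justification. The break-glass allowance of two, the 8-hour activation duration, the Security Administrator lookup, and the justification text are assumptions for the example; the Global Administrator template ID is the well-known built-in value.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph SDK modules
# Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users, and a delegated
# sign-in (the activation step uses the signed-in account as the principal).
param(
    [int]$MaxPermanentGA = 2,             # assumed: two break-glass accounts
    [string]$ActivationDuration = "PT8H"  # assumed: ISO 8601 duration, the PIM default
)

Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read"

# Well-known template ID of the built-in Global Administrator directory role.
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

function Get-PrincipalName($principal) {
    # Expanded principals come back as directory objects; users carry a UPN,
    # groups and service principals only a display name.
    $props = $principal.AdditionalProperties
    if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
}

function Get-GlobalAdminAssignments {
    # Active schedules cover both permanent grants and current PIM activations.
    # A permanent grant is AssignmentType 'Assigned' with no expiration; a PIM
    # activation shows as 'Activated' and carries an expiry time.
    $active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
        -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty principal -All
    foreach ($a in $active) {
        $isPermanent = ($a.AssignmentType -eq 'Assigned') -and
                       ($a.ScheduleInfo.Expiration.Type -eq 'noExpiration')
        [pscustomobject]@{
            Principal  = Get-PrincipalName $a.Principal
            MemberType = $a.MemberType                       # Direct, or via a Group
            Kind       = if ($isPermanent) { 'Permanent' } else { 'PIM-activated' }
            ExpiresAt  = $a.ScheduleInfo.Expiration.EndDateTime
        }
    }

    # Eligible schedules are not active: these principals are not in the role
    # until they activate, so role-targeted alerts do not reach them.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty principal -All
    foreach ($e in $eligible) {
        [pscustomobject]@{
            Principal  = Get-PrincipalName $e.Principal
            MemberType = $e.MemberType
            Kind       = 'Eligible'
            ExpiresAt  = $e.ScheduleInfo.Expiration.EndDateTime
        }
    }
}

# 1. Audit: the permanent list should be the break-glass accounts and nothing else.
$report = Get-GlobalAdminAssignments
$report | Sort-Object Kind, Principal | Format-Table -AutoSize

$permanent = @($report | Where-Object Kind -eq 'Permanent')
if ($permanent.Count -gt $MaxPermanentGA) {
    Write-Warning ("{0} permanent Global Administrator assignments; expected at most {1} (break-glass). Review: {2}" -f
        $permanent.Count, $MaxPermanentGA, ($permanent.Principal -join ', '))
}

# 2. Activation: how a full-time admin with an eligible assignment takes the role
#    for a bounded window. The role settings in PIM cap the duration you may request.
function Invoke-RoleActivation {
    param(
        [Parameter(Mandatory)] [string]$RoleDefinitionId,
        [Parameter(Mandatory)] [string]$Justification,
        [string]$Duration = $ActivationDuration
    )
    $me = Get-MgUser -UserId (Get-MgContext).Account -Property Id
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
        -Action "selfActivate" `
        -PrincipalId $me.Id `
        -RoleDefinitionId $RoleDefinitionId `
        -DirectoryScopeId "/" `
        -Justification $Justification `
        -ScheduleInfo @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "AfterDuration"; Duration = $Duration }
        }
}

# Example call (assumed role name and constructed justification):
# $secAdminId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'").Id
# Invoke-RoleActivation -RoleDefinitionId $secAdminId -Justification "Daily SOC shift: triage of Defender alerts"
```

Run the audit part on a schedule and diff the permanent list against the documented break-glass accounts; any new permanent Global Administrator is worth a ticket. If the role settings in PIM require approval or MFA on activation, the request created by `Invoke-RoleActivation` will sit in a pending state until those conditions are met, so check its `Status` property rather than assuming the role is live.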