Forum Discussion
Is it really best practice to have zero permanent active admin roles (except for break glass)?
I think the Global Admin case is clear, because you should enable the role permanently only for break glass accounts. I am curious to know how full-time admins work with PIM.
For example, if you are a Security Administrator: do you give yourself the role every day for 8 hours and let it expire in the evening? What about security notifications that you would like to receive during the night? What if the admin accounts don't have inboxes?
Best practice would certainly be for admin accounts to have reachable email, not only for notifications but for MFA and SSPR, etc. If needed, set static email addresses in the alerts to go to a shared mailbox, so they are being received.
For "full-time" admins who perform elevated work in the tenant regularly, this is a case where giving a permanent grant makes sense for simplicity. Take steps like enabling Security Defaults or requiring MFA to mitigate risk.
For contractors or "temporary admins" who only need the rights for a shorter duration, this is where PIM shines. Perhaps increase the duration from the default 8 hours if there's justifiable reason for it, like if the project will go on for longer so they don't need to request reauthorization quite so frequently.
Configure Azure AD role settings in PIM - Azure AD - Microsoft Entra | Microsoft Learn
Please like and mark this thread as answered if it's helpful, thanks!
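The two assignment types the reply contrasts (a permanent active assignment for a full-time admin, a time-boxed eligible assignment for a contractor, plus a longer per-activation limit for that role) as an added Microsoft Graph PowerShell example. This is not code from the thread or from Microsoft's documentation; it assumes the Microsoft.Graph.Identity.Governance module, a tenant with Entra ID P2 licensing, and placeholder user principal names and dates that you would replace with your own.

```powershell
# Added example, not part of the original thread. Assumes Microsoft Graph PowerShell
# (Microsoft.Graph.Identity.Governance) and Entra ID P2. UPNs and dates are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", `
                        "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

# Resolve the role by display name instead of hard-coding a template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# 1. Full-time admin: permanent *active* assignment (the "simplicity" case in the reply).
$fullTimeAdmin = Get-MgUser -UserId "adm-jdoe@contoso.com"   # placeholder UPN
$permanent = @{
    action           = "adminAssign"
    justification    = "Full-time security admin; permanent active assignment"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                   # tenant-wide scope
    principalId      = $fullTimeAdmin.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $permanent

# 2. Contractor: *eligible* only, and the eligibility itself ends with the engagement,
#    so nothing needs to be cleaned up when the project closes.
$contractor = Get-MgUser -UserId "ctr-asmith@contoso.com"    # placeholder UPN
$eligible = @{
    action           = "adminAssign"
    justification    = "Contractor; eligible for the duration of the project"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $contractor.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = (Get-Date "2025-12-31T23:59:59Z")  # placeholder project end
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# 3. Raise this role's per-activation limit above the 8-hour default.
#    PIM caps a single activation at 24 hours; anything longer is handled by
#    staying eligible (step 2) and re-activating, not by a longer activation.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$rule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT12H"                           # ISO 8601 duration, max PT24H
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
    -BodyParameter $rule
```

Step 3 changes the role-level policy, so it applies to everyone eligible for Security Administrator in the tenant, not just the contractor; if only one person needs the longer window, a separate custom role with its own policy is the cleaner option. MFA for the permanent assignment in step 1 is enforced separately, through Security Defaults or a Conditional Access policy, as the reply notes.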