Forum Discussion
Is PIM any good?
All valid concerns/points. The JIT/JEA principles (should) apply regardless of whether you are using a single or multiple accounts per admin, so in that respect a solution such as PIM still adds benefits. But as you correctly pointed out in the second bullet, nothing in this scenario makes it inherently more secure than having two separate accounts that conform with JIT/JEA principles. In fact, having separate accounts allows you to target the "admin" one with more secure policies/settings, which usually have a negative impact on productivity scenarios and might be avoided otherwise. Not to mention the increased attack surface for accounts that have services such as Email/Teams enabled.
And yes, there is the marketing story here, apart from the generic security guidance. And some of it is blurred, as one can argue that not all admin roles should be treated the same. Guidance usually focuses on GAs only; for example, the "secure admin accounts" article only mentions separate accounts in the context of a Global admin, even though there are some other roles that have comparable permissions. On the other hand, even a "read only" admin account can cause a lot of trouble if compromised, so we can also make the argument that each and every role should be protected, with a separate account, MFA and PIM, etc... and people start complaining.
At the end of the day, those are all generic recommendations, which might or might not be the best advice for your specific organization. I'd definitely recommend going for PIM if you can afford it, regardless of whether you plan on using a single or multiple accounts per admin, as it adds additional controls and flexibility. Then again, you might not need things like additional approvals before activating a role, for example, so take any such advice with a grain of salt.
On the group front, this is done mostly for convenience. Microsoft has made sure that the scenario is secure, i.e. only role-assignable groups can be used, you cannot nest groups, etc. Still, it does open the gate for potential undesired elevation, however unlikely it is to happen. Plus, you should always aim to minimize the number of admins to begin with, so having to manage direct assignments to 2-3 GAs instead of a single group hardly makes a difference... but your mileage will vary. Oh, and of course it's a paid feature, which might explain why you get recommendations like that :D