Forum Discussion
no full time global admin privileges
- Dec 12, 2023
Hi CRIB111,
According to Microsoft's formal recommendations, it is advised not to have IT support admin accounts permanently assigned to the Global Admins role in Azure Active Directory (AAD).
This aligns with the principle of least privilege, which emphasizes granting administrators only the necessary permissions for their tasks. Microsoft suggests limiting the Global Administrator role to fewer than five individuals and creating dedicated user accounts with admin roles in AAD. These privileged accounts should be used exclusively for administrative tasks.
Microsoft also advocates the use of Privileged Identity Management (PIM) to grant just-in-time access to administrators. PIM allows users to be eligible for an AAD role and activate it for a limited time as needed. This ensures that privileged access is automatically revoked when the specified timeframe expires.
While this approach may require occasional switching between everyday user and administrator accounts, the benefits, such as reducing the attack surface and limiting potential risks in case of a security compromise, outweigh the inconvenience.
Best practices for Microsoft Entra roles - Microsoft Entra ID | Microsoft Learn
Step 1. Determine your cloud identity model - Microsoft 365 Enterprise | Microsoft Learn
Step 2. Protect your Microsoft 365 privileged accounts - Microsoft 365 Enterprise | Microsoft Learn
Secure access practices for administrators in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
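The PIM flow described in the reply above (find who holds Global Administrator permanently, replace the standing assignment with an eligible one, then activate it just-in-time with automatic expiry) as an added Microsoft Graph PowerShell example. This is not code from the original post or from Microsoft; it assumes the current Microsoft.Graph SDK modules and a Microsoft Entra ID P2 (PIM) licence, and the account name and justification strings are placeholders to replace.

```powershell
# Added example, not part of the original post.
# Assumes: Microsoft.Graph PowerShell SDK modules below are installed, the signed-in
# account can manage role assignments, and the tenant is licensed for PIM (Entra ID P2).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Template ID of the built-in Global Administrator role; it is the same in every tenant.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

# 1. Audit: who holds Global Administrator as a standing (permanent) assignment?
#    Role assignment schedules list active assignments only. Eligible-but-not-activated
#    PIM users do not appear here; PIM activations appear with AssignmentType 'Activated'.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'" |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' }

$standingCount = ($permanent | Select-Object -ExpandProperty PrincipalId -Unique).Count
Write-Host "Principals with permanent Global Administrator: $standingCount"
if ($standingCount -ge 5) {
    Write-Warning "More than the recommended fewer-than-five permanent Global Administrators."
}

# 2. The dedicated admin account to move from permanent to just-in-time access (placeholder UPN).
$adminUpn = "admin-jdoe@contoso.example"
$admin    = Get-MgUser -UserId $adminUpn

# 3. Grant an eligible assignment. Eligibility itself does not expire, but it confers no
#    privilege until the admin activates it, and every activation is time-boxed (step 5).
$eligibleRequest = @{
    action           = "adminAssign"
    justification    = "Move IT support admin from permanent to just-in-time Global Administrator"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"                       # tenant-wide scope
    principalId      = $admin.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibleRequest

# 4. Remove the standing assignment for that account, so PIM activation is the only path to the role.
foreach ($s in ($permanent | Where-Object PrincipalId -eq $admin.Id)) {
    $removeRequest = @{
        action           = "adminRemove"
        justification    = "Replaced by PIM eligible assignment"
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = "/"
        principalId      = $admin.Id
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $removeRequest
}

# 5. What the admin runs later, signed in as the dedicated admin account, to activate the role
#    for two hours. When PT2H elapses the assignment is removed automatically; nobody has to
#    remember to revoke it. Depending on the PIM role settings, activation may additionally
#    require MFA, approval, or ticket information; the justification below is a placeholder.
$activateRequest = @{
    action           = "selfActivate"
    justification    = "Reset MFA for a locked-out user (placeholder justification)"
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = "/"
    principalId      = $admin.Id                 # must be the signed-in user's own object ID
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activateRequest
```

Run step 1 on its own first: it is read-only and shows how far the tenant is from the fewer-than-five guidance. Steps 3 and 4 are ordered so the account never loses access entirely; the eligibility exists before the permanent assignment is removed. Keep at least one emergency-access ("break glass") account outside PIM, as the linked Microsoft guidance recommends, so a PIM or Conditional Access misconfiguration cannot lock every administrator out.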