Is it really best practice to have zero permanent active admin roles (except for break glass)?

In Plan a Privileged Identity Management deployment - Azure AD - Microsoft Entra | Microsoft Learn the following is advised:

"We recommend you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role."

What I don't understand here is what happens with notifications which are sent to admin roles, e.g. the PIM weekly digest: do I receive the PIM weekly digest when I'm eligible to have the role, or only when I activate it?

Same goes for Alert Policies. Who receives them if there is no active admin role?

Another question is whether I am generally considered an admin when I'm eligible to have an admin role. For example, SSPR (self-service password reset) is always enabled when you have an admin role. Is it also always enabled when I'm eligible to have an admin role, or only when it's activated?

3 Replies

@Kiril 

The wording seems too strong to have "zero" GAs. I'd interpret this to mean most roles should be managed by PIM whenever possible as a best practice. Only keep the minimum number of permanent Global Admin accounts and review the list regularly.

Any Azure role must be active for the user to be in it or to receive notification of alerts assigned to the role, along with things like SSPR, etc. Eligible accounts won't fit the criteria since they aren't actively in the role (although you can assign some notifications to static email addresses instead of dynamically via the role grant). For practical purposes, there must always be at least one Break-Glass GA, which you could consider the "permanent" activation.

Please like and mark this thread as answered if it's helpful, thanks!

Thank you, Kurt.

I think the Global Admin case is clear, because you should enable the role permanently only for break glass accounts. I am curious to know how full-time admins work with PIM.

For example, if you are a Security Administrator: do you give yourself the role every day for 8 hours, and let it expire in the evening? What about security notifications that you would like to receive during the night? What if the admin accounts don't have inboxes?

@Kiril 

Best practice would certainly be for admin accounts to have reachable email, not only for notifications but for MFA and SSPR, etc. If needed, set static email addresses in the alerts to go to a shared mailbox, so they are being received.

For "full-time" admins who perform elevated work in the tenant regularly, this is a case where giving a permanent grant makes sense for simplicity. Take steps like enabling Security Defaults or requiring MFA to mitigate risk.

Require MFA for administrators with Conditional Access - Azure Active Directory - Microsoft Entra | ...

For contractors or "temporary admins" who only need the rights for a shorter duration, this is where PIM shines. Perhaps increase the duration from the default 8 hours if there's justifiable reason for it, like if the project will go on for longer so they don't need to request reauthorization quite so frequently.

Configure Azure AD role settings in PIM - Azure AD - Microsoft Entra | Microsoft Learn

Please like and mark this thread as answered if it's helpful, thanks!
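An added example, not from this thread or from Microsoft, of the audit check the quoted guidance implies: given the active role assignment instances in the shape Microsoft Graph returns them (roleAssignmentScheduleInstances), flag every permanent active grant except Global Administrator on the designated break-glass accounts, and confirm those accounts still hold it. The sample records, principal ids and non-GA role ids are constructed; the Global Administrator role template id is the well-known Entra value.

```python
"""Audit active role assignment instances against the PIM guidance:
zero permanent active assignments except Global Administrator on the
break-glass accounts. Input objects mirror the fields of Microsoft Graph
roleAssignmentScheduleInstances (principalId, roleDefinitionId,
assignmentType, endDateTime); the records below are constructed."""
from dataclasses import dataclass

# Well-known Entra role template id of Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed: object ids of the two designated break-glass accounts.
BREAK_GLASS_PRINCIPALS = {"bg-0001", "bg-0002"}

# Constructed sample. assignmentType "Assigned" is a standing grant,
# "Activated" is a PIM activation; endDateTime None means it never expires.
SAMPLE_ACTIVE = [
    {"principalId": "bg-0001", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "bg-0002", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    # full-time admin with a standing (permanent) Security Administrator grant
    {"principalId": "user-kiril", "roleDefinitionId": "role-sec-admin",
     "assignmentType": "Assigned", "endDateTime": None},
    # contractor whose PIM activation expires on its own tonight
    {"principalId": "user-contractor", "roleDefinitionId": "role-sec-admin",
     "assignmentType": "Activated", "endDateTime": "2022-11-09T22:00:00Z"},
]


@dataclass(frozen=True)
class Finding:
    principal_id: str
    role_definition_id: str
    reason: str


def _is_permanent(inst):
    return inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None


def audit_permanent_active(instances, break_glass_ids, ga_role_id=GLOBAL_ADMIN_ROLE_ID):
    """Findings for each permanent active grant outside the break-glass exception."""
    findings = []
    for inst in instances:
        if not _is_permanent(inst):
            continue  # time-bound activations are what PIM is for
        pid, rid = inst["principalId"], inst["roleDefinitionId"]
        if pid in break_glass_ids:
            if rid != ga_role_id:
                findings.append(Finding(pid, rid, "break-glass account holds a permanent non-GA role"))
            continue  # permanent GA on break-glass is the sanctioned exception
        findings.append(Finding(pid, rid, "permanent active assignment; convert to eligible"))
    return findings


def missing_break_glass(instances, break_glass_ids, ga_role_id=GLOBAL_ADMIN_ROLE_ID):
    """Break-glass accounts that no longer hold a permanent GA grant."""
    covered = {i["principalId"] for i in instances
               if i["roleDefinitionId"] == ga_role_id and _is_permanent(i)}
    return sorted(break_glass_ids - covered)
```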