SOLVED

no full time global admin privileges

Brass Contributor

Is it commonplace, or even a formal Microsoft recommendation, to not have any of your IT support admin accounts as permanent members of the global admins role in AAD? And rather to delegate them more fine-grained access permissions based on their requirements?

Or practically speaking is there a need for global admin permissions in resolving issues etc in AAD/365 on say a daily basis? I was just analysing the role assignments report in AAD and the only accounts permanently in global admins were break glass accounts, and other admins are given different privileges roles but do not permanently reside in global admins which I hadn’t seen before – so I wondered if this is official guidance? I know Microsoft had similar advice about trying to avoid giving people permanent domain admin rights if at all possible so I presume this is similar thinking. I just wanted to see how practical it is to follow. 

1 Reply
best response confirmed by CB1 (Brass Contributor)
Solution

Hi @CB1,

Regarding Microsoft's formal recommendations, it is advised not to have IT support admin accounts permanently assigned to the global admins role in Azure Active Directory (AAD).

This aligns with the principle of least privilege, which emphasizes granting administrators only the necessary permissions for their tasks. Microsoft suggests limiting the Global Administrator role to fewer than five individuals and creating dedicated user accounts with admin roles in AAD. These privileged accounts should be used exclusively for administrative tasks.

Microsoft also advocates the use of Privileged Identity Management (PIM) to grant just-in-time access to administrators. PIM allows users to be eligible for an AAD role and activate it for a limited time as needed. This ensures that privileged access is automatically revoked when the specified timeframe expires.

While this approach may require occasional switching between everyday user and administrator accounts, the benefits, such as reducing the attack surface and limiting potential risks in case of a security compromise, outweigh the inconvenience.

Best practices for Microsoft Entra roles - Microsoft Entra ID | Microsoft Learn
Step 1. Determine your cloud identity model - Microsoft 365 Enterprise | Microsoft Learn
Step 2. Protect your Microsoft 365 privileged accounts - Microsoft 365 Enterprise | Microsoft Learn
Secure access practices for administrators in Microsoft Entra ID - Microsoft Entra ID | Microsoft Le...

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
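An added example, not part of the thread, that audits the distinction the answer draws: it lists standing Global Administrator assignments separately from PIM-eligible ones and flags the count against the fewer-than-five guidance. It assumes the Microsoft.Graph PowerShell SDK (including the Microsoft.Graph.Identity.Governance module) is installed and the signed-in account can read role management data.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# with the Identity.Governance module, and a signed-in account allowed to read role management.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Resolve the Global Administrator role definition by name instead of hard-coding its template id.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$roleFilter = "roleDefinitionId eq '$($gaRole.Id)'"

# Active schedules cover both permanent assignments and PIM roles that are activated right now;
# AssignmentType and the expiration type tell them apart.
$activeSchedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $roleFilter -All
$permanent = $activeSchedules | Where-Object {
    $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration'
}
$activated = $activeSchedules | Where-Object { $_.AssignmentType -eq 'Activated' }

# Eligible schedules are PIM just-in-time grants: no rights until the user activates.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $roleFilter -All

function Resolve-PrincipalName {
    param([string]$PrincipalId)
    try { (Get-MgDirectoryObject -DirectoryObjectId $PrincipalId).AdditionalProperties['displayName'] }
    catch { $PrincipalId }   # fall back to the raw object id if it cannot be read
}

Write-Host "Permanent Global Administrator assignments (expected: break-glass accounts only): $(@($permanent).Count)"
foreach ($p in $permanent) { Write-Host ("  " + (Resolve-PrincipalName $p.PrincipalId)) }

Write-Host "Currently activated via PIM: $(@($activated).Count)"
foreach ($a in $activated) { Write-Host ("  " + (Resolve-PrincipalName $a.PrincipalId) + "  expires " + $a.ScheduleInfo.Expiration.EndDateTime) }

Write-Host "PIM-eligible (just-in-time) Global Administrators: $(@($eligible).Count)"
foreach ($e in $eligible) { Write-Host ("  " + (Resolve-PrincipalName $e.PrincipalId)) }

# Guidance cited in the answer: fewer than five people should hold Global Administrator.
$totalHolders = @($permanent).Count + @($eligible).Count
if ($totalHolders -ge 5) {
    Write-Warning "$totalHolders accounts can hold Global Administrator; review whether each one still needs it."
}
```

Run it periodically and compare against the expected break-glass list; any new name under the permanent heading is worth a ticket.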
