Users assigned highly privileged roles shall not have permanent permissions

Description

Do not assign users to highly privileged roles using permanent active role assignments. Instead, assign users to eligible role assignments in a PAM/PIM system and set an expiration period on active assignments, so that privileged users must reactivate their highly privileged roles when the assignment expires.

Policy

  • Permanent active role assignments shall not be allowed for highly privileged roles. Active assignments shall have an expiration period.

  • The only exception to the policy is the break-glass Global Administrator account.

Licensing Considerations

Azure AD Premium P2 is required if using Azure AD PIM. It can be purchased standalone or as part of the following bundles:

  • EMS+E5

  • Microsoft 365 E5

Set Up Instructions

Deploy PIM: Plan a Privileged Identity Management deployment - Azure AD - Microsoft Entra | Microsoft Learn

End-User Impact

Level: Low

Impact is limited to users who are eligible for privileged roles, which should be a small number of users in the organization. These users will have to open the Azure AD admin center to activate their roles when needed.

Tips

The emergency break-glass account should be included in the permanent assignments for the Global Administrator role.

PowerShell Scripts

PowerShell for PIM: PowerShell for Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn
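The following script is an added example, not code from the original page or from the Microsoft Learn article linked above. It implements a compliance check for the Policy section and the break-glass exception from the Tips section: it lists every active (not merely eligible) assignment to a set of highly privileged directory roles that has no end date, and skips only the Global Administrator assignment held by the break-glass account. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects modules). The list of role names, the break-glass UPN and the permission scopes are assumptions to adapt to your tenant.

```powershell
# Added example (not from the original page): audit permanent active assignments
# for highly privileged Azure AD / Entra ID roles via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects
# are installed, and the signed-in account can consent to the scopes below.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles treated as "highly privileged" for this check (assumed list; extend as needed).
$PrivilegedRoleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator"
)

# The one permitted permanent Global Administrator: the emergency break-glass account (placeholder UPN).
$BreakGlassUpn = "breakglass@example.onmicrosoft.com"

$findings = foreach ($roleName in $PrivilegedRoleNames) {
    # Resolve the role template by display name rather than hard-coding its ID.
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { continue }

    # Schedule instances describe what is in effect right now for this role.
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All

    foreach ($inst in $instances) {
        # 'Assigned' = active assignment; 'Activated' = an eligible user who activated via PIM.
        if ($inst.AssignmentType -ne 'Assigned') { continue }

        # An active assignment with no end date is a permanent assignment: this is the policy violation.
        if ($null -ne $inst.EndDateTime) { continue }

        $principal = Get-MgDirectoryObject -DirectoryObjectId $inst.PrincipalId
        $upn = $principal.AdditionalProperties["userPrincipalName"]

        # Policy exception: the break-glass account may hold Global Administrator permanently.
        if ($roleName -eq "Global Administrator" -and $upn -eq $BreakGlassUpn) { continue }

        [pscustomobject]@{
            Role        = $roleName
            PrincipalId = $inst.PrincipalId
            Principal   = if ($upn) { $upn } else { $principal.AdditionalProperties["displayName"] }
            MemberType  = $inst.MemberType      # Direct, or Group when assigned through a role-assignable group
            Finding     = "Permanent active assignment (no end date)"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No permanent active assignments found outside the break-glass exception."
}
```

Group-based assignments surface with MemberType "Group"; in that case the principal is the group, so membership of that group needs the same review. Run the check on a schedule and treat any new row as a drift alert, since a permanent assignment can be reintroduced by any Privileged Role Administrator without touching PIM settings.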
