Hey everyone! I'm setting up a test environment for PIM (Privileged Identity Management) and I've got a quick question about admin accounts. My IT team consists of 6 members, and we all have separate cloud admin accounts for managing tasks around Entra. I've set up PIM for certain roles, but these accounts aren't licensed, meaning we can't do anything unless we activate the PIM role.
I'm aiming for a least privilege approach when it comes to permissions, which raises my question: should I create separate admin accounts for tasks like user creation and password resets, or can I just use our standard daily accounts? One problem I've encountered is with the approval flow; since our admin accounts don't have mailboxes, the approval emails don't get sent anywhere. Any advice on how to optimize this setup would be greatly appreciated! Thanks!
1 Answer
From what I've seen, using separate accounts is definitely the way to go. It allows you to better manage permissions and is more straightforward for auditing purposes, helping to distinguish actions taken by regular users from admins. Just keep in mind that if an attacker gets hold of your token, they could potentially activate the PIM role and gain high-level permissions. So, separate accounts can really reduce that risk.

Thanks for this, I think I'll stick with separate accounts too. It makes sense to minimize the risk of lateral movement when accounts get compromised. I'll also check out the suggestions about approval email routing!
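As an added example (not code from the thread), a read-only Microsoft Graph PowerShell audit that lists which accounts are PIM-eligible for which role and whether they carry a mail attribute, then shows who the activation notification rules for one role are addressed to, which is where the missing approval emails would show up. The role name 'User Administrator' is a placeholder, and reading rule-type-specific fields from `AdditionalProperties` is an assumption about the SDK's object shape.

```powershell
# Added example: audit PIM-eligible accounts and approval-notification rules.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller may
# read role eligibility, role-management policies and users (read-only scopes).
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                        'RoleManagementPolicy.Read.Directory',
                        'User.Read.All'

# 1. Every eligible (PIM) assignment with the principal's mail attribute and
#    licence count, so eligible admin accounts without a mailbox stand out.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All | ForEach-Object {
    if (-not $roleNames.ContainsKey($_.RoleDefinitionId)) {
        $roleNames[$_.RoleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
    # Groups can also be eligible; this audit only resolves user principals.
    $u = Get-MgUser -UserId $_.PrincipalId -ErrorAction SilentlyContinue `
         -Property 'userPrincipalName,mail,assignedLicenses'
    [pscustomobject]@{
        Role      = $roleNames[$_.RoleDefinitionId]
        Principal = if ($u) { $u.UserPrincipalName } else { $_.PrincipalId }
        HasMail   = if ($u) { [bool]$u.Mail } else { $false }
        Licences  = if ($u) { @($u.AssignedLicenses).Count } else { 0 }
    }
} | Sort-Object Role, Principal | Format-Table -AutoSize

# 2. Who the activation (EndUser_Assignment) notifications for one role go to.
#    'User Administrator' is a placeholder; use the role you enabled in PIM.
$roleId = (Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'").Id
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'").PolicyId
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Where-Object { $_.Id -like 'Notification_*_EndUser_Assignment' } |
    ForEach-Object {
        # Rule-type-specific fields are read from AdditionalProperties (assumption).
        $p = $_.AdditionalProperties
        [pscustomobject]@{
            Rule              = $_.Id
            RecipientType     = $p['recipientType']
            DefaultRecipients = $p['isDefaultRecipientsEnabled']
            ExtraRecipients   = (@($p['notificationRecipients']) -join ', ')
        }
    } | Format-Table -AutoSize
```

If the Approver rule shows default recipients only and the approvers are mailbox-less admin accounts, adding a monitored address under `notificationRecipients` is the setting to review.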