I'm new to my company, and my team just took over identity management. After years of neglect, we've found the system to be quite broken. I have a few questions for the community:
1. In Azure, outside of Global Admins, what do you consider level 1 roles (which we refer to as L1) that are the most essential?
2. How many identities typically hold level 1 roles? I read that it's advisable to keep Global Admin accounts to a maximum of five, but we're quite far from that right now.
3. What security controls do you apply for people with level 1 roles? We're considering YubiKeys and ensuring that only employees can access these accounts as primary controls.
5 Answers
In my experience, L1 roles shouldn't have Global Admin privileges. Roles like Helpdesk Admin, User Admin, and Group Admin should be enough for common L1 tasks, such as password resets and user management. Global Admins should ideally be your engineers or architects, not entry-level roles. If you can, look into Privileged Identity Management (PIM), which allows for temporary elevation of roles. I recommend creating separate admin accounts to minimize risk—your main account should be regular, and then have an elevated admin account as needed.
Thanks for the advice! Just to clarify, when I say L1, I mean those critical security roles, not service desk staff. It looks like I need to adjust my terminology.
Regarding your definition of key roles, Azure doesn't actually have Global Admins; that’s specific to Entra ID. Any role that can modify settings or access critical data in Azure should be prioritized. The most critical roles include Owner, Contributor, and User Access Admin. As for how many identities should have Level 1 roles, you generally want to limit it to essential staff—ideally, no more than five Global Admins. Think about who truly needs those permissions.
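To make the "who actually holds these roles, and are we over five" question concrete, here is an added PowerShell inventory script. It is not from the thread or from Microsoft; it assumes the Microsoft.Graph and Az PowerShell modules are installed, that the caller can read directory roles in Entra ID and has Reader on the subscription in the current Az context, and the threshold of five is the one quoted in the answer above.

```powershell
# Added example (not from the thread): inventory Entra ID Global Administrators
# and Azure RBAC Owner / User Access Administrator assignments, then flag the
# Global Admin count against the "no more than five" guideline.
# Assumes: Microsoft.Graph and Az modules installed; caller holds
# RoleManagement.Read.Directory / Directory.Read.All in Entra ID and Reader on
# the subscription selected by Connect-AzAccount.

param(
    [int]$MaxGlobalAdmins = 5   # threshold quoted in the thread
)

# Pure helper: keeps the threshold logic separate from the tenant calls so it
# can be exercised with any list of names.
function Test-GlobalAdminCount {
    param([string[]]$Members, [int]$Max = 5)
    [pscustomobject]@{
        Count         = $Members.Count
        Max           = $Max
        OverThreshold = $Members.Count -gt $Max
        Members       = $Members
    }
}

function Get-GlobalAdminMembers {
    # Get-MgDirectoryRole lists only *activated* roles; Global Administrator is
    # always activated. PIM-eligible (not yet activated) assignments are NOT
    # returned here, so pair this output with a PIM eligibility review.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        # Members come back as generic directoryObjects; the UPN (for users)
        # sits in AdditionalProperties. Service principals and groups have none.
        $upn = $_.AdditionalProperties['userPrincipalName']
        if ($upn) { $upn } else { "$($_.Id) (non-user principal)" }
    }
}

function Get-AzureControlPlaneAdmins {
    # Owner and User Access Administrator can grant any permission on their
    # scope (including to themselves), so they sit in the same tier as Global
    # Admin. Without -Scope this covers the current subscription context only.
    foreach ($roleName in 'Owner', 'User Access Administrator') {
        Get-AzRoleAssignment -RoleDefinitionName $roleName |
            Select-Object @{ n = 'Role'; e = { $roleName } }, SignInName, ObjectType, Scope
    }
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null
Connect-AzAccount | Out-Null

$result = Test-GlobalAdminCount -Members (Get-GlobalAdminMembers) -Max $MaxGlobalAdmins
if ($result.OverThreshold) {
    Write-Warning "Global Administrators: $($result.Count) (guideline: <= $($result.Max))"
} else {
    Write-Host "Global Administrators: $($result.Count) (within guideline of $($result.Max))"
}
$result.Members | ForEach-Object { Write-Host "  GA: $_" }

Write-Host "`nAzure RBAC Owner / User Access Administrator assignments (current subscription):"
Get-AzureControlPlaneAdmins | Format-Table -AutoSize
```

Run it per subscription (or pass `-Scope` to `Get-AzRoleAssignment` for a management group) and treat the two lists together as the L1 population: a principal that is Owner on a subscription can do as much damage to that subscription as a Global Admin can to the tenant. Group members and non-user principals appear by object id only, so expand groups separately before counting.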
Absolutely—everyday operations generally don't require Global Admin access. It should really be for emergency situations.
Also, ensure you have proper logging to track user activity with these elevated roles. It's crucial for accountability.
An L1 role should definitely be limited to accounts that could potentially cause major issues. This includes Global Admin, VM Administrator, and Billing roles. Try to follow the principle of least privilege. Only give out access that’s truly necessary for someone's job to reduce the risk of accidental damage. Consider tools that allow tracking of sessions for admin access to monitor who’s using the accounts and when.
For break glass accounts, we store credentials securely and monitor their usage through our SIEM system. We keep one YubiKey in a safe at our data center, and others are securely stored at different locations—like one at the CEO’s home and another at my place (since I'm the security officer). Before we switched to passkeys, we used a super secure 64-character password that was split between trusted top personnel.
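As an added illustration of the "monitor their usage" part of this answer (not code from the thread or from any vendor): a small PowerShell detection that raises an alert for any sign-in by a break glass account. The matching logic is a plain function fed with sign-in records, so the constructed sample data below exercises it without a tenant; the commented tail shows the same function over live records from `Get-MgAuditLogSignIn` (Microsoft.Graph.Reports module). The account names, IP addresses and timestamps are constructed.

```powershell
# Added example (not from the thread): alert on any use of the break glass
# accounts. Assumes the account UPNs below (constructed) and, for the live
# section, the Microsoft.Graph.Reports module with AuditLog.Read.All and
# Directory.Read.All consented.

$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')

function Find-BreakGlassSignIn {
    param(
        # Objects shaped like Get-MgAuditLogSignIn output:
        # UserPrincipalName, CreatedDateTime, IpAddress, Status.ErrorCode
        [Parameter(Mandatory)] [object[]]$SignIns,
        [Parameter(Mandatory)] [string[]]$BreakGlassUpns
    )
    $watch = $BreakGlassUpns | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($s in $SignIns) {
        if ($watch -contains $s.UserPrincipalName.ToLowerInvariant()) {
            # Any activity at all is alert-worthy: these accounts exist only for
            # emergencies. A successful sign-in is the top priority; a failed one
            # still matters because it may be someone probing the account.
            $succeeded = ($s.Status.ErrorCode -eq 0)
            [pscustomobject]@{
                Severity = if ($succeeded) { 'High' } else { 'Medium' }
                When     = $s.CreatedDateTime
                Account  = $s.UserPrincipalName
                SourceIp = $s.IpAddress
                Outcome  = if ($succeeded) { 'success' } else { "failure (error $($s.Status.ErrorCode))" }
            }
        }
    }
}

# Constructed sample records: one ordinary user, one successful break glass
# sign-in, one failed break glass attempt (non-zero Status.ErrorCode).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';       CreatedDateTime = [datetime]'2024-05-01T09:00:00Z'; IpAddress = '203.0.113.10'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'BreakGlass1@contoso.example'; CreatedDateTime = [datetime]'2024-05-01T09:05:00Z'; IpAddress = '198.51.100.7'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'breakglass2@contoso.example'; CreatedDateTime = [datetime]'2024-05-01T09:06:00Z'; IpAddress = '198.51.100.7'; Status = @{ ErrorCode = 50126 } }
)
Find-BreakGlassSignIn -SignIns $sample -BreakGlassUpns $BreakGlassUpns | Format-Table -AutoSize

# Live version: sign-ins by the watched accounts in the last 24 hours.
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# $filter = ($BreakGlassUpns | ForEach-Object { "userPrincipalName eq '$_'" }) -join ' or '
# $live   = Get-MgAuditLogSignIn -Filter "($filter) and createdDateTime ge $since" -All
# Find-BreakGlassSignIn -SignIns $live -BreakGlassUpns $BreakGlassUpns
```

The same rule belongs in the SIEM as a scheduled query so it fires without anyone running a script; the value of the standalone version is that it shows exactly what the rule should match (the UPN, case-insensitively, with success and failure both reported). Excluding these accounts from Conditional Access policies, as is commonly done to keep them usable in an outage, makes this monitoring the main control on them, so route the alert to a channel someone reads at 3 a.m.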

That's right! Also, be sure to enable MFA for those break glass accounts since it’s now a requirement for accessing admin portals. Here’s a good resource on best practices.