How Can We Reassign Global Admins to Lower Privileged Roles?

Asked By TechWiz2021 On

We have a lot of global admins in our organization, and it seems like they're just using it as a catch-all role because they're not sure what other permissions they need for their daily tasks. Many of them are acting as global admins all the time, although they really only require those privileges for a few hours each month. We're considering using Privileged Identity Management (PIM) for global admins, but it won't help if they activate that role constantly because they lack other role assignments that would allow them to do the majority of their work. Is there any Azure activity analyzer that can track what tasks specific admins are actually performing? It would be great to know how to assign them new roles that could replace their global admin access without disrupting their workflow.

5 Answers

Answered By NerdySysAdmin On

Definitely check out PIM and also look into role-based access control (RBAC) design along with audit logs. There are plenty of tools available like CyberArk that can help you analyze permissions and determine what roles are most effective.

Answered By RoleMapper99 On

You might want to consider using PIM with an approval system and set it to expire after an hour. This way, at least they can elevate their privileges as needed. But the real challenge is figuring out what other roles to assign them. If they have to keep reactivating the global admin role and getting approval each hour, it could really slow them down.

Answered By SysAdminSage On

Using PIM with justification and approval makes sense, and I recommend setting a timer for about an hour. It might help to define what they actually do and then assign roles accordingly, including custom roles as needed. Also, Entra has audit logs, so it could help in reviewing the accounts.

Answered By RoleRanger On

Consider starting with a couple of hours max on the PIM. At my job, we have an 8-hour limit, but typically people only activate their roles a few times a week. It's crucial, though, to ensure they have other roles that can support their daily tasks without needing global admin rights. Mapping their activities accurately will really help in deciding on better role assignments.

Answered By AdminGuru100 On

Using PIM in combination with groups that have multiple lesser roles can be really helpful for admins who work in various platforms throughout the day. Just make sure to track their activities so you know which roles are necessary.
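
The activity mapping that several answers suggest can be started from an export of the Entra audit log. The sketch below is an added example, not code from any poster; it groups each global admin's successful operations by audit category and proposes narrower built-in roles to evaluate. It assumes records shaped like Microsoft Graph `directoryAudit` entries; the category-to-role map is an assumed starting point to validate in your own tenant, and the sample records and account names are constructed.

```python
from collections import Counter, defaultdict

# Assumed starting map: audit "category" -> narrower built-in role to evaluate.
# Anything unmapped is reported for manual review rather than guessed at.
CATEGORY_TO_ROLE = {
    "UserManagement": "User Administrator",
    "GroupManagement": "Groups Administrator",
    "ApplicationManagement": "Application Administrator",
}

def _rec(upn, category, activity, result="success"):
    """Build one constructed record; upn=None models an app-initiated event."""
    by = {"user": {"userPrincipalName": upn}} if upn else {"user": None, "app": {"displayName": "sync-app"}}
    return {"category": category, "activityDisplayName": activity, "result": result, "initiatedBy": by}

# Constructed sample export (not real tenant data).
SAMPLE = [
    _rec("alice@contoso.example", "UserManagement", "Reset user password"),
    _rec("alice@contoso.example", "UserManagement", "Update user"),
    _rec("alice@contoso.example", "GroupManagement", "Add member to group"),
    _rec("bob@contoso.example", "ApplicationManagement", "Update application"),
    _rec("bob@contoso.example", "RoleManagement", "Add member to role"),
    _rec("bob@contoso.example", "UserManagement", "Delete user", result="failure"),
    _rec(None, "UserManagement", "Update user"),
]
GLOBAL_ADMINS = {"alice@contoso.example", "bob@contoso.example"}

def summarize(records, global_admins):
    """Per global admin: event count, candidate roles, and unmapped activities."""
    per_admin = defaultdict(Counter)
    for rec in records:
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        upn = (user.get("userPrincipalName") or "").lower()
        if upn not in global_admins or rec.get("result") != "success":
            continue  # skip app-initiated, non-admin and failed operations
        per_admin[upn][(rec.get("category"), rec.get("activityDisplayName") or "unknown")] += 1
    report = {}
    for upn, acts in per_admin.items():
        roles = sorted({CATEGORY_TO_ROLE[c] for c, _ in acts if c in CATEGORY_TO_ROLE})
        review = sorted({a for c, a in acts if c not in CATEGORY_TO_ROLE})
        report[upn] = {"events": sum(acts.values()), "candidate_roles": roles, "needs_review": review}
    return report

if __name__ == "__main__":
    for upn, row in sorted(summarize(SAMPLE, GLOBAL_ADMINS).items()):
        print(upn, row)
```

Activities listed under `needs_review` are the ones most likely to still require a PIM-activated higher role, so they show where time-limited elevation remains necessary after the narrower roles are assigned.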
