I've been the security lead for about three weeks now, and one of my main tasks is to audit the privileged roles in our Entra ID. During this audit, I found 23 users who have permanent Global Admin roles, and when I asked the previous admin about these assignments, he couldn't provide any justification for them. Some of these roles were granted years ago without any documentation, and some were emergency access grants that weren't revoked after incidents. There's also a consultant from last year who still has admin access because no one followed up after their project ended.
We have Privileged Identity Management (PIM) set up, but the approval process is malfunctioning. Requests are sent to an old distribution list that includes former employees, and the remaining approvers end up approving everything without context. For instance, one approval happened just 90 seconds after the request was made, late at night.
The technical controls are in place, but the whole process for managing permissions is broken. Now, I need to determine who genuinely needs admin access and who can lose it, but I can't simply revoke everyone's access without knowing how it might impact operations. How can I effectively rebuild our admin governance given these challenges?
5 Answers
In my organization, we limit the approval process for admin roles to just three people: our CISO, the Deputy CISO, and our principal cloud security engineer. Every request must clearly state why access is needed, and we make sure that Global Admin and Owner roles have a strict approval process. It sounds like you may need to start by removing access from anyone who's no longer with the team.
If you’re unsure who really needs admin access, check the resource access logs for the past few months. Ideally, you’d restrict each user to just the privileges they need based on their actual interactions. Also, consider enforcing mandatory MFA across the board and perhaps a password reset to strengthen security.
Make sure you review the audit logs to understand what each user is actually doing. A lot of times, you can create less privileged roles for those who don't need Global Admin access. We had about 40 people in our environment with that level of access, but after some cleanups, it's down to a few critical ones. Informing the infosec team about the changes can help tackle any resistance from change approval boards.
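A concrete way to do the triage the answers above describe, and to catch the kind of rubber-stamp approval the question mentions (an approval 90 seconds after the request, late at night), is to work offline from exported data rather than in the portal. The script below is an added example, not code from the question or any of the answers. It uses constructed samples shaped like what the Microsoft Graph `roleAssignmentScheduleInstances` and `directoryAudits` endpoints return (with a UPN standing in for `principalId` and `initiatedBy` flattened to a string for readability). The Global Administrator template ID is real and tenant-independent; the PIM `activityDisplayName` strings, the 90-day inactivity window, the 5-minute approval threshold and the UTC business hours are assumptions to check against your own tenant's logs and time zone.

```python
"""Offline triage of permanent Global Admin assignments and PIM approval behaviour.

Added example: runs on constructed sample data shaped like Graph exports.
"""
from datetime import datetime, timedelta, timezone

# Template ID of the Global Administrator role; the same in every tenant.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# PIM audit activity names are ASSUMED here; confirm the exact strings in your tenant.
PIM_REQUESTED = "Add member to role requested (PIM activation)"
PIM_APPROVED = "Add member to role request approved (PIM activation)"

# Constructed sample shaped like /roleManagement/directory/roleAssignmentScheduleInstances.
# assignmentType "Assigned" with no endDateTime is a permanent active assignment;
# "Activated" is a time-bound PIM activation of an eligible assignment.
ASSIGNMENTS = [
    {"principalUpn": "alice@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalUpn": "bob@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalUpn": "consultant@vendor.example", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalUpn": "carol@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2024-05-02T07:12:32Z"},
]

# Constructed sample shaped like /auditLogs/directoryAudits (initiatedBy flattened to a UPN,
# "target" is the principal whose role is being requested/approved for PIM events).
AUDIT = [
    {"activityDateTime": "2024-04-30T14:03:10Z", "activityDisplayName": "Update conditional access policy",
     "category": "Policy", "initiatedBy": "alice@contoso.example", "target": None},
    {"activityDateTime": "2024-01-12T09:15:00Z", "activityDisplayName": "Add user",
     "category": "UserManagement", "initiatedBy": "bob@contoso.example", "target": None},
    {"activityDateTime": "2024-05-01T23:11:02Z", "activityDisplayName": PIM_REQUESTED,
     "category": "RoleManagement", "initiatedBy": "carol@contoso.example", "target": "carol@contoso.example"},
    {"activityDateTime": "2024-05-01T23:12:32Z", "activityDisplayName": PIM_APPROVED,
     "category": "RoleManagement", "initiatedBy": "dave@contoso.example", "target": "carol@contoso.example"},
    {"activityDateTime": "2024-05-02T10:00:00Z", "activityDisplayName": PIM_REQUESTED,
     "category": "RoleManagement", "initiatedBy": "alice@contoso.example", "target": "alice@contoso.example"},
    {"activityDateTime": "2024-05-02T10:40:00Z", "activityDisplayName": PIM_APPROVED,
     "category": "RoleManagement", "initiatedBy": "dave@contoso.example", "target": "alice@contoso.example"},
]

# Fixed "now" so the sample run is repeatable; use datetime.now(timezone.utc) on real exports.
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps Graph emits into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def permanent_global_admins(assignments):
    """UPNs holding Global Admin as a permanent active assignment (the cleanup list)."""
    return sorted({a["principalUpn"] for a in assignments
                   if a["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID
                   and a["assignmentType"] == "Assigned"
                   and a["endDateTime"] is None})


def last_activity(audit):
    """Most recent audit-log action initiated by each user."""
    last = {}
    for e in audit:
        t, user = parse_ts(e["activityDateTime"]), e["initiatedBy"]
        if user not in last or t > last[user]:
            last[user] = t
    return last


def stale_permanent_admins(assignments, audit, now=NOW, days=90):
    """Permanent Global Admins with no admin activity in the window: first revocation candidates."""
    cutoff = now - timedelta(days=days)
    never = datetime.min.replace(tzinfo=timezone.utc)
    last = last_activity(audit)
    return [u for u in permanent_global_admins(assignments) if last.get(u, never) < cutoff]


def rubber_stamp_approvals(audit, max_seconds=300, business_hours=(8, 18)):
    """Pair each PIM approval with the latest pending request for the same target and flag
    approvals that were either very fast or outside business hours (hours assumed UTC)."""
    pending, findings = {}, []
    for e in sorted(audit, key=lambda x: parse_ts(x["activityDateTime"])):
        if e["activityDisplayName"] == PIM_REQUESTED:
            pending[e["target"]] = parse_ts(e["activityDateTime"])
        elif e["activityDisplayName"] == PIM_APPROVED and e["target"] in pending:
            approved_at = parse_ts(e["activityDateTime"])
            latency = (approved_at - pending.pop(e["target"])).total_seconds()
            out_of_hours = not (business_hours[0] <= approved_at.hour < business_hours[1])
            if latency <= max_seconds or out_of_hours:
                findings.append({"target": e["target"], "approver": e["initiatedBy"],
                                 "latency_seconds": latency, "out_of_hours": out_of_hours})
    return findings


if __name__ == "__main__":
    print("Permanent Global Admins:", permanent_global_admins(ASSIGNMENTS))
    print("No admin activity in 90 days:", stale_permanent_admins(ASSIGNMENTS, AUDIT))
    for f in rubber_stamp_approvals(AUDIT):
        print("Suspicious approval:", f)
```

On the sample data the consultant and one long-inactive admin come out as the first revocation candidates, and the late-night approval 90 seconds after the request is the only approval flagged. Pairing an approval with the latest pending request for the same target is a heuristic that works when a user has at most one open request at a time; if your export carries a request identifier, match on that instead.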
To tackle this, start with a basic ITIL change management process. Organize a kickoff meeting with key stakeholders to discuss your findings. If there are compliance obligations like SOC, SOX, or HIPAA, make sure to point them out.
You should propose two main resolutions. First, fix the workflow: require valid business justifications for access requests, limit the number of approvers, and make sure approvers have the necessary training. Second, reset the security posture—plan a timeline to disable accounts and encourage people to share what they know about these users. Just prepare for potential disruptions since a complete reset might be necessary.
If all else fails, start revoking Global Admin roles gradually and see who raises concerns—they’ll be the ones who genuinely need access. You can then create specific admin accounts for those users instead of keeping their regular accounts elevated, which is a risky practice.
