I'm looking into the permissions required for ManageEngine tools, specifically for access to Entra ID administrator roles. The documentation suggests that both the Privileged Authentication Administrator and the Privileged Role Administrator roles are needed, which seems excessive. Has anyone managed to use these tools without assigning those high-level permissions? My goal is to disable any features that would modify privileged roles, as I feel uncomfortable granting them such access when we don't utilize ManageEngine for managing Entra roles, especially critical ones like Global Administrators. I want to avoid potential security risks where credentials could be misused to access privileged accounts.
3 Answers
I think ManageEngine has its pros and cons. While some people say it's not the best, it can be a solid choice when you're on a budget. I’ve used a few of their tools, and while they might not be ideal, they serve their purpose. But I totally understand not wanting to risk security for savings.
Honestly, you're right to be cautious about those permissions. If your use case doesn’t require managing roles or authentication, it’s better not to grant them. The documentation you linked actually mentions that you can assign minimal roles to the service account. Just check which features actually need the higher permissions and base your decision on that.
I've seen a lot of cloud apps requiring excessive permissions that don’t seem necessary. You should definitely audit the app registration in Entra ID to see what Graph API permissions are being used versus what they’re asking for. A lot of services request more permissions than they actually need, which can create vulnerabilities. Regular audits of your app registrations are crucial to maintaining security.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures