What Are the Best Practices for Assigning Roles in PIM?

Asked By CuriousCat92 On

Hey everyone! I'm looking for some insights on best practices for managing role assignments in Privileged Identity Management (PIM). I've been checking out the Microsoft documentation, but it doesn't really cover everything I need. One particular area I'm unsure about is how to properly classify roles as 'eligible' versus 'permanent'. I read that roles tagged as 'privileged' should be eligible, but what about roles like the Global Reader? Some admins are asking if they can keep it as a permanent role, even though it's marked as 'privileged'. I'd love to hear about your setups and any advice you might have!

4 Answers

Answered By CyberSecNinja On

I strongly recommend configuring settings for privileged roles that enable privilege escalation or lateral movement, like Global Admin or Privileged Role Admin, to require explicit approvals and link them to strict conditional access policies. If your security operations center isn’t monitoring these activations, having roles as eligible without additional controls won’t effectively prevent abuse by threat actors with compromised identities.

Answered By TechWhiz45 On

The Global Reader role is definitely considered privileged since it gives users access to read almost all information in the tenant. When thinking about PIM best practices, it's crucial to conduct risk assessments and establish proper access review routines. If admins argue about needing a role daily, remind them that it mitigates risk by ensuring privileged roles aren't active outside of business hours, limiting the window for potential exploitation. Ideally, every role Microsoft marks as 'privileged' should fall under PIM management, but whether they are permanently eligible or subject to periodic renewal will depend on your organization's specific risk assessments.

FinestFox -

Exactly! You captured my thoughts perfectly. Thanks for sharing!

SmartCookie123 -

I agree about the Global Reader role! Interestingly, its classification as privileged is partly due to the access it provides to BitLocker recovery keys.

Answered By SecurityGuru88 On

In my experience, I only keep a single break-glass account with permanent Global Admin access. All other privileged roles are set to eligible via PIM to maintain security and control.

Answered By IAM_Specialist99 On

Working as a Senior Security Engineer in a Fortune 500, I can share that we stick to a policy where no account is allowed standing access across our environment. We use PIM groups to create various 'daily' groups for teams that need frequent access. For roles that aren't used often, users can elevate access temporarily with approval. This system of nested groups improves auditing and permission reporting. Ideally, you wouldn't have permanent assignments for any roles, but smaller companies might find it tough to maintain that. We tend to keep Global Reader off the table, opting for more specific roles instead.
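The policy that runs through the question and the last two answers (privileged roles eligible rather than permanent, one break-glass account with standing Global Administrator, PIM-enabled groups for frequent access, Global Reader avoided) can be checked mechanically. The following is an added example and not code from the thread or its posters: an offline audit over records shaped like the Microsoft Graph `roleManagement/directory` objects (`roleDefinitions`, `roleAssignmentSchedules`, `roleEligibilitySchedules`). The three Global Administrator, Privileged Role Administrator and Global Reader template IDs are Microsoft's built-in ones; every other ID, principal and the break-glass set is a constructed placeholder.

```python
"""Audit directory-role assignment posture against a PIM policy.

Added example. Input records mirror Microsoft Graph roleManagement/directory
objects but are constructed sample data, not a tenant export. Policy checked:
  - privileged roles must be eligible, never permanently active, except
  - designated break-glass accounts, which must hold permanent Global Admin,
  - eligibility that never expires is noted (no renewal cycle),
  - Global Reader use is noted, because it is itself a privileged role.
"""
from dataclasses import dataclass

# Built-in template IDs (for built-in directory roles the roleDefinition id equals templateId).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLE_ADMINISTRATOR = "e8611ab8-c189-46e8-94e1-60213ab1f814"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
REPORTS_READER = "00000000-0000-0000-0000-000000000001"  # placeholder, not the real template id

# Constructed sample, shaped like GET /roleManagement/directory/roleDefinitions
ROLE_DEFINITIONS = [
    {"id": GLOBAL_ADMINISTRATOR, "displayName": "Global Administrator", "isPrivileged": True},
    {"id": PRIVILEGED_ROLE_ADMINISTRATOR, "displayName": "Privileged Role Administrator", "isPrivileged": True},
    {"id": GLOBAL_READER, "displayName": "Global Reader", "isPrivileged": True},
    {"id": REPORTS_READER, "displayName": "Reports Reader", "isPrivileged": False},
]


def _sched(principal, role, assignment_type, member_type, expiration, end=None):
    exp = {"type": expiration} if end is None else {"type": expiration, "endDateTime": end}
    return {"principalId": principal, "roleDefinitionId": role, "assignmentType": assignment_type,
            "memberType": member_type, "directoryScopeId": "/", "scheduleInfo": {"expiration": exp}}


# Constructed sample, shaped like GET /roleManagement/directory/roleAssignmentSchedules (active).
ACTIVE_SCHEDULES = [
    _sched("bg-0001", GLOBAL_ADMINISTRATOR, "Assigned", "Direct", "noExpiration"),        # break-glass: expected
    _sched("user-0042", GLOBAL_READER, "Assigned", "Direct", "noExpiration"),             # the question's case
    _sched("user-0042", PRIVILEGED_ROLE_ADMINISTRATOR, "Activated", "Direct",
           "afterDateTime", "2024-05-01T18:00:00Z"),                                      # PIM activation, expires
    _sched("user-0007", REPORTS_READER, "Assigned", "Direct", "noExpiration"),            # not privileged
]

# Constructed sample, shaped like GET /roleManagement/directory/roleEligibilitySchedules.
ELIGIBLE_SCHEDULES = [
    _sched("grp-pim-tier0", PRIVILEGED_ROLE_ADMINISTRATOR, "Assigned", "Group", "noExpiration"),  # PIM group
    _sched("user-0042", GLOBAL_READER, "Assigned", "Direct", "afterDateTime", "2025-01-01T00:00:00Z"),
]

BREAK_GLASS = {"bg-0001", "bg-0002"}  # assumption: the tenant's emergency-access accounts


@dataclass
class Finding:
    severity: str
    principal_id: str
    role: str
    message: str


def _is_permanent(schedule) -> bool:
    return schedule["scheduleInfo"]["expiration"]["type"] == "noExpiration"


def audit(role_defs, active, eligible, break_glass):
    roles = {r["id"]: r for r in role_defs}
    findings, bg_with_permanent_ga = [], set()
    for s in active:
        role = roles[s["roleDefinitionId"]]
        if s["assignmentType"] != "Assigned" or not _is_permanent(s) or not role["isPrivileged"]:
            continue  # activations expire on their own; non-privileged roles are out of scope
        if s["principalId"] in break_glass and role["id"] == GLOBAL_ADMINISTRATOR:
            bg_with_permanent_ga.add(s["principalId"])
            continue  # the one sanctioned standing assignment
        findings.append(Finding("high", s["principalId"], role["displayName"],
                                "permanent active assignment of a privileged role; convert to eligible"))
    for principal in sorted(set(break_glass) - bg_with_permanent_ga):
        findings.append(Finding("high", principal, "Global Administrator",
                                "break-glass account has no permanent Global Administrator assignment"))
    for s in eligible:
        role = roles[s["roleDefinitionId"]]
        if role["isPrivileged"] and _is_permanent(s):
            findings.append(Finding("low", s["principalId"], role["displayName"],
                                    "eligibility never expires; set a renewal period or access review"))
        if role["id"] == GLOBAL_READER:
            findings.append(Finding("info", s["principalId"], role["displayName"],
                                    "Global Reader is privileged (tenant-wide read); prefer a narrower reader role"))
    return findings


if __name__ == "__main__":
    for f in audit(ROLE_DEFINITIONS, ACTIVE_SCHEDULES, ELIGIBLE_SCHEDULES, BREAK_GLASS):
        print(f"[{f.severity}] {f.principal_id} {f.role}: {f.message}")
```

Keying on the `isPrivileged` flag of the role definition rather than on a hand-maintained list is what makes Global Reader show up: Microsoft marks it privileged, so a permanent active assignment of it is reported exactly like a permanent Global Administrator. The `memberType: "Group"` record shows the PIM-group pattern from the last answer; eligibility attached to a group is assessed the same way as eligibility attached to a user.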
