Hey everyone! I'm looking to get some insights on the best practices for managing Privileged Identity Management (PIM) assignments. I've been diving into the Microsoft documentation, but it hasn't really clarified a few things. Specifically, I'm trying to determine which roles should be classified as 'eligible' versus 'permanent'. I noticed that many roles have a 'privileged' tag and I'm considering making those eligible, while keeping others permanent. A few admins have inquired about making the Global Reader role permanent as well, but since it also has a 'privileged' designation, I'm unsure how to approach that. I'm eager to hear how others have set up PIM in their environments!
4 Answers
Just sharing a bit about our practice: No accounts should have permanent access to any roles. Instead, we implement PIM through various group setups. Teams are assigned to daily groups for frequent roles, and they can elevate their access to more privileged roles temporarily with approvals. This not only helps with audits but also keeps security tighter. In an ideal scenario, aim to avoid permanent assignments, but I get that it can be tough for smaller organizations. We never assign Global Reader because there are better ways to limit visibility with more specific role combinations.
The Global Reader is definitely a privileged role because it allows access to a lot of sensitive data. To figure out your PIM setup, think about risk assessments and regular access reviews. When users complain, it's good to explain the importance of these measures. Even if someone activates the same role daily, not having it active outside business hours reduces risks. Just about any role that Microsoft marks as 'privileged' should probably be tied into PIM. Making them permanently eligible or requiring regular renewals is based on your individual risk assessments.
You nailed it, thanks for your insights!
Totally agree about the Global Reader—it's surprising how much it can access, like BitLocker keys.
I like to keep only a break-glass account with permanent Global Admin access. All other privileged roles I’ve set up as eligible through PIM. This way, I maintain tight control while ensuring necessary access when needed.
Privileged roles that lead to escalation, like Global Admin or privileged role admin, should always be set to require approval and ideally tied to strict access policies. If your SOC isn't monitoring these roles actively, just making them eligible won't be much help in stopping a threat that arises from a compromised account.
Thanks for the detailed breakdown, that’s super helpful! Good luck with your challenges ahead.