Smaller organizations are more prone to appoint IT admins with Global Admin rights as a “catch all” privilege, especially where the company started its cloud journey with Office 365. This is compounded in small companies, where an admin is expected to support a wider breadth of technology. However, standing Global Admin rights go against least privilege guidelines for companies moving toward a “zero trust” model.
Currently, as noted in the following article, Microsoft frowns upon companies exceeding 4 Global Admins, as shown in Image 1 below. This matters especially for project-based tasks, which could instead be delegated using Azure AD’s Privileged Identity Management. Privileged Identity Management is a feature of Azure AD Premium P2 in which eligible IT resources submit requests to activate elevated roles. This process can require:
- Defining their reason for request
- Seeking another IT resource to approve the request
To highlight this, as shown in Image 2 below, a company has two resources who need to perform different IT tasks for a very limited time. Rather than providing IT admins blanket Global Admin rights with no end date, companies could use Privileged Identity Management to provide targeted rights for a set period.
In Azure AD there are many roles defined out of the box, along with the ability to create custom roles if warranted (as shown in Image 3 below). Another aspect of this feature is that it is not exclusive to users of your Azure tenant; it applies to guest accounts as well. A use case for this is where a vendor needs to be involved in consulting work or integration services, and limited rights need to be delegated only for the duration of the project.
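As an added example (not code from the original post), the script below audits Global Administrator assignments against the 4-admin guidance and builds the request body PIM uses for a time-bound eligible assignment. It assumes the shape of the Microsoft Graph role-management endpoints named in the comments and the well-known template ID of the built-in Global Administrator role; the assignment records are constructed sample data, not from a live tenant.

```python
"""Audit standing Global Admins and build a time-bound PIM eligibility request."""
from datetime import datetime, timezone
from typing import Any, Optional

# Template ID of the built-in Global Administrator role (identical in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
RECOMMENDED_MAX_GLOBAL_ADMINS = 4


def _instance(principal: str, role: str, kind: str, end: Optional[str]) -> dict[str, Any]:
    """Constructed record in the shape of Graph's unifiedRoleAssignmentScheduleInstance
    (GET /roleManagement/directory/roleAssignmentScheduleInstances).
    assignmentType 'Assigned' = standing assignment, 'Activated' = PIM activation."""
    return {"principalId": principal, "roleDefinitionId": role,
            "assignmentType": kind, "endDateTime": end}


# Constructed sample: five permanent Global Admins (one over the cap), one PIM
# activation that expires, and one unrelated role assignment.
SAMPLE_INSTANCES = [
    _instance("alice", GLOBAL_ADMIN_ROLE_ID, "Assigned", None),
    _instance("bob", GLOBAL_ADMIN_ROLE_ID, "Assigned", None),
    _instance("carol", GLOBAL_ADMIN_ROLE_ID, "Assigned", None),
    _instance("dave", GLOBAL_ADMIN_ROLE_ID, "Assigned", None),
    _instance("erin", GLOBAL_ADMIN_ROLE_ID, "Assigned", None),
    _instance("frank", GLOBAL_ADMIN_ROLE_ID, "Activated", "2024-05-01T18:00:00Z"),
    _instance("grace", "00000000-0000-0000-0000-000000000000", "Assigned", None),
]


def audit_global_admins(instances: list[dict[str, Any]],
                        cap: int = RECOMMENDED_MAX_GLOBAL_ADMINS) -> dict[str, Any]:
    """Split Global Admin holders into standing (no end date) and time-bound, flag the cap."""
    standing, time_bound = [], []
    for inst in instances:
        if inst["roleDefinitionId"] != GLOBAL_ADMIN_ROLE_ID:
            continue
        if inst["assignmentType"] == "Assigned" and inst.get("endDateTime") is None:
            standing.append(inst["principalId"])
        else:
            time_bound.append(inst["principalId"])
    return {"standing": standing, "time_bound": time_bound, "over_cap": len(standing) > cap}


def eligible_assignment_request(principal_id: str, role_definition_id: str,
                                justification: str, days: int) -> dict[str, Any]:
    """Body for POST /roleManagement/directory/roleEligibilityScheduleRequests: the principal
    becomes *eligible* (must still activate, with a reason and optional approval) and the
    eligibility lapses after `days`, so the project end date is enforced by the schedule."""
    if not justification.strip():
        raise ValueError("PIM requests must state a reason")
    if days <= 0:
        raise ValueError("eligibility must have a finite end")
    return {"action": "adminAssign", "justification": justification,
            "roleDefinitionId": role_definition_id, "directoryScopeId": "/",
            "principalId": principal_id,
            "scheduleInfo": {"startDateTime": datetime.now(timezone.utc).isoformat(),
                             "expiration": {"type": "afterDuration", "duration": f"P{days}D"}}}
```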
In summation, a key part of “zero trust” is being mindful of least privilege when managing your Azure tenant. In smaller companies, it is easy to exceed the recommended cap on Global Admins. Rather than applying a one-size-fits-all approach to security, companies could explore a feature of Azure AD Premium P2, Privileged Identity Management, which grants specific rights for a specific window of time.