
Steps to grant Global Reader access with MFA and PIM

EnterpriseArchitect 6,386 Reputation points
2025-06-04T13:17:25.9333333+00:00

I would like to engage an external auditor to conduct assessments and security posture checks on my Azure platform.

To grant them access to all Azure subscriptions, the Global Reader role must be assigned to them at the Root Management level.

The external auditor will need to log in using their email address to access my Azure platform, which will be secured with multi-factor authentication (MFA) or two-factor authentication (2FA) and then protected by PIM to elevate the privilege for an 8-hour duration as standard.

Could you please outline the steps I need to take to accomplish this?


Answer accepted by question author

Marcin Policht 91,150 Reputation points MVP Volunteer Moderator
2025-06-04T13:28:29.3633333+00:00

Global Reader is an Entra role - I assume you're referring to the Reader Azure RBAC role.

Step 1: Prepare the external auditor's account

  1. Ensure the auditor has an Entra ID account:
    • If the auditor is external (outside your organization), use Entra ID B2B collaboration to invite them as a guest user by their email.
    • From the Entra Admin Center, go to Users > New guest user and invite the auditor's email.

Step 2: Assign the Reader role at Root Management Group

  1. Navigate to Management Groups in Azure Portal:
    • Go to Azure Portal > Management Groups.
    • Locate the Root Management Group (the top-level management group that contains all subscriptions).
  2. Assign the Reader role:
    • Select the Root Management Group.
    • Go to Access control (IAM) > Add role assignment.
    • Choose the Reader role.
    • Assign it to the auditor's guest user account.

Step 3: Enforce Multi-Factor Authentication (MFA) for the auditor

  1. Enforce MFA via Conditional Access:
    • Go to Entra ID > Security > Conditional Access.
    • Create a policy targeting the external auditor's user account or group.
    • Under Grant controls, require Multi-Factor Authentication.
    • Enable the policy.

Step 4: Configure Privileged Identity Management (PIM) for Just-In-Time Access

  1. Enable PIM for the Reader role on the Root Management Group:
    • Go to Entra ID > Privileged Identity Management > Azure resources.
    • Select the Root Management Group as the scope.
    • Find the Reader role.
    • Assign the auditor user as an Eligible member (not active by default).
  2. Configure Activation settings:
    • Require MFA on activation.
    • Set the activation duration to 8 hours.
    • Enable Justification for audit trail.
    • Optionally require approval for activation.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

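The four steps in the accepted answer, scripted end to end as an added example (this is not code from the original post or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK for the guest invitation and the Conditional Access policy, and Az PowerShell plus the Azure RBAC PIM REST API for the eligible assignment and the activation settings. Assumed values: the auditor's address, the policy display names, the 90-day eligibility window and the justification text are placeholders; the tenant root management group is addressed by the tenant ID, which is its ID. Two points the portal walkthrough does not make explicit: the signed-in admin must already hold User Access Administrator at the root scope ("/", via "elevate access" as a Global Administrator) before any assignment at the root management group will succeed, and the auditor should end up with only an eligible Reader assignment, because a direct IAM assignment (Step 2 in the answer) would stay active regardless of PIM and let them bypass activation, MFA and justification.

```powershell
# Added example, not the original post's code. Requires: Install-Module Microsoft.Graph, Az.Accounts, Az.Resources
# Assumptions are marked inline; run as an admin who already has User Access Administrator at "/".

$auditorEmail = 'auditor@example.com'                    # assumed placeholder address
$readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'   # built-in "Reader" role definition GUID

Connect-AzAccount | Out-Null
$tenantId  = (Get-AzContext).Tenant.Id                   # tenant root management group ID == tenant ID
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"
$roleDefId = "$rootScope/providers/Microsoft.Authorization/roleDefinitions/$readerRoleId"
Connect-MgGraph -TenantId $tenantId -Scopes 'User.Invite.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# Step 1: invite the auditor as a B2B guest and keep the resulting object ID.
$invite = New-MgInvitation -InvitedUserEmailAddress $auditorEmail `
    -InvitedUserDisplayName 'External auditor' `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage:$true
$auditorId = $invite.InvitedUser.Id

# Step 3: Conditional Access policy requiring MFA for this guest on all cloud apps.
# Targeting the single object ID matches the answer; a group is easier to maintain for several auditors.
$caPolicy = @{
    displayName = 'CA - External auditor - require MFA'   # assumed name
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @($auditorId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

# Step 4 (activation settings): every role at a scope has one role management policy;
# find the one for Reader at the root through its policy assignment, then PATCH its rules.
$policyAssignment = Get-AzRoleManagementPolicyAssignment -Scope $rootScope |
    Where-Object { $_.RoleDefinitionId -like "*/$readerRoleId" }
$policyName = ($policyAssignment.PolicyId -split '/')[-1]

$target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
$policyPatch = @{
    properties = @{
        rules = @(
            @{  # maximum activation duration: 8 hours
                id                   = 'Expiration_EndUser_Assignment'
                ruleType             = 'RoleManagementPolicyExpirationRule'
                isExpirationRequired = $true
                maximumDuration      = 'PT8H'
                target               = $target
            },
            @{  # on activation: require MFA and a justification (add 'Ticketing' if wanted)
                id           = 'Enablement_EndUser_Assignment'
                ruleType     = 'RoleManagementPolicyEnablementRule'
                enabledRules = @('MultiFactorAuthentication', 'Justification')
                target       = $target
            }
        )
    }
}
$resp = Invoke-AzRestMethod -Method PATCH `
    -Path "$rootScope/providers/Microsoft.Authorization/roleManagementPolicies/$policyName?api-version=2020-10-01" `
    -Payload ($policyPatch | ConvertTo-Json -Depth 10)
if ($resp.StatusCode -ne 200) { throw "Role management policy update failed: $($resp.Content)" }

# Steps 2 + 4 (assignment): make the auditor ELIGIBLE for Reader at the root for 90 days (assumed window).
# Deliberately no Get-AzRoleAssignment/New-AzRoleAssignment here: a direct assignment would bypass PIM.
New-AzRoleEligibilityScheduleRequest -Name ([guid]::NewGuid().ToString()) -Scope $rootScope `
    -PrincipalId $auditorId -RoleDefinitionId $roleDefId `
    -RequestType 'AdminAssign' -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType 'AfterDuration' -ExpirationDuration 'P90D' `
    -Justification 'External security posture assessment (assumed text)' | Out-Null

# Checks: one eligible Reader schedule for the auditor, and no active (direct) Reader assignment.
Get-AzRoleEligibilitySchedule -Scope $rootScope -Filter "principalId eq '$auditorId'" |
    Select-Object PrincipalId, RoleDefinitionDisplayName, EndDateTime
Get-AzRoleAssignment -Scope $rootScope -ObjectId $auditorId -RoleDefinitionName 'Reader'   # expected: empty
```

Before handing the invitation over, decide how the MFA requirement is satisfied for the guest: if the auditor comes from another Entra tenant and your inbound cross-tenant access settings trust that tenant's MFA, the home-tenant MFA claim satisfies the policy; otherwise the guest registers an authentication method in your tenant on first sign-in. Optional approval on activation (the answer's last bullet) is a third rule, Approval_EndUser_Assignment, on the same policy and can be added to the PATCH body in the same way. The second check at the end is the one that matters for least privilege: if it returns a row, a standing Reader assignment exists that PIM will never time out.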

0 additional answers
