PIM Best practice

Sirs 0 Reputation points
2023-10-31T21:55:46.94+00:00

Hi,

We have 2 Microsoft admins and 2 supporters.

Now to implement PIM I am looking for a best practice.

Should I permanently grant a few usually required roles? (Microsoft does not recommend that)

Should I group built-in roles into new custom ones and assign the supporters this new role in PIM? (e.g. User Admin and Intune Admin -> Custom_Support_Admin) Will this make it easier?

Should I leave it to them to decide which of the ~50 roles is required at a given moment, or just select a few that will be available to them and will probably be good enough for 80% of the work?

Same questions for the admins.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

2 answers

  1. Andreas Baumgarten 123.7K Reputation points MVP Volunteer Moderator
    2023-10-31T22:17:22.24+00:00

    Hi @Sirs ,

    It all depends on your compliance and security requirements.

    Some best/good practices are:

    Least privilege principle: a user/admin should have just the permissions required to do the job they need to do.

    A good admin concept helps as well. This should cover topics like "how to get permissions", "how to maintain/modify permissions", "which permissions are required", "how to revoke permissions if not needed anymore".

    In my opinion, "Microsoft Entra Privileged Identity Management" is a good start. (What is Microsoft Entra Privileged Identity Management?)


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


  2. Sandeep G-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2023-11-03T05:38:34.3433333+00:00

    @Sirs

    Thank you for posting in Microsoft Q&A.

    Microsoft always recommends having the permanent Global Administrator role assigned to 1-2 accounts. This is always a safe option that will help you regain access to your tenant in case all other admin accounts get locked out.

    Or you can follow the article below to keep your tenant access safe:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

    Coming to the supporter accounts, it depends on your requirements as to what permissions you want to give to these accounts. Of course, as you mentioned, there are multiple default Azure AD roles that you can assign to them depending on what kind of permissions they need.

    Or you can also create a custom role depending on what kind of specific permissions they need.

    Assigning a default/custom role to supporter accounts via PIM is always a good option.

    With PIM you can expire the role for supporter accounts in a timely manner.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
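    As an added illustration of the PIM approach both answers describe (eligible, time-bound assignments instead of permanent ones), this is example code written for this page, not code from either answerer or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed, and the supporter UPN, justification text and 90-day eligibility window are placeholders chosen to match the question's User Admin + Intune Admin example.

```powershell
# Make a supporter account *eligible* (not permanently active) for a few built-in
# Entra roles through PIM, so each role has to be activated just-in-time.
# Placeholders: the UPN, justification and durations below are constructed for this example.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "User.Read.All"

$supporterUpn = "supporter1@contoso.example"          # placeholder account
$roleNames    = @("User Administrator", "Intune Administrator")
$eligibleFor  = "P90D"   # ISO 8601 duration: the eligibility itself lapses after 90 days and must be renewed

$principal = Get-MgUser -UserId $supporterUpn -Property Id

foreach ($roleName in $roleNames) {
    # Resolve the built-in role by display name rather than hard-coding template GUIDs.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $role) { Write-Warning "Role '$roleName' not found, skipping"; continue }

    $body = @{
        action           = "adminAssign"              # an admin grants eligibility; the user activates later
        justification    = "Tier-1 support; activate per ticket"
        roleDefinitionId = $role.Id
        directoryScopeId = "/"                        # tenant-wide; use "/administrativeUnits/<id>" to narrow scope
        principalId      = $principal.Id
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{
                type     = "afterDuration"
                duration = $eligibleFor
            }
        }
    }

    # Creates the eligibility schedule request; nothing becomes active until the supporter activates it.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body |
        Select-Object Id, Status, RoleDefinitionId
}

# Verify: the account should now show eligibility for exactly the requested roles, each with an end date.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($principal.Id)'" |
    Select-Object RoleDefinitionId, Status,
                  @{ n = 'EligibilityEnds'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

    Activation duration, MFA and approval requirements for each role are set separately in the role's PIM settings, so the eligibility created here only determines who may request the role and for how long that option exists.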

