Best Practices to implement Entra PIM

NeelDarji-7992 91 Reputation points
2024-03-22T16:57:40.4533333+00:00

I am implementing Entra PIM. I want a few points on best practices that are highly recommended to follow, for example, Break Glass, Emergency Accounts, etc.

Can anyone help me to prepare a list?

Microsoft Security Microsoft Entra Microsoft Entra ID

3 answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2024-03-22T17:08:36.9866667+00:00

    Hi, more info on BreakGlass:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

    It's important to exclude these from MFA/Conditional Access and monitor logons to them. Have at least 2 break glass accounts.

    Otherwise, PIM and least priv best practices:

    https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-iam-development-best-practices

    Lots to read, but worth it:

    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/


  2. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2024-03-22T17:11:53.45+00:00

  3. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2024-03-22T17:13:49.8333333+00:00

    Refer to

    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan

    and

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

    We recommend you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role.


    hth
    Marcin

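The two answers above boil down to three checks a tenant owner can run on a schedule: no permanent active role assignments except the two break-glass accounts (which hold Global Administrator), break-glass accounts excluded from every enabled Conditional Access policy, and any sign-in to a break-glass account surfaced for review. The script below is an added example, not code from the thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets that exist for these objects, and the break-glass UPNs and the `contoso.example` domain are placeholders you would replace with your own. It only checks direct user exclusions on Conditional Access policies; if your break-glass accounts are excluded through a group, extend the check to `ExcludeGroups`.

```powershell
# Added example (not from the original thread): audit an Entra ID tenant against
# the PIM / break-glass recommendations in the answers above.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

# Placeholder break-glass accounts; replace with your own emergency access accounts.
$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')

Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory', 'Policy.Read.All', 'AuditLog.Read.All', 'User.Read.All'

# Resolve the break-glass UPNs to object IDs (role assignments and CA exclusions use IDs).
$breakGlassIds = foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

# Map role definition IDs to display names once, so findings are readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# --- Check 1: permanent active assignments ---------------------------------
# A schedule instance with AssignmentType 'Assigned' and no EndDateTime is a
# permanent (non-PIM-activated, non-expiring) active assignment.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

$findings = foreach ($a in $permanent) {
    $role = $roleNames[$a.RoleDefinitionId]
    if ($breakGlassIds -contains $a.PrincipalId) {
        # Break-glass accounts are expected to hold Global Administrator permanently.
        if ($role -ne 'Global Administrator') {
            [pscustomobject]@{ Check = 'PermanentAssignment'; Subject = $a.PrincipalId; Detail = "Break-glass account holds '$role' permanently; expected only Global Administrator" }
        }
        continue
    }
    [pscustomobject]@{ Check = 'PermanentAssignment'; Subject = $a.PrincipalId; Detail = "Permanent active '$role' at scope '$($a.DirectoryScopeId)'; convert to an eligible PIM assignment" }
}

# --- Check 2: Conditional Access exclusions --------------------------------
# Every enabled policy should list both break-glass accounts under ExcludeUsers,
# otherwise a broken MFA or CA policy can lock the emergency accounts out too.
$findings += Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' } |
    ForEach-Object {
        $excluded = @($_.Conditions.Users.ExcludeUsers)
        $missing  = $breakGlassIds | Where-Object { $excluded -notcontains $_ }
        if ($missing) {
            [pscustomobject]@{ Check = 'ConditionalAccess'; Subject = $_.DisplayName; Detail = "Break-glass account(s) not excluded: $($missing -join ', ')" }
        }
    }

# --- Check 3: sign-ins to break-glass accounts -----------------------------
# These accounts should almost never authenticate; any sign-in deserves review.
$findings += foreach ($upn in $BreakGlassUpns) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 20 |
        ForEach-Object {
            [pscustomobject]@{ Check = 'BreakGlassSignIn'; Subject = $upn; Detail = "$($_.CreatedDateTime) from $($_.IPAddress), status code $($_.Status.ErrorCode)" }
        }
}

# Emit findings as objects so they can be piped to Export-Csv or an alerting step.
if ($findings) { $findings | Sort-Object Check, Subject } else { Write-Host 'No findings.' }
```

Run this under an account (or app registration) that holds only the read scopes listed in `Connect-MgGraph`; the script changes nothing. Pipe the output to `Export-Csv` for a periodic access review, and wire the `BreakGlassSignIn` rows into whatever alerting you already use, since a sign-in to an emergency account is the event the first answer says to monitor.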
