Require approval to modify access to Privileged groups

Question

We recently worked with a 3rd party Security company to assess our Azure env. We did get hit for having one admin still set as a global admin (we are still in the process of implementing Privileged Identity Management). We know it was a big strike and they mentioned if the admin ever went rogue, he could remove access for everyone and lock people out (which we understand). But the admin brought up a great question. What is stopping him from logging in, requesting Global Admin via PIM and then going full rogue that way? Is there a way we can set up some sort of approval process for adding/modifying/removing users from a Privileged group or from PIM set up? We do have alerting set up on this, but that won't help us if we are removed. Hope this makes sense. Thought it was an interesting perspective on access

Answer 1

You can certainly set up approvals in PIM. However, having at least two "break-glass" GA accounts is recommended, so you can use this as an excuse :)

As detailed in the official guidance on this, the account(s) should have permanent assignment as to remove any dependence on PIM. To prevent any abuse, store the credentials for said account(s) in a manner that requires additional approval (for example, use a FIDO key stored in a locked cabinet/safe and make sure the GA does not have direct access to it).