Examine best practices when configuring administrative roles

  • 4 minutes

This unit describes some of the key best practices for using Microsoft Entra role-based access control. Microsoft derived these best practices from its experience over the years with role-based access control and the experiences of its customer base.

1. Manage to least privilege

First and foremost when planning your access control strategy is to manage to least privilege. Least privilege means you grant your administrators exactly the permissions they need to do their job.

There are three aspects to consider when assigning a role to your administrators:

  • a specific set of permissions
  • over a specific scope
  • for a specific period of time

Important

Organizations should avoid assigning broader roles at broader scopes even if it initially seems more convenient to do so. By limiting roles and scopes, organizations limit what resources are at risk if their security principle ever becomes compromised.

Microsoft Entra role-based access control supports over 65 built-in roles. There are Microsoft Entra roles to manage directory objects like users, groups, and applications. There are other roles to manage Microsoft 365 services like Exchange, SharePoint, and Intune.

To better understand Microsoft Entra built-in roles, see Understand roles in Microsoft Entra. If there isn't a built-in role that meets your need, you can create your own custom roles.

Follow these steps to help you find the right role.

  1. Sign in to the Microsoft Entra admin center.

  2. In the left-hand navigation pane, select Show more.

  3. In the left-hand navigation pane, select Roles & admins, and then under this group, select Roles & admins to see the list of Microsoft Entra roles.

  4. In the Roles and administrators | All roles page, you can optionally use the +Add filters feature to create a filter that narrows down the list of roles.

    Screenshot of the Roles and administrators page in the Microsoft Entra admin center.

Refer to the Microsoft Entra built-in roles documentation. The system lists together the permissions associated with each role for better readability. To understand the structure and meaning of role permissions, see How to understand role permissions.

Additional reading. For more information, see Least privileged role by task.

2. Use Privileged Identity Management to grant just-in-time access

One of the principles of least privilege states that you should only grant access for a specific period of time. Microsoft Entra Privileged Identity Management (PIM) lets you grant just-in-time access to your administrators. Microsoft recommends that you enable PIM in Microsoft Entra ID.

In PIM, you can make a user an eligible member of a Microsoft Entra role. The user can then activate the role for a limited time when needed. Users assigned the Privileged Role Administrator role can manage PIM and update role assignments for other users. Both the Global Administrator and the Privileged role administrator can assign administrator roles. However, Microsoft encourages organizations to have the Privileged role administrator manage administrator role assignments through Microsoft Entra PIM based on the principle of least privilege.

PIM automatically removes access when the timeframe expires. You can also configure PIM settings to require approval or receive notification emails when someone activates their role assignment. Notifications provide an alert when administrators add new users to highly privileged roles.

3. Turn on multifactor authentication for all your administrator accounts

Based on Microsoft's studies, users have a 99.9% less likely chance of becoming compromised if they use multifactor authentication (MFA).

Organizations can enable MFA on Microsoft Entra roles using two methods:

4. Configure recurring access reviews to revoke unneeded permissions over time

Access reviews enable organizations to review administrator's access regularly to make sure only the right people have continued access. Organizations should regularly audit their administrators. Doing so is crucial for following reasons:

  • A malicious actor can compromise an account.
  • People often move across teams within a company. If an organization doesn't enable auditing, its users can amass unnecessary access over time.

Additional reading. For information about access reviews for roles, see Create an access review of Microsoft Entra roles in PIM.

For more information about access reviews of groups and assigned roles, see Create an access review of groups and applications in Microsoft Entra access reviews.

5. Limit the number of Global Administrators to less than five

As a best practice, Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization. Because Global Administrators hold the keys to the kingdom, organizations should keep the attack surface low.

Important

This is all the more reason for organizations to manage to least privilege and only grant their administrators exactly the permissions they need to do their job.

As stated previously, organizations should protect all Global administrator user accounts with multifactor authentication.

By default, when a user signs up for a Microsoft cloud service, the system automatically creates a Microsoft Entra tenant and makes the user a member of the Global Administrators role. Users assigned the Global Administrator role can read and modify every administrative setting in a Microsoft Entra organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in their Microsoft 365 organization. Global Administrators can also elevate their access to read data.

Tip

Microsoft recommends that organizations keep two "break glass" accounts that they permanently assign to the Global Administrator role. They should also ensure these accounts don't require the same MFA mechanism as their normal administrative accounts to sign in, as described in Manage emergency access accounts in Microsoft Entra.

6. Use groups for Microsoft Entra role assignments and delegate the role assignment

If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Microsoft Entra groups instead of individual users. You can also manage role-assignable groups in PIM to ensure there are no standing owners or members in these privileged groups. For more information, see Privileged Identity Management (PIM) for Groups (preview).

You can assign an owner to role-assignable groups. Because the owner decides who gets added to or removed from the group, they indirectly decide who gets the role assignment. In this way, a Global Administrator or Privileged Role Administrator can delegate role management on a per-role basis by using groups. For more information, see Use Microsoft Entra groups to manage role assignments.

7. Use cloud native accounts for Microsoft Entra roles

Organizations should avoid using on-premises synced accounts for Microsoft Entra role assignments. The reason behind this best practice is that if an on-premises account becomes compromised, it can also compromise the company's Microsoft Entra resources.