Eliminating standing administrative privileges across a 5,000-seat financial institution using Entra PIM, Conditional Access, and automated access reviews - reducing the privileged attack surface by 94% without disrupting operations.
A 5,000-seat financial services organisation had been granting permanent administrative access as a matter of operational convenience for years. Global Administrator, Privileged Role Administrator, User Access Administrator, Exchange Administrator - these roles were assigned as standing permissions to dozens of IT staff, with no time limits, no approval workflows, and no audit trail beyond the occasional manual review that happened when something went wrong.
The problem was not that administrators were acting maliciously. The problem was that permanent privileged credentials are a magnet for attackers. A phishing email landing in the inbox of an account with Global Administrator access is not an account compromise - it is a tenant compromise. The blast radius of a single credential theft covers the entire Microsoft 365 and Azure estate.
A regulatory examination flagged the standing privilege model as a material finding. The business had 90 days to demonstrate a credible remediation plan and 12 months to show full implementation. That examination was the forcing function. The technical direction was clear: Entra Privileged Identity Management, Conditional Access for privileged roles, and a proper identity governance programme built around access reviews and lifecycle automation.
The first week of the project was a discovery audit. What we found was worse than the preliminary assessment suggested.
There were 47 active Global Administrator assignments in the tenant. Microsoft recommends two to five for a tenant of this size. Of the 47, eleven belonged to accounts that were service accounts or shared mailboxes with no MFA. Six belonged to accounts of staff who had left the organisation. Three belonged to accounts that had never been used for any Global Admin operation in the prior 12 months.
Across all privileged Entra roles, there were 312 standing assignments. Across Azure subscriptions, there were a further 284 Owner or Contributor assignments held by user accounts rather than service principals, most without justification documentation.
Break-glass emergency access accounts did not exist. The business had no documented procedure for what to do if PIM became unavailable or if all eligible administrators were unreachable. This meant that implementing PIM without first creating break-glass accounts would introduce a genuine lockout risk.
MFA enforcement was inconsistent. Conditional Access covered standard users well, but there was a gap: the legacy authentication exclusion list included several accounts that held privileged roles, and the MFA registration policy had never been applied to guest accounts with role assignments.
The target model had three tiers of administrative access, each with progressively stricter activation requirements.
Tier 1 covered low-sensitivity roles with limited blast radius: Teams Administrator, SharePoint Administrator, Intune Administrator. These roles were made PIM-eligible with self-activation, no approval required, maximum 8-hour session, and justification text mandatory. Activation required MFA.
Tier 2 covered medium-sensitivity roles: Exchange Administrator, Security Administrator, Compliance Administrator, Application Administrator. These required a single approver from the identity team, maximum 4-hour session, and justification text. Activation required MFA plus a compliant device signal from Conditional Access.
Tier 3 covered the highest-sensitivity roles: Global Administrator, Privileged Role Administrator, User Access Administrator, Security Reader with tenant-wide scope. These required two approvers including the CISO or their delegate, maximum 2-hour session, mandatory ticket reference, and activation was restricted to a named set of Privileged Access Workstations. Any Tier 3 activation triggered a real-time alert to the SOC.
No role in any tier could be permanently assigned except the two break-glass accounts. Every other assignment was eligible-only.
Created two cloud-only break-glass Global Administrator accounts excluded from all Conditional Access policies. Stored credentials in physically secured locations with dual-custody access. Configured Sentinel alert rules to fire within 60 seconds of any break-glass sign-in. Documented the break-glass procedure including when to use it, how to access credentials, and post-use rotation requirements. Published the procedure to the incident response runbook. Only then did any PIM configuration begin.
Configured PIM settings for all 24 privileged Entra roles and 18 Azure subscription roles in scope. Each role received a tier classification, maximum activation duration, approval requirements, justification enforcement, MFA on activation, and notification settings. Role settings were documented in a configuration register that became the audit evidence for the regulatory examination. All configuration changes to PIM role settings were gated behind a change management workflow.
Migrated all 312 Entra role assignments and 284 Azure RBAC assignments from permanent to eligible over a six-week period. Ran in parallel operation: eligible assignments were created before permanent assignments were removed, giving administrators two weeks to verify PIM activation worked for their role before the standing assignment was revoked. Communicated the migration schedule to all affected users with activation instructions and a test window. Support tickets during migration averaged 3 per day, all resolved within one business day.
Created three Conditional Access policies targeting Entra administrator roles. The first enforced phishing-resistant MFA (FIDO2 or Windows Hello for Business) for all Tier 2 and Tier 3 role activations. The second restricted Tier 3 activations to compliant, Intune-managed devices only. The third applied a continuous session control requiring re-evaluation every 60 minutes for any active privileged session. Legacy authentication was blocked unconditionally for all accounts with any role assignment.
Deployed quarterly access reviews for all Tier 2 and Tier 3 eligible assignments using Entra ID Governance. Reviews were assigned to role owners rather than the identity team, making business accountability explicit. Reviewers who did not respond within the review window had their assignments automatically removed. Monthly access reviews were created for Global Administrator eligible assignments specifically. An automated workflow monitored Entra audit logs and removed eligible assignments for accounts that had been inactive for 90 days.
Built a detection workbook covering the most critical privileged identity abuse scenarios: Global Admin activation outside business hours, multiple Tier 3 activations within 30 minutes by the same account, PIM role setting changes without a corresponding change ticket, activation from an IP address outside known corporate ranges, and any sign-in to a break-glass account. Each detection linked to a SOAR playbook that suspended the account pending investigation and notified the identity team and SOC simultaneously.
The most operationally difficult problem in the project was not technical. It was approval chain design for out-of-hours incidents.
The initial design required a single approver for Tier 2 roles and two approvers for Tier 3. In a standard business day, this worked perfectly. At 2am on a Sunday when an incident required Exchange Administrator access to investigate a suspected data exfiltration, the design created a 45-minute delay while an on-call approver located their phone, authenticated, and processed the approval in PIM.
We solved this with two changes. First, a defined on-call rotation for PIM approvers was created and integrated with the existing incident response on-call schedule. The on-call approver was expected to respond to PIM approval requests within 15 minutes during their on-call window. Second, for declared major incidents, a policy was created allowing a single Tier 3 approval from the incident commander rather than two approvers, with mandatory post-incident review. The activation window was reduced to 1 hour for incident-context activations and renewal required a new approval.
This was not a security compromise. A 45-minute delay in privilege activation during an active incident is a genuine operational risk. The design had to balance security controls against the organisation's ability to respond to threats.
// Detect Tier 3 privileged role activations outside business hours
// Tier 3 roles: Global Administrator, Privileged Role Administrator, User Access Administrator
// Business hours: Monday-Friday 07:00-19:00 CET
let Tier3Roles = dynamic([
"Global Administrator",
"Privileged Role Administrator",
"User Access Administrator"
]);
let BusinessHoursStart = 7;
let BusinessHoursEnd = 19;
AuditLogs
| where TimeGenerated >= ago(1d)
| where OperationName == "Add member to role completed (PIM activation)"
| extend RoleName = tostring(TargetResources[0].displayName)
| where RoleName in (Tier3Roles)
| extend
ActivatingUser = tostring(InitiatedBy.user.userPrincipalName),
IPAddress = tostring(InitiatedBy.user.ipAddress),
HourOfDay = hourofday(TimeGenerated),
DayOfWeek = dayofweek(TimeGenerated)
| where
HourOfDay < BusinessHoursStart
or HourOfDay >= BusinessHoursEnd
or DayOfWeek == time(0) // Sunday
or DayOfWeek == time(6d) // Saturday
| join kind=leftouter (
AuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
| where TimeGenerated >= ago(30d)
| summarize PriorActivations = count() by InitiatedBy_UPN = tostring(InitiatedBy.user.userPrincipalName)
) on $left.ActivatingUser == $right.InitiatedBy_UPN
| project
TimeGenerated,
ActivatingUser,
RoleName,
IPAddress,
HourOfDay,
DayOfWeek,
PriorActivations = coalesce(PriorActivations, 0),
IsFirstTimeActivation = (coalesce(PriorActivations, 0) == 0)
| sort by TimeGenerated descBreak-glass accounts are the most important thing you do before anything else. Not the second thing. The first. A misconfigured Conditional Access policy or a PIM setting error can lock every administrator out of the tenant simultaneously. The break-glass accounts are the ejector seat. You do not strap into the cockpit before you verify the ejector seat works.
The number of Global Administrator assignments in a tenant is a direct measure of how seriously an organisation takes identity security. Forty-seven Global Administrator assignments is not a configuration problem. It is a cultural problem. The technical fix takes a day. The cultural change took six months of education, escalation, and in some cases, direct conversations with department heads about why their team lead did not need Global Admin to manage a SharePoint site.
Approval workflow design is operational design, not just security design. Every approval step adds latency. In a routine world, latency is acceptable. In a security incident, latency can be the difference between containing a breach and losing the tenant. The on-call approver rotation and the incident commander exception were not security compromises. They were the difference between a control that holds under pressure and one that gets bypassed.
Access reviews only work if reviewers are accountable. Assigning access reviews to the identity team means the identity team spends three weeks every quarter doing housekeeping for roles they do not understand. Assigning access reviews to role owners means the person who knows why the access exists is making the decision. The identity team should own the process, not the decisions.
PIM activation data is a goldmine for threat detection. Before PIM, privileged operations were invisible - they happened through standing assignments with no activation event to observe. After PIM, every privileged action is preceded by a logged, attributed activation request. The Sentinel detection coverage for privileged identity abuse went from zero to fourteen rules. That visibility alone justifies the operational overhead of PIM, regardless of the security controls it implements.