Admins have permanent Owner rights, that feels too broad
Privileged Identity Management (PIM) in Entra ID grants just-in-time rights: admin activates the role for 1-8 hours with approval or MFA. By default, read-only.
Try this first
- 1Activate Entra ID P2 (required) or a Microsoft 365 E5 licence for admins who'll use PIM. No P2, no PIM.
- 2Make roles 'eligible' instead of 'active'. The admin is assigned but read-only until they activate.
- 3Set approval workflow for the heaviest roles (Global Admin, Owner on subscription). On activation a second admin gets a prompt.
- 4Enable audit logs and alerts on role activation. If someone claims Global Admin at midnight, you need to see it.
- 5For break-glass: keep two 'permanent' Global Admin accounts outside PIM, with hardware MFA and strictly offline passwords. For when PIM itself is unreachable.
When to bring us in
If you face IT audit or NIS2 controls, a PIM baseline plus a one-time review with your security architect is worth preparing.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.