Capability Profile
Privileged Access Management
Admin access that exists only when it needs to
Privileged Access Management controls who can perform administrative actions, for how long, and under what conditions. In the Microsoft cloud, this is implemented primarily through Entra ID Privileged Identity Management.
Overview
Privileged Access Management is the practice of making sure administrative access exists only when legitimately needed, is scoped to the minimum required, and leaves a complete audit trail. In Entra ID, this is implemented through Privileged Identity Management, which replaces standing admin role assignments with time-limited, approval-gated elevation workflows. A user who is eligible for Global Administrator holds no Global Administrator privilege until they request activation, the request is approved (where the role's activation settings require approval), and the activation window begins. When the window expires, the active assignment is removed automatically and the eligibility remains for the next request.
Standing privileged accounts are among the most consistently targeted assets in cloud environments. A Global Administrator assignment that is active around the clock is a high-value target around the clock, whatever the attacker's entry point. Eliminating standing privilege dramatically reduces the attack surface without removing any operational capability: administrators can still perform every task they need to, but through a process that creates accountability and limits the window of exposure. Standing privilege is also one of the most common audit findings in Microsoft environments: permanent Global Administrator assignments on accounts used for day-to-day work, no access reviews, and no approval workflows.
  • Just-in-time elevation for Entra ID directory roles and Azure resource roles
  • Time-limited access windows with automatic removal when the window expires
  • Approval workflows for high-risk roles requiring manager or peer sign-off
  • MFA enforced at activation time, configured in the role's activation settings (or through a Conditional Access authentication context where a stronger assurance level than ordinary sign-in is required)
  • Full audit log of every elevation request, approval, and administrative action taken
  • Scheduled access reviews surfacing assignments that are anomalous or unused
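The eligibility-activation-expiry workflow and the role settings listed above, as an added example that is not configuration from the original page. It uses the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.Governance) against the Global Administrator role; the two object IDs are placeholders (assumption), the role template ID is the well-known one.

```powershell
# Added example, not the page's own configuration. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory"

$gaRoleId  = "62e90394-69f5-4237-9190-012177145e10"   # well-known template ID of Global Administrator
$adminUser = "00000000-0000-0000-0000-000000000001"   # placeholder: admin who should be ELIGIBLE, not active
$approver  = "00000000-0000-0000-0000-000000000002"   # placeholder: peer or manager who approves activations

# 1. Audit check: who holds GA as a standing ("Assigned") instance rather than a PIM activation?
#    An instance with no EndDateTime is a permanent assignment, the finding the page describes.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$gaRoleId'" -All |
    Where-Object { $_.AssignmentType -eq "Assigned" }
$standing | Select-Object PrincipalId, MemberType, StartDateTime, EndDateTime

# 2. Role settings: find the role management policy bound to GA at directory scope.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaRoleId'").PolicyId

# All three rules below apply to the end user's activation (caller EndUser, level Assignment).
$endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                    inheritableSettings = @(); enforcedSettings = @() }

# 2a. Time-limited window: activations always expire, and never last longer than 4 hours.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
        target               = $endUserTarget
    }

# 2b. MFA and a written justification on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target        = $endUserTarget
    }

# 2c. Single-stage approval by $approver. For a small team with self-approval, set
#     isApprovalRequired = $false and rely on 2b's justification requirement instead.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $endUserTarget
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers   = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver })
                escalationApprovers = @()
            })
        }
    }

# 3. Make the admin ELIGIBLE for GA for one year. This grants no privilege by itself.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Tier-0 admin: eligible only; activation gated by PIM settings"
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
    principalId      = $adminUser
    scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime()
                          expiration    = @{ type = "afterDuration"; duration = "P365D" } }
}

# 4. What $adminUser runs, in their own session, when they need the role. The request
#    stays in PendingApproval until $approver acts, then is active for at most the 4 hours
#    set in 2a (here 2 hours are requested), after which the assignment disappears on its own.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Ticket reference and reason for elevation go here (hypothetical)"
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
    principalId      = $adminUser
    scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime()
                          expiration    = @{ type = "afterDuration"; duration = "PT2H" } }
}
```

Step 1 is the audit query to run before and after a deployment: the rule at the end of the project is that it returns only the break-glass accounts. Step 4 is included to show the other side of the workflow; it has to be run by the eligible user, not by the deploying administrator, and the approval in 2c means it will not become active until the approver acts.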

My Experience
Privileged Identity Management deployment is a standard component of the identity governance work I do in every Microsoft environment. The baseline goal is consistent: no standing Global Administrator accounts assigned to real user accounts. Break-glass emergency access accounts are the only exception, and those are tightly controlled, monitored, and reviewed on a fixed schedule.
At NBT, deploying PIM across a portfolio of 25 tenants meant developing a consistent configuration pattern that could be adapted to each organization's administrative team structure and risk tolerance. Some clients had approval workflows with peer sign-off requirements; others had smaller IT teams where self-approval with justification was the appropriate design. The technical configuration is straightforward. The harder work is designing the role eligibility assignments correctly and getting the operational process documented so the team knows how to use it under pressure.
Access reviews are the ongoing operational discipline that PIM requires to stay effective. Without scheduled reviews, eligible assignments accumulate: former employees, changed roles, completed projects. I build access review campaigns into the governance framework at initial deployment so that the review cadence is established from the start, not added as an afterthought after the environment has drifted.
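A recurring review campaign of the kind described above, as an added example rather than configuration from the original page. It creates a quarterly access review of Global Administrator assignments with Microsoft Graph PowerShell; the reviewer's object ID and the start date are placeholders (assumption).

```powershell
# Added example, not the page's own configuration.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$gaRoleId   = "62e90394-69f5-4237-9190-012177145e10"   # well-known template ID of Global Administrator
$reviewerId = "00000000-0000-0000-0000-000000000002"   # placeholder: the IT lead who performs the review

$definition = @{
    displayName             = "Quarterly review: Global Administrator assignments"
    descriptionForAdmins    = "Confirm every GA eligible and active assignment is still needed"
    descriptionForReviewers = "Deny anyone who no longer needs tenant-wide administrative rights"
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/users"; queryType = "MicrosoftGraph" })
        # Resource = the GA role definition, so the review lists everyone assigned to it.
        resourceScopes  = @(@{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                               query = "/roleManagement/directory/roleDefinitions/$gaRoleId"
                               queryType = "MicrosoftGraph" })
    }
    reviewers = @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # surfaces principals with no recent sign-in activity
        instanceDurationInDays          = 14
        autoApplyDecisionsEnabled       = $true    # decisions are applied without a manual follow-up step
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # an unreviewed assignment is removed; silence cannot keep access
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = "2025-01-01" }   # placeholder start date
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
$review.Id
```

With defaultDecision set to Deny and auto-apply on, the break-glass accounts will appear in every instance of the review and must be explicitly approved each time, which is the intended behaviour: the reviewer is forced to re-confirm that the exception still exists, and a drifted or forgotten review cannot leave anything in place by default.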
Key Work
  • PIM deployment across 25 MSP client tenants - Eliminated standing Global Administrator accounts across the NBT client portfolio, replacing them with PIM-managed eligible assignments and just-in-time elevation workflows tailored to each organization's team structure and approval requirements.
  • Role eligibility design - Mapped administrative functions to appropriate Entra ID roles, applying least-privilege principles so no role assignment was broader than the tasks it needed to support. Avoided the common pattern of assigning Global Administrator where a more scoped role would suffice.
  • Break-glass account architecture - Designed and documented emergency access account procedures: accounts holding a permanent, active Global Administrator assignment rather than a PIM-eligible one, excluded from Conditional Access policies, that exist specifically for scenarios where the PIM infrastructure itself is unavailable or a Conditional Access misconfiguration has locked out every other administrator.
  • Access review program setup - Configured scheduled access review campaigns covering privileged role assignments, establishing review cadences and reviewer assignments at initial deployment so the governance process was operational from day one.
  • Azure resource role management - Extended PIM controls to Azure subscription and resource group roles, ensuring that Azure contributor and owner assignments were subject to the same just-in-time controls as Entra ID directory roles.
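Extending the same just-in-time pattern to the Azure resource plane, as an added example that is not the page's own script. It uses Az PowerShell (Az.Resources) to convert standing Owner and Contributor assignments on one subscription into PIM-eligible ones; the subscription ID and break-glass object ID are placeholders (assumption), the role definition IDs are the built-in ones.

```powershell
# Added example, not the page's own configuration. Requires: Install-Module Az.Resources
Connect-AzAccount

$sub           = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
$contributorId = "b24988ac-6180-42a0-ab88-20f7382dd24c"                  # built-in Contributor
$ownerId       = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"                  # built-in Owner
$breakGlassIds = @("00000000-0000-0000-0000-000000000003")               # placeholder: never convert these

# 1. Standing Owner/Contributor assignments granted directly at this scope to users.
#    Inherited assignments (management group) and the break-glass principal are left alone.
$standing = Get-AzRoleAssignment -Scope $sub | Where-Object {
    $_.RoleDefinitionId -in @($contributorId, $ownerId) -and
    $_.ObjectType -eq "User" -and
    $_.Scope -eq $sub -and
    $_.ObjectId -notin $breakGlassIds
}
$standing | Select-Object DisplayName, RoleDefinitionName, Scope

foreach ($a in $standing) {
    # 2. Create the eligible assignment FIRST, so the user can always get the role back via PIM...
    New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $sub `
        -PrincipalId $a.ObjectId `
        -RoleDefinitionId "$sub/providers/Microsoft.Authorization/roleDefinitions/$($a.RoleDefinitionId)" `
        -RequestType AdminAssign `
        -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
        -ExpirationType AfterDuration -ExpirationDuration "P365D" `
        -Justification "Convert standing $($a.RoleDefinitionName) to PIM eligibility"

    # 3. ...then remove the permanent assignment.
    Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionId $a.RoleDefinitionId -Scope $sub
}
```

Run this from an identity whose own Owner access is already PIM-eligible (or from the break-glass account), because step 3 will otherwise remove the access the script is running with. The activation settings for these roles (maximum duration, MFA, approval) live on the subscription's own role management policy, set separately with Update-AzRoleManagementPolicy, and are not changed by converting the assignments.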