Having constraints on the number of global administrators within your Office 365 tenant is important for a variety of reasons, such as limiting the impact of a data breach. But there is an issue with Microsoft’s native solution, Privileged Identity Management, in which administrative privileges are granted to non-global admins only for a limited period.
And yet, assigning all administrative responsibilities to just a few members of a large organization simply isn’t a workable solution either. Today, we’ll look at two possible routes to assign administrative privileges to users within your M365 tenant who are not global administrators.
An administrator of Microsoft 365 will have a privileged account, which means that they can manage users, groups, devices, and settings within a Microsoft 365 environment.
The specific tasks an administrator can perform within the tenant will depend on which of the built-in Microsoft administrative roles they have been assigned.
The most far-reaching set of privileges is assigned to global administrators, but there are 81 other roles and counting, which means that a significant amount of M365-specific knowledge and skill is required to assign such roles effectively.
A normal end-user has no privileges to make changes by default, other than such user activities as editing and creating documents. Accounts such as these are often referred to as “standard user accounts.”
Privileged Identity Management (PIM) is a native capability provided by Microsoft that can be used to control administrative access to the tenant.
It can be used, for example, so that someone with a standard user account can be granted administrative privileges within your M365 tenant for “X” number of hours, after which these privileges are removed and must be requested again for the user to regain administrative access.
The advantage of PIM is that those with standard user accounts will only have privileged access for a short period.
Once this window of time has passed, such operators must then request administrative access from a global administrator again and justify why they need it.
The use of admin privileges is tracked, and alerts can be sent when these privileges are invoked.
Privileged Identity Management is only for the cloud environment (Azure AD). It does not restrict access to the on-premises portion of a hybrid environment, that is, one in which M365 resources are distributed across both on-premises data centers and the cloud.
In order to extend PIM type access to hybrid deployments of M365, an organization would require an additional Microsoft feature called Privileged Access Management (PAM).
While giving privileged access for short periods rather than permanently can reduce a non-global administrator’s security footprint, there is still a high likelihood that they will be given an administrative role that has more permissions than required to perform the task at hand, which constitutes an unnecessary security risk.
Moreover, PIM does not control who can be managed. It only controls how long an administrator can perform management tasks.
Even if an organization has implemented PIM, the chances are high that they won’t have implemented it for all roles, as this would be inherently inefficient.
For example, requiring someone on a service desk to request elevated privileges every time they need to reset a password would be enormously costly, both in terms of that user’s time and that of the global administrator who would have to review and approve each request.
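To see how far a tenant relies on PIM in practice, a defender will want to know who holds Global Administrator permanently versus who is merely eligible to activate it. The following PowerShell is an added example, not code from the original post or from CoreView; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account may read role management data, and that the schedule objects expose the AssignmentType and ScheduleInfo.Expiration.Type properties of the Graph unifiedRoleAssignmentSchedule resource.

```powershell
# Added example (not from the original post): separate standing Global Administrator
# assignments from PIM-eligible ones. Assumes the Microsoft.Graph SDK and read access
# to role management data; property names on schedules are assumptions taken from the
# Graph unifiedRoleAssignmentSchedule / unifiedRoleEligibilitySchedule resources.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Resolve the role by display name rather than hard-coding its template id.
$ga     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$filter = "roleDefinitionId eq '$($ga.Id)'"

# Active schedules: who holds the role right now (standing or activated through PIM).
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -Filter $filter -ExpandProperty Principal
# Eligibility schedules: who may activate the role through PIM for a limited period.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -ExpandProperty Principal

function Get-PrincipalName($schedule) {
    # The expanded principal is a directory object; its names live in AdditionalProperties.
    $p = $schedule.Principal.AdditionalProperties
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    return $p['displayName']
}

$rows = [System.Collections.Generic.List[object]]::new()
foreach ($s in $active) {
    $rows.Add([pscustomobject]@{
        Principal = Get-PrincipalName $s
        Kind      = 'Active'
        # 'Assigned' is a standing assignment; 'Activated' came from a PIM activation.
        Source    = $s.AssignmentType
        # noExpiration marks a permanent assignment, which is what the post warns about.
        Permanent = ($s.ScheduleInfo.Expiration.Type -eq 'noExpiration')
    })
}
foreach ($s in $eligible) {
    $rows.Add([pscustomobject]@{
        Principal = Get-PrincipalName $s
        Kind      = 'Eligible'
        Source    = 'PIM'
        Permanent = $false
    })
}

$rows | Sort-Object Permanent -Descending | Format-Table -AutoSize

# Standing, never-expiring Global Administrators are the population to keep to a minimum.
$standing = $rows | Where-Object { $_.Kind -eq 'Active' -and $_.Permanent -and $_.Source -eq 'Assigned' }
Write-Host ("Standing Global Administrators: {0}" -f @($standing).Count)
```

Run the same inventory for the other built-in roles to see which ones PIM actually covers; the page's point is that the time limit applies only where an eligibility schedule exists.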
CoreView can restrict operators to the absolute minimum permissions and to managing only a specific set of objects, called a Virtual Tenant, for an extended time.
Thus, it reduces the risk of a given user having too many administrative permissions, limiting their security footprint to what their tasks require and no more.
Moreover, these scoped permissions can be standing, so that no continual request and approval process is needed to facilitate regular business operations.
Both CoreView and PIM allow non-administrators to perform administrative actions in a relatively controlled way.
However, PIM’s fundamental approach of limiting the duration of such administrative privileges.