What Is Azure Privileged Access Management?
Azure privileged access is the set of identities, roles, policies, and workflows that control administrative power in Microsoft Entra ID, Microsoft 365, Azure, and connected services. In Microsoft Entra ID, roles such as Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Security Administrator, and Application Administrator can change security settings, assign privilege, manage applications, or create durable access paths.
That makes privileged access a tenant control-plane issue. A compromised privileged identity can change Conditional Access policies, add or modify role assignments, register applications, alter authentication methods, and weaken the controls defenders rely on during response.
Privileged Identity Management (PIM) reduces standing exposure by letting administrators use eligible assignments and time-bound activation instead of keeping powerful roles active all the time. PIM is not just a UI feature. It is a control model: activate only when needed, require stronger authentication or approval where appropriate, record the reason, and review the role after use.
How Azure Privileged Access Fails
The same privileged-access failures appear repeatedly in real tenants:
- too many Global Administrators
- permanent role assignments where eligible assignments would be sufficient
- admin accounts without strong authentication coverage
- emergency accounts that exist but are not monitored or tested
- privileged service principals and applications excluded from human admin reviews
- PIM deployed for some roles but not for the roles attackers care about
- Conditional Access exclusions that remove admin accounts from the intended control path
The risk is not only the number of administrators. A tenant with a small number of Global Admins can still be exposed if those identities are permanent, phishable, reused for daily work, or excluded from policy. A tenant with many scoped administrators can be safer if each role is justified, eligible, monitored, and protected with strong authentication.
Why Global Administrator Is Different
Microsoft documents Global Administrator as a highly privileged role that can read and modify almost every administrative setting in Microsoft Entra ID, with a few exceptions, and can also read and modify many Microsoft 365 administrative settings. Global Administrator can also elevate access in some scenarios. That makes it different from a narrow operational role such as User Administrator or Reports Reader.
Use the least privileged role that can complete the task. If the work is application consent, Conditional Access change, Exchange administration, or security investigation, assign the role that matches the job instead of defaulting to Global Administrator. This reduces the blast radius when an account, session, or approval workflow fails.
The Attack Chain
Step 1 - Enumerate Privileged Access
An attacker with directory read visibility often starts by enumerating directory roles, role members, privileged groups, applications, and service principals. They are looking for accounts with standing power, weak authentication, or inactive owners.
Step 2 - Target the Weakest Admin Path
The easiest target might not be the obvious Global Administrator. It could be a stale Privileged Role Administrator, an application owner with broad app permissions, an emergency account with weak monitoring, or an admin account excluded from Conditional Access because of a past outage.
Step 3 - Convert Access Into Persistence
Once privileged access exists, the attacker can try to add another role assignment, change authentication methods, weaken a policy, create an application credential, or add a service principal permission path. The persistence path depends on the roles held by the compromised identity.
Step 4 - Hide in Legitimate Administration
Privileged changes are often rare but legitimate. Attackers benefit when the tenant has no baseline for who activates PIM, who approves requests, which accounts should be permanent, and which applications are allowed to hold high privilege.
Detection
Entra ID Audit Log Events
Monitor administrative changes that alter the tenant control plane:
| Operation Area | What to Review |
|---|---|
| Role assignments | New members added to privileged roles, especially Global Administrator and Privileged Role Administrator |
| PIM activity | Activations, approvals, denied requests, and role setting changes |
| Authentication methods | Changes to privileged users' authentication methods |
| Conditional Access | Policy creation, update, deletion, or exclusion changes |
| Applications | New app registrations, new credentials, new owners, and high-privilege consent |
| Emergency accounts | Any sign-in, credential change, or role change |
PIM Activity Signals
PIM should make privilege more observable. Review:
- activation outside normal business or maintenance windows
- activation for roles the user does not normally use
- activation without a useful justification where justification is required
- approval by an unexpected approver
- repeated activation by accounts that also show sign-in risk
- permanent assignments created after a PIM rollout
Detection Caveats
Do not treat one audit event as proof of compromise. A role assignment might be part of a legitimate project. The alert should include context: actor, target, role, assignment type, activation duration, approval path, device, location, risk level, and whether the user normally performs that role.
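A triage routine that applies the audit-log table and the PIM signals above and attaches the context the caveat asks for, written here as an added example (not code from the original article). The records are constructed to resemble Microsoft Graph `auditLogs/directoryAudits` entries; the activity names, the weekday 18:00-22:00 UTC maintenance window, the per-admin baseline of normal roles, the single break-glass account, and the `Justification` key in `additionalDetails` are all assumptions for this demonstration.

```python
"""Triage Microsoft Entra ID audit-log records for privileged-role activity.

Added example, not code from the original article. Records are constructed to
resemble Microsoft Graph `auditLogs/directoryAudits` entries; the maintenance
window, role baseline, break-glass list and "Justification" key are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Conditional Access Administrator", "Security Administrator",
                    "Application Administrator"}
MAINTENANCE_WINDOW = (time(18, 0), time(22, 0))        # assumed: weekdays 18:00-22:00 UTC
BASELINE_ROLES = {                                     # assumed: roles each admin normally activates
    "alice.admin@contoso.example": {"Conditional Access Administrator"},
    "bob.admin@contoso.example": {"Global Administrator"},
}
EMERGENCY_ACCOUNTS = {"breakglass01@contoso.example"}  # assumed break-glass identity


@dataclass
class Finding:                 # the context an alert should carry: actor, target, role, assignment type, time
    severity: str
    reason: str
    actor: str
    target: str
    role: str
    assignment_type: str
    when: str


def _role_and_target(record):
    """Role name and affected principal, read from targetResources."""
    role, target = "", ""
    for res in record.get("targetResources", []):
        if res.get("type") == "Role":
            role = res.get("displayName", "")
        elif res.get("type") in ("User", "ServicePrincipal"):
            target = res.get("userPrincipalName") or res.get("displayName", "")
    return role, target


def triage(record):
    """Findings for one audit record; an empty list means nothing notable."""
    activity = record.get("activityDisplayName", "")
    role, target = _role_and_target(record)
    if role not in PRIVILEGED_ROLES or record.get("result") != "success":
        return []
    actor = (record.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "")
    when = record.get("activityDateTime", "")
    ts = datetime.fromisoformat(when.replace("Z", "+00:00"))
    findings = []

    def add(severity, reason, kind):
        findings.append(Finding(severity, reason, actor, target, role, kind, when))

    if activity == "Add member to role":                      # permanent active assignment
        add("high", "permanent active assignment to a privileged role", "permanent")
    elif activity == "Add eligible member to role":
        add("medium", "new eligible assignment to a privileged role", "eligible")
    elif activity == "Add member to role completed (PIM activation)":
        in_window = ts.weekday() < 5 and MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]
        if not in_window:
            add("medium", "PIM activation outside the maintenance window", "activation")
        if role not in BASELINE_ROLES.get(target, set()):
            add("medium", "activation for a role outside the user's baseline", "activation")
        justification = next((d.get("value", "") for d in record.get("additionalDetails", [])
                              if d.get("key") == "Justification"), "")
        if len(justification.strip()) < 10:
            add("low", "activation with empty or trivial justification", "activation")
    if target in EMERGENCY_ACCOUNTS:
        add("high", "role change on an emergency access account", "emergency")
    return findings


def triage_all(records):
    return [f for r in records for f in triage(r)]


def _rec(activity, when, actor, target, role, justification=None):
    """Build one constructed audit record in the directoryAudits shape."""
    rec = {"activityDisplayName": activity, "activityDateTime": when, "result": "success",
           "initiatedBy": {"user": {"userPrincipalName": actor}},
           "targetResources": [{"type": "User", "userPrincipalName": target},
                               {"type": "Role", "displayName": role}]}
    if justification is not None:
        rec["additionalDetails"] = [{"key": "Justification", "value": justification}]
    return rec


SAMPLE_RECORDS = [   # constructed sample data
    _rec("Add member to role", "2024-05-06T19:10:00Z", "bob.admin@contoso.example",
         "carol@contoso.example", "Global Administrator"),
    _rec("Add member to role completed (PIM activation)", "2024-05-05T03:15:00Z",
         "alice.admin@contoso.example", "alice.admin@contoso.example", "Global Administrator", "x"),
    _rec("Add member to role completed (PIM activation)", "2024-05-06T19:10:00Z",
         "alice.admin@contoso.example", "alice.admin@contoso.example",
         "Conditional Access Administrator", "CHG-1042: update the contractor MFA policy"),
    _rec("Add member to role", "2024-05-06T22:40:00Z", "bob.admin@contoso.example",
         "breakglass01@contoso.example", "Global Administrator"),
]
```

Run `triage_all(SAMPLE_RECORDS)`: the permanent Global Administrator add and the change on the break-glass account come back as high-severity findings, the Sunday 03:15 activation of a role outside the user's baseline with a one-character justification produces three medium and low findings, and the in-window activation of the user's usual role with a ticketed justification produces none. Each finding carries the actor, target, role and assignment type so a reviewer can decide whether the change matches a known project rather than treating the event alone as proof of compromise.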
Remediation
The goal is not to remove all administration. The goal is to remove unnecessary standing privilege and make privileged access explicit, time-bound, strongly authenticated, and reviewable.
1. Reduce Global Administrator Count
List all Global Administrator assignments and classify each account:
- normal human administrator
- emergency access account
- service account or automation identity
- stale account
- external or guest identity
- unknown owner
Normal human administrators should usually not need permanent active Global Administrator. Convert them to narrower roles or eligible assignments through PIM where licensing and operations allow it. Keep the emergency-access exception separate instead of treating it as a routine admin model.
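The classification step above, carried out over a constructed list of Global Administrator assignments, as an added example that is not code from the original article. In a real tenant the input would be built from `roleManagement/directory/roleAssignmentScheduleInstances` joined with the user or service principal objects; the 90-day staleness threshold, the break-glass list, and the use of the `manager` relationship as the ownership signal are assumptions.

```python
"""Classify every Global Administrator assignment before reducing the count.

Added example, not code from the original article. Assignments are constructed;
the 90-day staleness threshold, the break-glass list and the use of `manager`
as an ownership signal are assumptions for this demonstration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 6, tzinfo=timezone.utc)   # fixed reference date so results are reproducible
STALE_AFTER = timedelta(days=90)
EMERGENCY_ACCOUNTS = {"breakglass01@contoso.example", "breakglass02@contoso.example"}

# Recommended action per class, following the article's guidance.
RECOMMENDATION = {
    "emergency access account": "keep permanent active; monitor every sign-in",
    "normal human administrator": "convert to an eligible PIM assignment or a narrower role",
    "service account or automation identity": "replace with a scoped application permission",
    "stale account": "remove the assignment, then disable or delete the account",
    "external or guest identity": "remove; guests should not hold Global Administrator",
    "unknown owner": "find an owner before the next review or remove the assignment",
}


def classify(assignment):
    """Return the class label for one Global Administrator assignment."""
    p = assignment["principal"]
    upn = p.get("userPrincipalName", "")
    if upn in EMERGENCY_ACCOUNTS:
        return "emergency access account"
    if p["type"] == "ServicePrincipal":
        return "service account or automation identity"
    if p.get("userType") == "Guest" or "#EXT#" in upn:
        return "external or guest identity"
    last = p.get("lastSignInDateTime")
    stale = last is None or NOW - datetime.fromisoformat(last.replace("Z", "+00:00")) > STALE_AFTER
    if stale or not p.get("accountEnabled", True):
        return "stale account"
    if not p.get("manager"):
        return "unknown owner"
    return "normal human administrator"


def review(assignments):
    """One row per assignment: principal, class, whether it is permanent, recommended action."""
    rows = []
    for a in assignments:
        label = classify(a)
        # "Assigned" with no end date is a permanent active assignment; "Activated" is a PIM activation.
        permanent = a["assignmentType"] == "Assigned" and a.get("endDateTime") is None
        action = RECOMMENDATION[label]
        if label == "normal human administrator" and not permanent:
            action = "time-bound activation in use; keep under review"
        name = a["principal"].get("userPrincipalName") or a["principal"]["displayName"]
        rows.append({"principal": name, "class": label, "permanent": permanent, "action": action})
    return rows


def summary(assignments):
    """Count of assignments per class, the figure the reduction plan starts from."""
    return Counter(r["class"] for r in review(assignments))


def _user(upn, last_sign_in, manager="mgr@contoso.example", enabled=True, user_type="Member"):
    return {"type": "User", "userPrincipalName": upn, "lastSignInDateTime": last_sign_in,
            "manager": manager, "accountEnabled": enabled, "userType": user_type}


SAMPLE_ASSIGNMENTS = [   # constructed sample data
    {"principal": _user("breakglass01@contoso.example", None, manager=None),
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": _user("alice.admin@contoso.example", "2024-05-05T08:00:00Z"),
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": _user("bob.admin@contoso.example", "2024-05-06T07:30:00Z"),
     "assignmentType": "Activated", "endDateTime": "2024-05-06T11:30:00Z"},
    {"principal": {"type": "ServicePrincipal", "displayName": "svc-legacy-backup"},
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": _user("dave@contoso.example", "2023-11-01T10:00:00Z"),
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": _user("partner_fabrikam.example#EXT#@contoso.example",
                        "2024-04-20T10:00:00Z", user_type="Guest"),
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": _user("erin@contoso.example", "2024-05-01T10:00:00Z", manager=None),
     "assignmentType": "Assigned", "endDateTime": None},
]
```

The order of the checks matters: the break-glass accounts are matched first so that their deliberately unusual profile (no recent sign-in, no manager) does not land them in the stale or unknown-owner bucket, which keeps the emergency exception separate from the routine admin model as the text recommends.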
2. Configure PIM Role Settings
For high-value roles, configure PIM settings deliberately:
- eligible rather than permanent active assignment for normal admins
- activation duration appropriate to the role
- MFA or Conditional Access authentication context on activation where required
- approval for especially sensitive roles
- business justification and ticket information where the process needs auditability
- notifications to the team that owns the role
- regular access reviews for standing and eligible assignments
Microsoft PIM role settings support controls such as approval, justification, ticket information, and assignment duration. Ticket information is an information field, not automatic validation against a ticketing system, so do not assume it proves change authorization by itself.
3. Protect Emergency Access Accounts Correctly
Emergency access accounts are intentionally different. Microsoft recommends two or more cloud-only emergency access accounts for break-glass scenarios, and Microsoft guidance says those Global Administrator assignments should be permanent active rather than eligible in PIM. That prevents a PIM dependency from locking the tenant during an outage.
That exception does not mean weak controls. Emergency accounts should be cloud-only, protected with phishing-resistant authentication where possible, stored securely, monitored on every sign-in, and validated regularly. They should not be used for routine administration.
4. Enforce Strong Authentication for Privileged Users
Require strong authentication for privileged users and roles. For the highest-value roles, prefer phishing-resistant methods where licensing, device support, and operations allow it. Also verify that admins are not bypassing the policy through trusted locations, excluded groups, stale test accounts, or legacy workflows.
5. Include Applications and Service Principals
Privileged access is not only human. Review service principals, app registrations, credentials, owners, and application permissions. A tenant can have a clean Global Administrator list and still have an application path that can read directory data, modify objects, or maintain persistence.
Review Cadence and Ownership
Privileged access should have an owner and a review cadence. PIM reduces standing access, but it does not automatically prove that every eligible assignment is still justified. At least once per review cycle, compare each privileged role assignment against the current operating model: who owns the role, what task requires it, whether the assignment should remain eligible, whether activation settings are still strict enough, and whether the user still belongs in the admin population.
Also review changes after migrations, mergers, incident response, emergency access use, and major SaaS onboarding. Those are the moments when temporary admin paths often become permanent.
Validation After PIM Rollout
After cleanup, validate effective security rather than policy existence:
- confirm normal admins are eligible, not permanently active, for high-value roles
- confirm emergency accounts are the only intentional permanent Global Administrator exceptions
- perform a controlled activation and confirm MFA, approval, duration, and logging behave as expected
- review audit logs for new role assignments after the cleanup
- verify Conditional Access does not exclude privileged accounts unintentionally
- review service principals and app registrations for privilege equivalent to admin roles
- confirm alerting fires on emergency account sign-in and privileged role assignment
A good validation test asks: if this admin password or session is stolen today, what privilege does the attacker have immediately, and what extra controls must they satisfy before exercising more?
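The assignment and Conditional Access items in the checklist above, run over a constructed tenant snapshot, as an added example that is not code from the original article. In a real tenant the three lists would come from `roleManagement/directory/roleAssignmentScheduleInstances`, `roleManagement/directory/roleEligibilityScheduleInstances` and `identity/conditionalAccess/policies`; the two role IDs are the published role template IDs, while the break-glass object IDs and the sample principals are assumptions. The controlled-activation and alerting checks need a live tenant and are not covered here.

```python
"""Validate the tenant's privileged-access state after a PIM rollout.

Added example, not code from the original article. The snapshot is constructed;
the role IDs are the published role template IDs, the break-glass object IDs
and the sample principals are assumptions for this demonstration.
"""
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"      # Global Administrator template ID
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"   # Privileged Role Administrator template ID
HIGH_VALUE_ROLES = {GLOBAL_ADMIN, PRIV_ROLE_ADMIN}
EMERGENCY = {"bg01-id", "bg02-id"}   # assumed object IDs of the break-glass accounts


def _permanent(instance):
    """assignmentType Assigned with no end date is a permanent active assignment."""
    return instance["assignmentType"] == "Assigned" and instance.get("endDateTime") is None


def validate(snapshot):
    """Return (check, subject) tuples for every validation item that fails."""
    active, eligible, policies = snapshot["active"], snapshot["eligible"], snapshot["policies"]
    findings = []

    # 1. Normal admins are eligible, not permanently active, for high-value roles;
    #    the emergency accounts are the only intended permanent exception.
    for a in active:
        if a["roleDefinitionId"] in HIGH_VALUE_ROLES and _permanent(a) and a["principalId"] not in EMERGENCY:
            findings.append(("permanent active high-value role outside the emergency exception", a["principalId"]))

    # 2. Every emergency account is a permanent active Global Administrator, so a
    #    PIM outage cannot lock the tenant.
    permanent_ga = {a["principalId"] for a in active if a["roleDefinitionId"] == GLOBAL_ADMIN and _permanent(a)}
    for principal in sorted(EMERGENCY - permanent_ga):
        findings.append(("emergency account is not a permanent active Global Administrator", principal))

    # 3. Privileged principals (active or eligible) are not excluded from an enabled
    #    Conditional Access policy that requires MFA for admin roles. The emergency
    #    accounts are treated as an intentional exclusion here.
    privileged = {a["principalId"] for a in active + eligible if a["roleDefinitionId"] in HIGH_VALUE_ROLES}
    admin_mfa_policies = [
        p for p in policies
        if p["state"] == "enabled"
        and set(p["conditions"]["users"].get("includeRoles", [])) & HIGH_VALUE_ROLES
        and "mfa" in p.get("grantControls", {}).get("builtInControls", [])
    ]
    for p in admin_mfa_policies:
        excluded = (set(p["conditions"]["users"].get("excludeUsers", [])) & privileged) - EMERGENCY
        for principal in sorted(excluded):
            findings.append(("privileged account excluded from the admin MFA policy",
                             f"{principal} in '{p['displayName']}'"))
    if not admin_mfa_policies:
        findings.append(("no enabled Conditional Access policy requires MFA for high-value roles", "-"))
    return findings


def _active(principal, role, assignment_type="Assigned", end=None):
    return {"principalId": principal, "roleDefinitionId": role,
            "assignmentType": assignment_type, "endDateTime": end}


def _eligible(principal, role):
    return {"principalId": principal, "roleDefinitionId": role, "endDateTime": None}


SAMPLE_SNAPSHOT = {   # constructed sample data
    "active": [
        _active("bg01-id", GLOBAL_ADMIN),                                      # correct: permanent break-glass
        _active("alice-id", GLOBAL_ADMIN),                                     # wrong: permanent normal admin
        _active("bob-id", GLOBAL_ADMIN, "Activated", "2024-05-06T11:30:00Z"),  # fine: a PIM activation
    ],
    "eligible": [
        _eligible("bob-id", GLOBAL_ADMIN),
        _eligible("carol-id", PRIV_ROLE_ADMIN),
        _eligible("bg02-id", GLOBAL_ADMIN),      # wrong: break-glass left eligible only
    ],
    "policies": [{
        "displayName": "Require MFA for admins", "state": "enabled",
        "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN, PRIV_ROLE_ADMIN],
                                 "excludeUsers": ["bg01-id", "bg02-id", "carol-id"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    }],
}
```

`validate(SAMPLE_SNAPSHOT)` reports three failures: a normal admin left permanently active as Global Administrator, a break-glass account that is only eligible and would therefore depend on PIM during an outage, and an eligible Privileged Role Administrator excluded from the admin MFA policy. The policy exclusion check looks at eligible assignments as well as active ones, since an excluded admin who can activate at will is the bypass the checklist item is meant to catch.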
How EtcSec Detects This
EtcSec audits Azure privileged access configuration on every scan and focuses on the conditions that turn one compromised account into tenant-wide control.
PA_TOO_MANY_GLOBAL_ADMINS identifies tenants with excessive Global Administrator count.
PA_PERMANENT_ADMIN_ASSIGNMENTS highlights standing privileged assignments that should be reviewed for conversion to eligible access.
PA_PIM_NOT_ENABLED surfaces tenants where just-in-time privileged access control is absent or ineffective.
PA_GLOBAL_ADMIN_NOT_MFA identifies Global Administrator accounts without strong authentication coverage.
Related Controls
Review privileged access together with Azure Identity Security: Why MFA Alone Is Not Enough, Azure Identity Protection: Blocking Leaked Credentials, Azure Conditional Access: MFA Bypass With Stolen Passwords, Azure Guest Accounts: The Forgotten Attack Surface in Your Tenant, and Azure App Registrations: Over-Privileged Tenant Apps. Standing admin privilege is rarely the only issue in a tenant.