The 3 AM Oncall That Changed Everything
Last year, a sysadmin at a mid-sized company got paged at 3 AM. Exchange was down. The fix required Global Admin rights. Their manager, half-asleep, approved the elevation in Teams. Problem solved by 4 AM.
Six months later, that sysadmin still had Global Admin. Nobody remembered to remove it. Nobody was checking.
This is privileged role drift—and it's happening in your tenant right now.
What Is Privileged Role Drift?
Privileged role drift occurs when your Entra ID role assignments slowly deviate from their intended state. It's not a single event. It's the accumulation of small decisions, forgotten cleanups, and good intentions gone stale.
The pattern is predictable:
- Emergency access granted → Never revoked
- Temporary project role → Project ends, role stays
- Contractor onboarded with admin rights → Contract ends, account remains
- "Just give them Global Admin, it's easier" → Becomes permanent policy
Each individual decision seems reasonable. The cumulative effect is a tenant where far too many people have far too much access.
Why This Happens to Every Organization
The Pressure of the Moment
When production is down, nobody's thinking about least privilege. They're thinking about getting systems back online. The "we'll clean this up later" checkbox gets mentally checked—and then forgotten.
No Built-in Expiration
Entra ID role assignments are permanent by default. Unless you're using Privileged Identity Management (PIM) with time-bound assignments, that Global Admin role stays until someone manually removes it.
Most organizations aren't using PIM. Even those that are using it often have legacy standing assignments from before PIM was configured.
The Knowledge Gap
The person who granted the access might leave. The person who received it might change teams. Six months later, nobody remembers why the assignment exists—but nobody wants to remove it and potentially break something.
Audit Fatigue
Even organizations that review access periodically suffer from audit fatigue. When you're staring at a list of 50 role assignments, it's tempting to approve them all and move on.
The Real-World Consequences
Expanded Blast Radius
Every standing admin account is an attack vector. If a Global Admin's credentials are compromised—through phishing, malware, or credential stuffing—the attacker has immediate, unrestricted access to your entire tenant.
With proper controls, a compromised account might give an attacker access to a mailbox. With standing Global Admin, they can:
- Access every mailbox in the organization
- Create new admin accounts (persistence)
- Disable security controls and audit logging
- Exfiltrate data from SharePoint, OneDrive, and Teams
- Pivot to Azure resources if the tenant is connected
Compliance Failures
Every major compliance framework requires least-privilege access:
- SOC 2: Logical access controls must restrict access to authorized users
- ISO 27001: Access rights shall be reviewed at regular intervals
- NIST 800-53: Employs the principle of least privilege
- CIS Controls: Establish and maintain a process for revoking access
When auditors ask "Who has Global Admin access and why?", the answer shouldn't be "We're not sure."
Insider Risk
Not every risk is external. Standing privileged access increases insider risk—whether malicious or accidental. A disgruntled employee with Global Admin can do significant damage. Even a well-intentioned admin can accidentally delete critical resources.
How to Find Drift in Your Tenant
Here's how to assess your current state using PowerShell and the Entra admin center.
List All Global Admins
```powershell
# Connect to Microsoft Graph (a read-only scope is enough for this query)
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Get the Global Administrator directory role
$globalAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"

# List members. -All follows paging; members granted through a role-assignable
# group show up as the group object, so expand those groups separately.
Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id -All |
    Select-Object Id, @{N='DisplayName';E={$_.AdditionalProperties.displayName}},
                      @{N='UserPrincipalName';E={$_.AdditionalProperties.userPrincipalName}}
```
For each person on this list, ask: Do they need this access today?
Check for Standing vs. Eligible Assignments
If you're using PIM, compare standing (active) assignments to eligible assignments:
```powershell
# Get all active privileged role assignments (uses the Graph session from above;
# the cmdlet lives in the Microsoft.Graph.Identity.Governance module).
# AssignmentType is 'Assigned' for standing access and 'Activated' for PIM just-in-time.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' } |
    Select-Object PrincipalId, RoleDefinitionId, AssignmentType
```
Standing assignments bypass PIM's just-in-time activation. Every standing assignment is a finding.
Review High-Risk Roles
Global Admin isn't the only dangerous role. Review these as well:
| Role | Risk Level | Why It Matters |
|---|---|---|
| Global Administrator | Critical | Full tenant control |
| Privileged Role Administrator | Critical | Can grant any role to anyone |
| Exchange Administrator | High | Access to all email, eDiscovery |
| SharePoint Administrator | High | Access to all files and sites |
| User Administrator | High | Can reset passwords, disable MFA |
| Application Administrator | High | Can create/modify enterprise apps |
Look for Red Flags
When reviewing assignments, watch for:
- Accounts not in your naming convention: Service accounts that slipped through
- External users with admin roles: Consultants who should have been offboarded
- Break-glass accounts used regularly: Emergency accounts should be emergency-only
- Admin roles on shared mailboxes: A common misconfiguration
Building a Sustainable Process
Finding drift once isn't enough. You need a process that prevents it from recurring.
Enable PIM for All Privileged Roles
Privileged Identity Management is the single most effective control against role drift:
- Just-in-time access: Admins activate roles when needed, for a limited time
- Approval workflows: High-risk activations require manager approval
- Access reviews: Scheduled reviews force regular cleanup
- Audit trail: Every activation is logged with justification
If you have Entra ID P2 licenses, there's no reason not to use PIM.
Establish a Maximum Admin Count
Set explicit limits: "We will have no more than 3 standing Global Admins, and they will be emergency access accounts only."
When someone requests a new standing assignment, the answer is: "You can have eligible access through PIM. Standing access requires removing someone else."
Automate Detection
Manual reviews don't scale. Whether you build your own monitoring or use a tool, you need automated detection of:
- New privileged role assignments
- Assignments that exceed time thresholds
- Assignments that weren't approved through your process
The goal is awareness. You can't fix drift you don't know about.
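One way to build the detection described above, as an added example that is not from the original post or from TrueConfig: a PowerShell function that diffs the current active assignments against a saved baseline and reports new assignments, standing assignments older than a threshold, and assignments with no approval record. The object shape, field names, sample accounts and dates are assumptions constructed so the block runs offline.

```powershell
# Added example (not the original post's code): baseline diff for privileged role drift.
# Assumed input shape, constructed here: PrincipalUpn, RoleName,
# AssignmentType ('Assigned' = standing, 'Activated' = PIM just-in-time),
# StartDateTime, ApprovalTicket. In production, build $current from
# Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All (resolving
# PrincipalId / RoleDefinitionId to names) and load $baseline from the last run.
function Find-RoleDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Current,
        [Parameter(Mandatory)] [object[]] $Baseline,
        [string[]] $AllowedStanding = @(),   # break-glass accounts allowed to stay standing
        [int] $MaxStandingDays = 90,
        [datetime] $Now = (Get-Date)
    )
    # Index the baseline by principal + role so a known pairing is not reported as new
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.PrincipalUpn)|$($b.RoleName)"] = $true }

    foreach ($a in $Current) {
        $key = "$($a.PrincipalUpn)|$($a.RoleName)"
        if (-not $known.ContainsKey($key)) {
            [pscustomobject]@{ Finding = 'NewAssignment'; Principal = $a.PrincipalUpn; Role = $a.RoleName; Detail = '' }
        }
        if ($a.AssignmentType -eq 'Assigned' -and $a.PrincipalUpn -notin $AllowedStanding) {
            $ageDays = ($Now - [datetime]$a.StartDateTime).Days
            if ($ageDays -gt $MaxStandingDays) {
                [pscustomobject]@{ Finding = 'StandingTooLong'; Principal = $a.PrincipalUpn; Role = $a.RoleName; Detail = "$ageDays days" }
            }
        }
        if ([string]::IsNullOrWhiteSpace($a.ApprovalTicket)) {
            [pscustomobject]@{ Finding = 'NoApprovalRecord'; Principal = $a.PrincipalUpn; Role = $a.RoleName; Detail = '' }
        }
    }
}

# Constructed sample data so the function runs offline
$baseline = @(
    [pscustomobject]@{ PrincipalUpn = 'breakglass1@contoso.example'; RoleName = 'Global Administrator'; AssignmentType = 'Assigned'; StartDateTime = '2024-01-10'; ApprovalTicket = 'CHG-0001' }
)
$current = $baseline + @(
    [pscustomobject]@{ PrincipalUpn = 'jdoe@contoso.example';   RoleName = 'Global Administrator';   AssignmentType = 'Assigned';  StartDateTime = '2024-03-02'; ApprovalTicket = '' },
    [pscustomobject]@{ PrincipalUpn = 'asmith@contoso.example'; RoleName = 'Exchange Administrator'; AssignmentType = 'Activated'; StartDateTime = '2024-09-01'; ApprovalTicket = 'PIM-4411' }
)
Find-RoleDrift -Current $current -Baseline $baseline -AllowedStanding 'breakglass1@contoso.example' -Now ([datetime]'2024-09-02') |
    Format-Table -AutoSize
# Once findings are triaged, save today's export as the next baseline:
# $current | ConvertTo-Json | Set-Content .\role-baseline.json
```

With the sample data, the break-glass account produces no findings, jdoe is reported three times (new, standing for 184 days, no approval record) and asmith once (new, but PIM-activated and approved).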
Review Quarterly, Minimum
At least every 90 days:
- Export all privileged role assignments
- For each assignment, verify: Is this person still employed? Do they still need this role?
- Remove anything that fails either check
- Document exceptions with business justification
The Uncomfortable Truth
Most organizations have more privileged access drift than they realize. The question isn't whether you have it—it's how bad it is and whether you're going to address it before an incident forces you to.
The good news: drift is fixable. Start with an audit. Remove what shouldn't be there. Implement PIM. Build a review process.
The bad news: drift is constant. Without continuous monitoring, you'll be right back where you started in six months.
The question isn't whether you have privileged role drift. It's whether you're going to find it before an attacker or auditor does.
TrueConfig tracks privileged role assignments as part of your security baseline. When a new Global Admin appears, when PIM gets bypassed, or when an assignment exceeds your threshold, you will know within hours, not months.