Privileged Access

Administrative role and privilege management

8 controls | 6 critical | 3 auto-remediable
PA-01 | Critical | Level 1

Limit Global Administrators to 2-4

Global Administrators have unrestricted access to your entire tenant. Too many increase your attack surface; too few risk lockout. Microsoft recommends 2-4 permanent Global Admins for most organizations.

PA-02 | High | Level 1

Use Dedicated Admin Accounts

When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.

PA-03 | Critical | Level 1 | Auto-fix

Configure Emergency Access Accounts

Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.

PA-01-L2 | Critical | Level 2 | Auto-fix

Eliminate Permanent Global Administrators

Permanent Global Admin accounts are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.

PA-04 | Critical | Level 2 | Auto-fix

Require PIM for All Privileged Roles

PIM enforces just-in-time access with audit trails. Instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. This reduces risk and creates accountability.

PA-05 | Critical | Level 2

Require Phishing-Resistant MFA for Admins

Traditional MFA (push notifications, SMS) can be bypassed through social engineering and MFA fatigue attacks. Phishing-resistant methods like FIDO2 keys cannot be phished because the key's signed response is bound to the legitimate site's origin and requires physical presence, so it cannot be replayed to a lookalike site.

PA-06 | Critical | Level 3

Require FIDO2 Security Keys for Administrators

Hardware security keys provide the highest authentication assurance. Unlike software-based MFA, keys cannot be phished, cloned, or remotely compromised. Level 3 mandates this protection for all admin access.

PA-07 | High | Level 3

Enable Continuous Access Evaluation

Standard OAuth access tokens are valid for 60-90 minutes. If an admin account is compromised and you disable it, the attacker's existing token still works for the rest of that window. CAE revokes access within seconds of critical events such as account disablement.

Ready to implement privileged access controls?

TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.