GOV-07: Audit Privileged Role Assignments

Overview

Privilege creep is one of the most common identity security problems in Microsoft 365 tenants. Over time, users accumulate role assignments that were granted for a one-time task and never removed. Without a documented baseline of who should hold privileged roles, there is no reliable way to detect unauthorized or unexpected assignments.

GOV-07 establishes a governance practice with three components:

  1. Document all current holders of privileged roles across the tenant.
  2. Establish a baseline of expected, authorized role holders.
  3. Detect and review drift: any assignment that deviates from the baseline (new assignment, removed assignment, or role change) must be reviewed and either accepted or remediated.

TrueConfig creates a snapshot of privileged role assignments and uses it as the baseline for ongoing drift detection. When a new assignment appears that was not in the baseline, TrueConfig flags it for review.

This is a Level 1 (Foundation) control. It requires no premium Entra license and is advisory in nature. The primary work is documentation and review, not automated enforcement.

Note on dedicated admin accounts: this control is about auditing who holds which roles, not about how admin accounts are structured. If you are looking to require separate, dedicated accounts for administrative work, that is covered by PA-02 "Use Dedicated Admin Accounts".

Why it matters: Privilege creep happens gradually. Without a baseline of who should have admin rights, you cannot detect unauthorized role assignments. Regular auditing ensures only authorized users retain privileged access.

Prerequisites

Required Roles

  • Privileged Role Administrator or Global Administrator to read all role assignments and manage the baseline review process
  • Security Reader is sufficient for read-only auditing if a separate reviewer is assigned

Required Licenses

  • None: reading directory role assignments does not require Entra ID P1 or P2. Any Microsoft 365 or Entra ID tier supports this control.

Time Estimate

  Task                                                       Duration
  Export all privileged role assignments                     30 minutes
  Review and document expected holders (baseline creation)   1-2 hours
  Identify and remediate unexpected assignments              30-60 minutes
  Schedule recurring review cadence                          15 minutes
  Total (initial setup)                                      2-4 hours

Step-by-Step Instructions

Step 1: Export All Privileged Role Assignments

Start with a complete picture of every user and service principal that holds a privileged role.

Via Microsoft Entra admin center:

  1. Navigate to https://entra.microsoft.com.
  2. Go to Identity > Roles & admins > Roles & admins.
  3. For each high-privilege role listed below, click the role name and export the members list.

Key roles to audit (minimum scope):

  Role                             Risk Level
  Global Administrator             Critical
  Privileged Role Administrator    Critical
  Security Administrator           High
  Exchange Administrator           High
  SharePoint Administrator         High
  User Administrator               High
  Billing Administrator            Medium
  Intune Administrator             Medium
  Application Administrator        Medium
  Cloud Application Administrator  Medium

Via PowerShell (recommended for completeness):

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Roles to include in the audit
$rolesToAudit = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator",
    "Billing Administrator",
    "Application Administrator",
    "Cloud Application Administrator",
    "Intune Administrator"
)

$report = @()

foreach ($roleName in $rolesToAudit) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'" -ErrorAction SilentlyContinue
    if (-not $role) {
        # A role template that has never been activated has no assignments. Activating it
        # (New-MgDirectoryRole) is a write that needs RoleManagement.ReadWrite.Directory,
        # which an audit run should not hold, so note it and move on.
        Write-Host "Role '$roleName' is not activated in this tenant; nothing to report."
        continue
    }
    # -All follows paging so roles with many members are not truncated
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($member in $members) {
        try {
            # Graph SDK cmdlets raise non-terminating errors by default; -ErrorAction Stop
            # makes a non-user member (service principal, group) actually reach the catch block
            $user = Get-MgUser -UserId $member.Id -Property "DisplayName,UserPrincipalName,AccountEnabled,UserType" -ErrorAction Stop
            $report += [PSCustomObject]@{
                Role              = $roleName
                DisplayName       = $user.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                AccountEnabled    = $user.AccountEnabled
                UserType          = $user.UserType
                AssignmentDate    = "See Entra audit log"
            }
        } catch {
            # Service principals and groups: report the object type in place of a UPN
            $upn = $member.AdditionalProperties["userPrincipalName"]
            if (-not $upn) { $upn = "(non-user)" }
            $report += [PSCustomObject]@{
                Role              = $roleName
                DisplayName       = $member.AdditionalProperties["displayName"]
                UserPrincipalName = $upn
                AccountEnabled    = "N/A"
                UserType          = $member.OdataType
                AssignmentDate    = "See Entra audit log"
            }
        }
    }
}

$report | Export-Csv "privileged-role-baseline.csv" -NoTypeInformation
Write-Host "Exported $($report.Count) role assignments."

Step 2: Establish the Baseline

Review the exported list and mark each assignment as authorized or unexpected.

Create a baseline document (spreadsheet or your ITSM's CMDB) with the following columns for each assignment:

  Column                  Description
  Role                    Role name
  UserPrincipalName       Account holding the role
  DisplayName             Human-readable name
  Business Justification  Why this person holds this role
  Authorized By           Manager or security team approver
  Review Date             When this assignment was last confirmed
  Status                  Authorized / Under Review / Remove

For any assignment without a clear justification:

  1. Contact the account owner's manager.
  2. If no valid business need exists, proceed to Step 3 to remove the assignment.
  3. If a need exists, document it and mark as authorized.

TrueConfig: once the baseline CSV is imported into TrueConfig (or TrueConfig has scanned the tenant), it stores this snapshot as the reference point for drift detection. Future scans compare live assignments against this baseline and surface additions, removals, or changes for review.

Step 3: Remove Unauthorized Assignments

For each assignment flagged as unauthorized or expired:

Via Entra admin center:

  1. Navigate to Identity > Roles & admins > Roles & admins.
  2. Select the role.
  3. Find the user.
  4. Click Remove assignment and confirm.

Via PowerShell:

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Remove a specific role assignment
$role = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'"
$user = Get-MgUser -UserId "user@yourtenant.com"

# Find the assignment
$member = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object { $_.Id -eq $user.Id }

if ($member) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    Write-Host "Removed Exchange Administrator from $($user.UserPrincipalName)"
}

Important: notify the user and their manager before removing a role. Confirm no critical operational dependency will break.

Step 4: Enable Audit Log Alerts for New Role Assignments

To detect drift automatically going forward, configure an alert that fires whenever a new privileged role assignment is made.

  1. Navigate to https://security.microsoft.com.
  2. Go to Email & collaboration (or Cloud apps if using Defender for Cloud Apps) > Alert policy.
  3. Create a new alert:
    • Name: Privileged Role Assignment Alert
    • Activity: Added member to role (Entra ID audit activity)
    • Threshold: every occurrence
    • Recipients: security team inbox or SOC queue
  4. Enable the alert.

Alternatively, in Microsoft Sentinel (if deployed for GOV-04), create an analytics rule on the query

  AuditLogs | where OperationName == "Add member to role"

and scope it to the privileged roles list, so that assignments to roles outside the audit scope do not generate alerts.

Step 5: Establish a Recurring Review Cadence

Drift detection is only as useful as the review frequency. Define and schedule these reviews:

  Frequency    Review Scope
  Weekly       Any new alerts from Step 4 (real-time drift)
  Monthly      Full export and diff against baseline for high-privilege roles (Global Admin, Privileged Role Admin)
  Quarterly    Full export and diff against baseline for all roles in scope
  Immediately  Any admin departure or role transfer in HR records

Assign a named owner (for example, the Security Administrator) to complete each review and update the baseline document.

Verification Checklist

  • All privileged role assignments exported and documented in the baseline
  • Every assignment in the baseline has a named business justification and approver
  • Unauthorized or expired assignments removed
  • Alert configured for new role assignments (Step 4)
  • Recurring review cadence defined and scheduled
  • TrueConfig baseline snapshot up to date (reflects current authorized state)
  • At least one full review cycle completed since baseline creation

Troubleshooting

Issue: Role Members Include Service Principals or Groups

Cause: Applications and groups can hold directory roles. The PowerShell in Step 1 handles this with the catch block, but the output shows OdataType instead of a UPN.

Solution:

  1. For service principals: identify the application by its display name from AdditionalProperties["displayName"]. Confirm the application legitimately needs the role.
  2. For groups assigned to roles: enumerate the group's membership separately to understand who effectively holds the role. Group-based role assignments require Entra ID P2 for privileged roles.

Issue: Role Assignment Cannot Be Removed

Cause: The assignment may be protected (for example, the last Global Administrator in the tenant), or it may be a PIM eligible assignment rather than an active assignment.

Solution:

  1. For the last Global Administrator: ensure at least one other authorized Global Administrator exists before removing.
  2. For PIM eligible assignments: navigate to Identity Governance > Privileged Identity Management > Microsoft Entra roles to manage eligible assignments separately from active assignments. Both must be included in the audit scope.
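The two issues above (group-based and PIM eligible assignments) can be pulled into the same CSV shape as the Step 1 export. The following script is an added example, not part of the GOV-07 text or TrueConfig; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Groups modules, the cmdlet names shown, a placeholder output file name, and a tenant with PIM (Entra ID P2), since eligible assignments only exist there.

```powershell
# Added example (not part of the control text): export PIM eligible assignments for the
# roles in scope and expand group principals into the people who are effectively eligible.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleManagement.Read.Directory", "Directory.Read.All"

$rolesToAudit = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")

# Resolve role definition ids to display names once, not once per assignment
$roleNames = @{}
foreach ($def in Get-MgRoleManagementDirectoryRoleDefinition -All) { $roleNames[$def.Id] = $def.DisplayName }

function New-EligibleRow($roleName, $type, $obj, $inst) {
    # Same Role / DisplayName / UserPrincipalName columns as the Step 1 export, plus PIM details
    [PSCustomObject]@{
        Role              = $roleName
        AssignmentType    = $type
        DisplayName       = $obj.AdditionalProperties["displayName"]
        UserPrincipalName = $obj.AdditionalProperties["userPrincipalName"]
        Scope             = $inst.DirectoryScopeId   # "/" is tenant-wide; anything else is a narrower scope
        ExpiresOn         = $inst.EndDateTime        # empty for permanent eligibility
    }
}

$report = @()
foreach ($inst in Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All) {
    $roleName = $roleNames[$inst.RoleDefinitionId]
    if ($rolesToAudit -notcontains $roleName) { continue }

    $principal = Get-MgDirectoryObject -DirectoryObjectId $inst.PrincipalId
    if ($principal.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.group") {
        # A group eligible for a role makes every transitive member eligible: record each one,
        # so the baseline lists people, not a group name that hides who can activate the role
        $via = "Eligible via group '$($principal.AdditionalProperties['displayName'])'"
        foreach ($m in Get-MgGroupTransitiveMember -GroupId $inst.PrincipalId -All) {
            $report += New-EligibleRow $roleName $via $m $inst
        }
    } else {
        $report += New-EligibleRow $roleName "Eligible" $principal $inst
    }
}

# Placeholder file name; append these rows to the Step 2 baseline alongside active assignments
$report | Export-Csv "privileged-role-eligible.csv" -NoTypeInformation
Write-Host "Exported $($report.Count) eligible assignments."
```

The same group-expansion pattern applies to active assignments whose member in the Step 1 export is a group rather than a user.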

Issue: Audit Log Does Not Show When an Assignment Was Made

Cause: Entra ID audit logs are retained for 30 days by default (7 days for free tier). Older assignments may predate the log window.

Solution:

  1. For historical assignments, rely on the business justification process in Step 2 rather than log evidence.
  2. Going forward, integrate audit logs into Log Analytics or a SIEM for longer retention. This also supports the alert rule in Step 4.

Issue: Baseline Drifted Too Far from Reality

Cause: Baseline was not updated after intentional role changes made during incidents, projects, or onboarding.

Solution:

  1. Run a fresh export (Step 1).
  2. Compare against the baseline using Compare-Object in PowerShell or a diff tool.
  3. For each difference, determine whether it was authorized (update the baseline) or unauthorized (remove the assignment).
  4. Re-import the updated baseline into TrueConfig to reset the drift detection reference point.
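The diff in step 2 above, and the monthly and quarterly diffs in Step 5, can be scripted so the review starts from a list of changes rather than two full exports. This is an added example, not part of the GOV-07 text or TrueConfig; it assumes both CSVs carry the Role and UserPrincipalName columns written by the Step 1 script, that the baseline also carries the Status column from the Step 2 table, and placeholder file names.

```powershell
# Added example (not part of the control text): diff a fresh Step 1 export against the
# Step 2 baseline and write a drift report for review. File names are placeholders.
param(
    [string]$BaselinePath = "privileged-role-baseline.csv",
    [string]$CurrentPath  = "privileged-role-current.csv",
    [string]$DriftPath    = "privileged-role-drift.csv"
)

function Get-AssignmentKey($row) {
    # An assignment is identified by role + principal; display names can be renamed
    return "$($row.Role)|$($row.UserPrincipalName)".ToLowerInvariant()
}

$baseline = @(Import-Csv $BaselinePath)
$current  = @(Import-Csv $CurrentPath)

$baselineKeys = @($baseline | ForEach-Object { Get-AssignmentKey $_ })
$currentKeys  = @($current  | ForEach-Object { Get-AssignmentKey $_ })

$drift = @()

# '=>' = only in the current export (new assignment: needs justification and approver)
# '<=' = only in the baseline (assignment gone: confirm the removal was authorized)
foreach ($diff in Compare-Object -ReferenceObject $baselineKeys -DifferenceObject $currentKeys) {
    $role, $upn = $diff.InputObject -split '\|', 2
    if ($diff.SideIndicator -eq '=>') {
        $change = 'Added';   $action = 'Justify and authorize, or remove (Step 3)'
    } else {
        $change = 'Removed'; $action = 'Confirm removal was authorized; update baseline'
    }
    $drift += [PSCustomObject]@{ Change = $change; Role = $role; UserPrincipalName = $upn; Action = $action }
}

# Baseline rows already marked Remove that are still assigned are overdue remediation
foreach ($row in ($baseline | Where-Object { $_.Status -eq 'Remove' })) {
    if ($currentKeys -contains (Get-AssignmentKey $row)) {
        $drift += [PSCustomObject]@{
            Change = 'Overdue'; Role = $row.Role; UserPrincipalName = $row.UserPrincipalName
            Action = 'Marked Remove in baseline but still assigned: remove (Step 3)'
        }
    }
}

$drift | Sort-Object Change, Role | Export-Csv $DriftPath -NoTypeInformation
Write-Host "$($drift.Count) drift item(s) written to $DriftPath"
# Non-zero exit code lets a scheduled task or pipeline fail loudly whenever drift exists
exit ([int]($drift.Count -gt 0))
```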

Best Practices

  1. Treat the baseline as a living document: update it every time an authorized role change is made, not only at quarterly review time.

  2. Prefer narrow roles over Global Administrator: document the minimum role that covers the actual business need. For example, Exchange Administrator instead of Global Administrator for mailbox management tasks.

  3. Combine with PIM for higher-privilege roles: while PIM (PA-04 "Require PIM for All Privileged Roles") requires Entra ID P2, it provides just-in-time activation that greatly reduces the standing-access footprint that GOV-07 needs to audit.

  4. Include eligible PIM assignments in scope: an eligible PIM assignment is not immediately active, but it represents a potential privilege and must be included in the baseline and drift detection.

  5. Tie role reviews to HR offboarding: the most reliable trigger for removing a role assignment is a confirmed departure or transfer. Integrate the role audit step into your offboarding checklist.

Related Controls

  • PA-02: Use Dedicated Admin Accounts (separate account strategy for privileged work)
  • PA-04: Require PIM for All Privileged Roles (just-in-time activation to reduce standing access)
  • GOV-04: Automate Threat Response with SOAR (elevated privilege abuse is a common high-risk detection trigger)

Revision History

  Date        Version  Author      Changes
  2025-01-07  1.0      TrueConfig  Initial release