PA-01-L2: Eliminate Permanent Global Administrators

Frequently asked questions about implementing and managing the PA-01-L2 security control in Microsoft 365 and Entra ID.

Q
What is PA-01-L2 (Eliminate Permanent Global Administrators)?
A

PA-01-L2 is a security control that addresses the risk posed by permanent Global Admin accounts, which are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control. It requires zero permanent human Global Administrator assignments: all Global Admin access is through PIM eligible assignments, and only emergency access accounts retain permanent Global Admin.

Related controls: PA-01-L2
Q
Why is Eliminate Permanent Global Administrators important for Microsoft 365 security?
A

Permanent Global Admin accounts are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.

Related controls: PA-01-L2
Q
How do I implement PA-01-L2 in my tenant?
A

The remediation converts permanent assignments to PIM eligible assignments, with a preview and approval step.

Related controls: PA-01-L2
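
An added example, not part of the original page or of any product's remediation: a check of the PA-01-L2 requirement (no permanent human Global Administrators except emergency access accounts) over records shaped like Microsoft Graph roleAssignmentScheduleInstances results with $expand=principal. The sample records, the break-glass ID set, and the "review" verdict for direct time-bound assignments are assumptions made for illustration.

```python
# Added example: PA-01-L2 check over active Global Administrator assignments.
# Records mimic Microsoft Graph roleAssignmentScheduleInstances with
# $expand=principal; all sample values below are constructed.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID

def classify(inst, break_glass_ids):
    """Return 'ok', 'exempt', 'review' or 'violation' for one active assignment."""
    if inst["roleDefinitionId"] != GLOBAL_ADMIN:
        return "ok"          # other roles are outside this control
    if inst["assignmentType"] == "Activated":
        return "ok"          # just-in-time activation of a PIM eligible assignment
    if inst["principal"]["@odata.type"] != "#microsoft.graph.user":
        return "ok"          # assumption: only user objects count as "human"
    if inst["principalId"] in break_glass_ids:
        return "exempt"      # emergency access accounts may stay permanent
    if inst.get("endDateTime"):
        return "review"      # direct but time-bound: not permanent, not eligible
    return "violation"       # permanent human Global Administrator

def audit(instances, break_glass_ids):
    """Group user principal names by verdict, skipping compliant records."""
    findings = {"violation": [], "review": [], "exempt": []}
    for inst in instances:
        verdict = classify(inst, break_glass_ids)
        if verdict != "ok":
            findings[verdict].append(inst["principal"]["userPrincipalName"])
    return findings

def _rec(pid, upn, kind, atype, end=None, role=GLOBAL_ADMIN):
    """Build one constructed record with only the fields the check reads."""
    return {"principalId": pid, "roleDefinitionId": role, "assignmentType": atype,
            "endDateTime": end,
            "principal": {"@odata.type": "#microsoft.graph." + kind,
                          "userPrincipalName": upn}}

BREAK_GLASS = {"id-bg1"}  # constructed object ID of an emergency access account
SAMPLE = [
    _rec("id-alice", "alice@contoso.example", "user", "Assigned"),
    _rec("id-bg1", "breakglass1@contoso.example", "user", "Assigned"),
    _rec("id-bob", "bob@contoso.example", "user", "Activated", "2025-01-01T09:00:00Z"),
    _rec("id-carol", "carol@contoso.example", "user", "Assigned", "2025-02-01T00:00:00Z"),
    _rec("id-app", None, "servicePrincipal", "Assigned"),
    _rec("id-dave", "dave@contoso.example", "user", "Assigned", role="constructed-other-role"),
]

if __name__ == "__main__":
    print(audit(SAMPLE, BREAK_GLASS))
```

The control is met when the "violation" list is empty and every entry under "exempt" is a documented emergency access account.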
Q
What license do I need for PA-01-L2?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: PA-01-L2
Q
Which security baseline includes PA-01-L2?
A

PA-01-L2 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: PA-01-L2
Q
Why is PA-01-L2 marked as critical severity?
A

PA-01-L2 is rated critical because failure to implement this control significantly increases the risk of security incidents. Permanent Global Admin accounts are always-on attack targets. With PIM, admins activate access only when needed, reducing the attack window from 24/7 to minutes per day. This is a fundamental Zero Trust control.

Related controls: PA-01-L2
