Least Privilege

access

Security principle that grants users only the minimum access rights necessary to perform their job functions.

What is Least Privilege?

Least privilege limits the blast radius of account compromise by ensuring users can only access what they need. Rather than granting broad admin rights "just in case," access is granted for specific tasks and revoked when no longer needed. This requires understanding role requirements, regular access reviews, and tooling to manage granular permissions.

In Microsoft 365

Azure AD provides granular administrative roles instead of using Global Administrator for everything. Custom roles can be created for specific scenarios. PIM adds time-limiting to the equation. Entitlement management automates access packages for project-based access.

Examples

  • 1Using User Administrator instead of Global Administrator
  • 2Custom role for specific Teams management tasks
  • 3Time-limited project access through entitlement management

Related TrueConfig Controls

These controls help implement and verify least privilege in your Microsoft 365 environment.

PA-01Limit Global Administrators to 2-4PA-02Use Dedicated Admin AccountsPA-04Require PIM for All Privileged Roles

Frequently Asked Questions

What is Least Privilege?
Security principle that grants users only the minimum access rights necessary to perform their job functions.
How does Least Privilege work in Microsoft 365?
Azure AD provides granular administrative roles instead of using Global Administrator for everything. Custom roles can be created for specific scenarios. PIM adds time-limiting to the equation. Entitlement management automates access packages for project-based access.
What are examples of Least Privilege?
Examples of Least Privilege include: Using User Administrator instead of Global Administrator, Custom role for specific Teams management tasks, Time-limited project access through entitlement management.
Which TrueConfig controls relate to Least Privilege?
TrueConfig controls related to Least Privilege include: PA-01, PA-02, PA-04. These controls help implement and verify least privilege in your environment.

Related Terms

Privileged Identity Management

(PIM)

Just-in-time privileged access service that enables time-limited, approval-based activation of administrative roles.

Role-Based Access Control

(RBAC)

Access control method that assigns permissions to roles rather than individual users.

← Back to GlossaryBrowse Controls →