Solution Atlas
EverydayUser storyConsultative playbook

Auditors have flagged that admin access is left switched on across our estate

An auditor's report has identified dozens of permanent admin role assignments — DevOps engineers with full global admin, finance contractors with elevated privileges in Microsoft 365. The CISO wants permanent admin rights replaced by request-and-approve, with a defensible just-in-time pattern in place by year-end.

Trigger
Audit finding; cyber-insurance renewal coming up.
Good outcome
No one walks around with permanent admin rights. When an engineer needs them, they request and get them for a fixed window, and there's a record of every activation. The audit finding closes.
Discovery — signals and questions

Signals validating this story

  • ·Audit finding citing standing admin access
  • ·Cyber-insurance renewal flagging privileged access controls
  • ·DevOps engineers with Global Admin assignment
  • ·Finance and HR contractors with elevated privileges
  • ·PIM discussed but never operationalised

Discovery questions

  1. 1.What's your total Global Admin count today?

    WhySurfaces the headline metric. Auditors and insurers both ask first.

    Listen for: “more than 5” · “we have to check” · “dozens”

  2. 2.What does the cyber-insurance renewal want to see this year?

    WhyForcing function. Surfaces specific controls (PIM, MFA coverage, audit logging) that drive urgency.

  3. 3.How do you onboard and offboard privileged users today?

    WhyManual workflows usually mean dormant standing privileges accumulate.

  4. 4.What's the audit cycle — quarterly, annual, continuous?

    WhyDrives access-review cadence design.

  5. 5.Are PIM-enabled roles in use anywhere today?

    WhyTests starting point. Often a pilot exists but never reached production.

  6. 6.When a privileged user leaves, how do you know all their access has been revoked?

    WhySurfaces the offboarding control gap.

Baseline architectureTarget architecture
Baseline architecture

Standing admin role assignments accumulated over years. Manual onboarding/offboarding. Conditional Access enforces MFA but not just-in-time activation. Access reviews annual or absent. Identity Protection signals not routed to the SOC.

Typical concerns

  • ·Dozens of Global Admins; some dormant
  • ·Privileged contractors still active after assignments end
  • ·No just-in-time activation for elevated tasks
  • ·Audit reviews reactive
  • ·Identity Protection signals invisible to the SOC

Capability gaps

  • ·PIM for privileged roles
  • ·Quarterly access review cadence
  • ·Identity Protection signals into Sentinel
  • ·Joiner-Mover-Leaver process tied to identity
  • ·Conditional Access risk-aware policies
Target architecture

Entra ID P2 scoped to privileged users. PIM enforces just-in-time activation with approval workflows; standing assignments retired. Quarterly access reviews with executive sign-off. Identity Protection signals routed into Sentinel. Conditional Access risk-aware policies applied to privileged sign-ins.

Key capabilities

  • Just-in-time activation via PIM
  • No standing admin role assignments
  • Quarterly access reviews with sign-off
  • Identity Protection signals in the SOC queue
  • Risk-aware Conditional Access
Architecture decisions
  1. 1.P2 scope — privileged users only vs tenant-wide

    Privileged users only

    Fits whenCost-sensitive; auditor scope limited to elevated roles.

    Trade-offsMixed P1/P2 estate requires careful licence management.

    Tenant-wide

    Fits whenIdentity Protection signal across all users is a CISO priority.

    Trade-offsHigher per-seat cost; many users do not need P2 features.

    Default recommendationPrivileged users only. Mixed P1/P2 is supported and common.

  2. 2.PIM enforcement — hard (no standing) vs soft (audit only initially)

    Hard — eliminate standing roles

    Fits whenAuditor requires immediate posture change.

    Trade-offsOperational friction during transition; needs strong change management.

    Soft — audit + activation in parallel

    Fits whenPhased rollout; allow teams to adapt.

    Trade-offsStanding privilege persists until phase 2.

    Default recommendationSoft for the first 60 days; hard from day 61.

  3. 3.Access review cadence — quarterly vs monthly

    Quarterly

    Fits whenSustainable cadence; auditor satisfied.

    Trade-offsStale assignments may persist 90 days.

    Monthly

    Fits whenHigh-turnover environment; regulator demands.

    Trade-offsReview fatigue; risk of rubber-stamp.

    Default recommendationQuarterly with monthly review for the most-privileged tier.

Low-risk trial — proof of value

45-day PIM rollout + first access-review cycle

~6 weeks

Entra ID P2 licensed for privileged users. PIM configured for Global Admin, Privileged Role Administrator, and the top five admin roles. Access reviews scheduled for those roles with executive sign-off. Identity Protection connector to Sentinel live.

Success criteria

  • Standing Global Admin assignments reduced to two break-glass accounts
  • PIM activation logs producing audit-defensible records
  • First quarterly access review completed with executive sign-off
  • Identity Protection alerts flowing into Sentinel

InvestmentEntra ID P2 ~€8.30/user/month scoped to privileged users (~100 seats typical). Sentinel consumption for Identity Protection ingest.

Proof metrics

  • ·Standing privileged role assignments reduced by 80%+
  • ·PIM activation audit logs complete
  • ·Quarterly access reviews completed for all privileged roles
  • ·Identity Protection signals processed by SOC within SLA

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Identity protection