Solution Atlas
Everyday · User story · Consultative playbook

Auditors have flagged standing admin access across our estate

An auditor's report has identified dozens of standing admin role assignments — DevOps engineers with Global Admin, finance contractors with elevated privileges in M365. The CISO wants standing privilege eliminated and a defensible just-in-time activation pattern in place by year-end.

Trigger
Audit finding; cyber-insurance renewal looming.
Good outcome
PIM rolled out for privileged users, standing roles eliminated, quarterly access review cadence live.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Audit finding citing standing admin access
  • Cyber-insurance renewal flagging privileged access controls
  • DevOps engineers with Global Admin assignment
  • Finance and HR contractors with elevated privileges
  • PIM discussed but never operationalised

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. What's your total Global Admin count today?

    Why: Surfaces the headline metric. Auditors and insurers both ask first.

    Listen for: “more than 5” · “we have to check” · “dozens”

  2. What does the cyber-insurance renewal want to see this year?

    Why: Forcing function. Surfaces specific controls (PIM, MFA coverage, audit logging) that drive urgency.

  3. How do you onboard and offboard privileged users today?

    Why: Manual workflows usually mean dormant standing privileges accumulate.

  4. What's the audit cycle — quarterly, annual, continuous?

    Why: Drives access-review cadence design.

  5. Are PIM-enabled roles in use anywhere today?

    Why: Tests the starting point. Often a pilot exists but never reached production.

  6. When a privileged user leaves, how do you know all their access has been revoked?

    Why: Surfaces the offboarding control gap.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Standing admin role assignments accumulated over years. Manual onboarding/offboarding. Conditional Access enforces MFA but not just-in-time activation. Access reviews annual or absent. Identity Protection signals not routed to the SOC.

Typical concerns

  • Dozens of Global Admins; some dormant
  • Privileged contractors still active after assignments end
  • No just-in-time activation for elevated tasks
  • Audit reviews reactive
  • Identity Protection signals invisible to the SOC

Capability gaps

  • PIM for privileged roles
  • Quarterly access review cadence
  • Identity Protection signals into Sentinel
  • Joiner-Mover-Leaver process tied to identity
  • Conditional Access risk-aware policies

Target architecture

Entra ID P2 scoped to privileged users. PIM enforces just-in-time activation with approval workflows; standing assignments retired. Quarterly access reviews with executive sign-off. Identity Protection signals routed into Sentinel. Conditional Access risk-aware policies applied to privileged sign-ins.

Key capabilities

  • Just-in-time activation via PIM
  • No standing admin role assignments
  • Quarterly access reviews with sign-off
  • Identity Protection signals in the SOC queue
  • Risk-aware Conditional Access

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1. P2 scope — privileged users only vs tenant-wide

    Privileged users only

    When it fits: Cost-sensitive; auditor scope limited to elevated roles.

    Trade-offs: Mixed P1/P2 estate requires careful licence management. Every user who holds an eligible assignment, activates or approves a role, or performs an access review needs a P2 seat, so the privileged population has to be tracked as it changes.

    Tenant-wide

    When it fits: Identity Protection signal across all users is a CISO priority.

    Trade-offs: Higher per-seat cost; many users do not need P2 features.

    Default recommendation: Privileged users only. Mixed P1/P2 is supported and common.

  2. Decision 2. PIM enforcement — hard (no standing) vs soft (audit only initially)

    Hard — eliminate standing roles

    When it fits: Auditor requires immediate posture change.

    Trade-offs: Operational friction during transition; needs strong change management.

    Soft — audit + activation in parallel

    When it fits: Phased rollout. Eligible assignments are added alongside the existing standing ones, so teams practise activation before standing access is removed.

    Trade-offs: Standing privilege persists until phase 2.

    Default recommendation: Soft for the first 60 days; hard from day 61.

  3. Decision 3. Access review cadence — quarterly vs monthly

    Quarterly

    When it fits: Sustainable cadence; auditor satisfied.

    Trade-offs: Stale assignments may persist 90 days.

    Monthly

    When it fits: High-turnover environment; regulator demands.

    Trade-offs: Review fatigue; risk of rubber-stamp.

    Default recommendation: Quarterly with monthly review for the most-privileged tier.
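Decision 2 (and the Global Admin count from question 1 of the discovery) can be worked through in code. The following is an added example, not code from this page or from Microsoft. It runs offline on constructed samples shaped like the Microsoft Graph role-management responses, counts standing assignments per role, and emits the Graph request bodies for the soft phase (add time-bound eligibility beside each standing assignment) and the hard phase (remove the standing assignment, but only where eligibility is already in place). The principal IDs, dates and justification text are invented; the role template IDs are the built-in ones, and the endpoint paths and request fields are Graph's. Fetching the instances and posting the requests are left to the caller.

```python
"""Inventory of standing privileged-role assignments and a two-phase plan to retire them.

Added example for this playbook; not code from the page or from Microsoft. It runs
offline on constructed samples shaped like the Microsoft Graph responses from
    GET /roleManagement/directory/roleAssignmentScheduleInstances
    GET /roleManagement/directory/roleEligibilityScheduleInstances
and emits the request bodies you would POST to
    /roleManagement/directory/roleEligibilityScheduleRequests  (action adminAssign)
    /roleManagement/directory/roleAssignmentScheduleRequests   (action adminRemove)
Fetching and posting are left to the caller; nothing here touches the network.
"""

# Built-in role template IDs; these are the same in every tenant.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"

# Constructed sample (principal IDs are invented). assignmentType "Assigned" is a
# standing assignment; "Activated" is a PIM just-in-time activation, i.e. the goal state.
ACTIVE = [
    {"principalId": "u-devops-1", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/", "assignmentType": "Assigned"},
    {"principalId": "u-devops-2", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/", "assignmentType": "Assigned"},
    {"principalId": "u-breakglass-1", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/", "assignmentType": "Assigned"},
    {"principalId": "u-breakglass-2", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/", "assignmentType": "Assigned"},
    {"principalId": "u-fin-contractor", "roleDefinitionId": PRIV_ROLE_ADMIN, "directoryScopeId": "/", "assignmentType": "Assigned"},
    {"principalId": "u-secops-1", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/", "assignmentType": "Activated"},
]
ELIGIBLE = [{"principalId": "u-secops-1", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/"}]
BREAK_GLASS = {"u-breakglass-1", "u-breakglass-2"}  # emergency-access accounts keep standing GA by design


def key(a):
    """What identifies an assignment: who holds which role at which scope."""
    return (a["principalId"], a["roleDefinitionId"], a["directoryScopeId"])


def standing(active, break_glass=frozenset()):
    """Standing assignments the programme must retire; break-glass accounts are excluded."""
    return [a for a in active if a["assignmentType"] == "Assigned" and a["principalId"] not in break_glass]


def standing_count_by_role(active):
    """The headline metric auditors ask for first, e.g. the Global Admin count (break-glass included)."""
    counts = {}
    for a in active:
        if a["assignmentType"] == "Assigned":
            counts[a["roleDefinitionId"]] = counts.get(a["roleDefinitionId"], 0) + 1
    return counts


def eligibility_request(a, justification, start, end):
    """roleEligibilityScheduleRequests body: eligible rather than active, and time-bound so
    the quarterly review renews an entitlement instead of rubber-stamping a permanent one."""
    return {"action": "adminAssign", "justification": justification,
            "roleDefinitionId": a["roleDefinitionId"], "directoryScopeId": a["directoryScopeId"],
            "principalId": a["principalId"],
            "scheduleInfo": {"startDateTime": start,
                             "expiration": {"type": "afterDateTime", "endDateTime": end}}}


def removal_request(a, justification):
    """roleAssignmentScheduleRequests body that removes the standing (active) assignment."""
    return {"action": "adminRemove", "justification": justification,
            "roleDefinitionId": a["roleDefinitionId"], "directoryScopeId": a["directoryScopeId"],
            "principalId": a["principalId"]}


def plan(phase, active, eligible, break_glass, start, end, justification):
    """Decision 2 as code. 'soft': add eligibility beside each standing assignment that lacks
    it and leave standing access in place. 'hard': remove standing assignments, but only where
    eligibility already exists, so the cut-over cannot lock anyone out of a role.
    Returns (requests to submit, standing assignments held back for missing eligibility)."""
    has_eligibility = {key(e) for e in eligible}
    requests, held_back = [], []
    for a in standing(active, break_glass):
        if phase == "soft":
            if key(a) not in has_eligibility:
                requests.append(eligibility_request(a, justification, start, end))
        elif phase == "hard":
            if key(a) in has_eligibility:
                requests.append(removal_request(a, justification))
            else:
                held_back.append(a)
        else:
            raise ValueError(f"unknown phase {phase!r}")
    return requests, held_back


def apply_eligibility(eligible, requests):
    """Simulate the soft phase having been applied (what Graph would later return as instances)."""
    return eligible + [{k: r[k] for k in ("principalId", "roleDefinitionId", "directoryScopeId")} for r in requests]


def reduction_pct(before, after):
    """Proof metric: standing privileged assignments reduced by 80%+."""
    return 100.0 if before == 0 else round(100 * (before - after) / before, 1)


if __name__ == "__main__":
    start, end = "2024-06-01T00:00:00Z", "2025-06-01T00:00:00Z"   # invented dates
    why = "Audit finding: retire standing admin access"
    before = len(standing(ACTIVE, BREAK_GLASS))
    soft, _ = plan("soft", ACTIVE, ELIGIBLE, BREAK_GLASS, start, end, why)
    hard, held = plan("hard", ACTIVE, apply_eligibility(ELIGIBLE, soft), BREAK_GLASS, start, end, why)
    print(f"standing (excl. break-glass): {before}; soft-phase eligibility requests: {len(soft)}")
    print(f"hard-phase removals: {len(hard)}; held back: {len(held)}; "
          f"reduction: {reduction_pct(before, before - len(hard))}%")
```

Run it as-is to see the counts, or feed it the JSON from the two roleManagement GETs. The held-back list is the safety check for day 61: a standing assignment with no eligibility behind it is either made eligible first or explicitly kept, never silently removed.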

Low-risk trial — proof of value

45-day PIM rollout + first access-review cycle

6 weeks

Entra ID P2 licensed for privileged users. PIM configured for Global Admin, Privileged Role Administrator, and the top five admin roles, with time-bound eligible assignments replacing standing ones. Two emergency-access (break-glass) accounts keep a standing Global Admin assignment; they are excluded from PIM and from Conditional Access, and any sign-in to them is alerted. Access reviews scheduled for those roles with executive sign-off. Identity Protection connector to Sentinel live.

Success criteria

  • Standing Global Admin assignments reduced to two break-glass accounts
  • PIM activation logs producing audit-defensible records
  • First quarterly access review completed with executive sign-off
  • Identity Protection alerts flowing into Sentinel

Investment: Entra ID P2 ~€8.30/user/month scoped to privileged users (~100 seats typical). Sentinel consumption for Identity Protection ingest.

Proof metrics

  • Standing privileged role assignments reduced by 80%+
  • PIM activation audit logs complete
  • Quarterly access reviews completed for all privileged roles
  • Identity Protection signals processed by SOC within SLA

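The success criteria and proof metrics above call for PIM activation records that are audit-defensible and for privileged-access signals to reach the SOC queue. As an added example, not code from this page, from Microsoft or from Sentinel, the following reviews a batch of directory audit records offline. The records are constructed to resemble entries from GET /auditLogs/directoryAudits in the RoleManagement category, and the activityDisplayName strings are the ones Entra uses for PIM, but the additionalDetails key names (Justification, TicketNumber, StartTime, ExpirationTime), the user principal names and the eight-hour maximum activation window are assumptions to confirm against an export from your own tenant and the role's PIM settings.

```python
"""Review PIM activation audit records and queue policy bypasses for the SOC.

Added example for this playbook; not code from the page, Microsoft or Sentinel.
RECORDS is a constructed batch shaped like GET /auditLogs/directoryAudits output.
Assumptions: the additionalDetails key names and the 8-hour activation cap.
"""
from datetime import datetime, timedelta

ACTIVATION_COMPLETED = "Add member to role completed (PIM activation)"
PERMANENT_OUTSIDE_PIM = "Add member to role outside of PIM (permanent)"
MAX_ACTIVATION = timedelta(hours=8)  # assumed role setting; read the real one from the role's PIM policy

RECORDS = [
    # Clean activation: justification, ticket, four-hour window.
    {"id": "a1", "category": "RoleManagement", "activityDisplayName": ACTIVATION_COMPLETED,
     "activityDateTime": "2024-05-06T08:02:11Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "dana@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "dana@contoso.example"},
                         {"type": "Role", "displayName": "Global Administrator"}],
     "additionalDetails": [{"key": "Justification", "value": "INC-4412 tenant restore"},
                           {"key": "TicketNumber", "value": "INC-4412"},
                           {"key": "StartTime", "value": "2024-05-06T08:02:00Z"},
                           {"key": "ExpirationTime", "value": "2024-05-06T12:02:00Z"}]},
    # Blank justification, no ticket, ten-hour overnight window: audit gap.
    {"id": "a2", "category": "RoleManagement", "activityDisplayName": ACTIVATION_COMPLETED,
     "activityDateTime": "2024-05-06T22:00:40Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "lee@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Global Administrator"}],
     "additionalDetails": [{"key": "Justification", "value": "   "},
                           {"key": "StartTime", "value": "2024-05-06T22:00:00Z"},
                           {"key": "ExpirationTime", "value": "2024-05-07T08:00:00Z"}]},
    # Standing assignment created outside PIM: the control the rollout exists to close.
    {"id": "a3", "category": "RoleManagement", "activityDisplayName": PERMANENT_OUTSIDE_PIM,
     "activityDateTime": "2024-05-07T09:15:03Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "lee@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Privileged Role Administrator"}],
     "additionalDetails": []},
    # Failed activation: not an access event, but it belongs in the record.
    {"id": "a4", "category": "RoleManagement", "activityDisplayName": ACTIVATION_COMPLETED,
     "activityDateTime": "2024-05-07T10:01:00Z", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "sam@contoso.example"}},
     "targetResources": [{"type": "Role", "displayName": "Security Administrator"}],
     "additionalDetails": [{"key": "Justification", "value": "CHG-88 policy change"},
                           {"key": "TicketNumber", "value": "CHG-88"},
                           {"key": "StartTime", "value": "2024-05-07T10:00:00Z"},
                           {"key": "ExpirationTime", "value": "2024-05-07T12:00:00Z"}]},
    # Unrelated category: filtered out.
    {"id": "a5", "category": "UserManagement", "activityDisplayName": "Update user", "result": "success"},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detail(rec, key):
    """Value of one additionalDetails entry, or None when absent or blank."""
    for d in rec.get("additionalDetails", []):
        if d.get("key") == key and d.get("value", "").strip():
            return d["value"]
    return None


def role_of(rec):
    return next((t.get("displayName", "?") for t in rec.get("targetResources", []) if t.get("type") == "Role"), "?")


def actor_of(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")


def review(rec, max_activation=MAX_ACTIVATION):
    """One audit-defensible row per record plus the findings an auditor or the SOC would raise."""
    findings, severity = [], "info"
    name = rec.get("activityDisplayName", "")
    if name == PERMANENT_OUTSIDE_PIM:
        findings.append("standing assignment created outside PIM (policy bypass)")
        severity = "high"
    elif name == ACTIVATION_COMPLETED:
        if rec.get("result") != "success":
            findings.append(f"activation result {rec.get('result')}")
        if detail(rec, "Justification") is None:
            findings.append("no justification recorded")
        if detail(rec, "TicketNumber") is None:
            findings.append("no ticket reference")
        start, end = detail(rec, "StartTime"), detail(rec, "ExpirationTime")
        if start and end:
            window = _ts(end) - _ts(start)
            if window > max_activation:
                findings.append(f"activation window {window} exceeds {max_activation}")
        else:
            findings.append("activation window not recorded")
        if findings:
            severity = "medium"
    return {"id": rec.get("id"), "time": rec.get("activityDateTime"), "actor": actor_of(rec),
            "role": role_of(rec), "activity": name, "severity": severity, "findings": findings}


def triage(records, max_activation=MAX_ACTIVATION):
    """Rows for the review pack, and the SOC queue with high-severity items first."""
    rows = [review(r, max_activation) for r in records if r.get("category") == "RoleManagement"]
    queue = sorted((r for r in rows if r["findings"]), key=lambda r: r["severity"] != "high")
    return rows, queue


def completeness_pct(rows):
    """Proof metric: share of completed activations whose audit record is clean."""
    done = [r for r in rows if r["activity"] == ACTIVATION_COMPLETED]
    return round(100 * sum(1 for r in done if not r["findings"]) / len(done), 1) if done else 0.0


if __name__ == "__main__":
    rows, queue = triage(RECORDS)
    for r in queue:
        print(r["severity"].upper(), r["id"], r["actor"], r["role"], "; ".join(r["findings"]))
    print(f"activation records clean: {completeness_pct(rows)}%")
```

The same checks map directly onto a Sentinel analytics rule over the AuditLogs table. The outside-of-PIM activity is the one that should page someone, because it is exactly the control the rollout was meant to close; the justification and window findings feed the quarterly review pack rather than the on-call queue.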
Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
