Bsure Documentation
back to bsure.io
  • Welcome
  • Installation
    • Overview
    • Prerequisites
    • Installation Instructions
  • Technical Description
    • Design Principles
    • Azure Managed Application
    • Permissions Required
    • Security​
      • Public IP and Storage Account Key considerations
    • Technical Architecture
    • Dataflow and visibility
  • User guides
    • Overview
    • Main Dashboard
    • Users
      • Dashboard
      • Members
      • Guests
      • Data Quality
      • Properties
      • Sign-in Map
      • Sign-in Locations
      • Drilldown
    • Microsoft Licenses
      • Cost Dashboard
      • Licenses Overview
      • Subscription Overview
      • Inactive and Disabled Users
      • Overlapping licenses
      • Cost Allocation
      • Drilldown
      • Price Settings
      • Add Your Own Prices
        • Average SKU Price Calculator
    • Applications
      • Usage
      • Cost
      • Sign-in Locations
        • Successful sign-ins from blocked countries?
    • Groups
    • Security
      • Dashboard
      • Authentiation Methods
      • Entra ID Roles
      • Service Principals
    • Devices
      • Windows Dashboard
      • Windows Inactive Devices
      • Windows OS
      • Windows Management
      • Devices per Person
      • Drilldown
    • Share the Power BI App
      • Share App only
      • Give Access to the Power BI Workspace
      • Share the Storage Account Access Key
      • Share with External Users
    • Update Power BI App
    • Glossary
  • Pricing & Billing
    • Pricing
    • Billing
  • Support
    • Support
    • Frequently Asked Questions
    • Troubleshooting
    • Release Notes
    • New features
      • User purpose property
  • Partners
    • Partner sell an offering including the app to the customers
    • Customer have a strict data protection regime
    • Partner uses the app without customer knowledge
    • General considerations
  • Policies
    • Privacy Policy
    • Terms & Conditions
  • RECOMMENDED ACTIONS
    • Recommended actions
      • Review Entra ID role assignments and create a strategy to offer such roles
      • Review and remove all inactive or unwanted accounts
        • Bulk deletion of users in Entra ID
      • Protect all users with MFA
      • Review and clean up applications with excessive permissions
Powered by GitBook
On this page
  • Problem description:
  • General considerations:
  • Considerations assigning roles to different identities:
  • How to clean-up your environment:
  1. RECOMMENDED ACTIONS
  2. Recommended actions

Review Entra ID role assignments and create a strategy to offer such roles

Review all privileged accounts and remove any unnecessary permissions

PreviousRecommended actionsNextReview and remove all inactive or unwanted accounts

Last updated 9 days ago

Problem description:

Most organizations assign the to users, groups and service principals to operate their environment. It is common that highly privileged roles with excessive permission levels are used for performing daily tasks.

Microsoft has made over 30 different built-in roles to give administrators just enough privileges to do their job, but most organizations have adopted just a few of them.

Users or service principals holding these roles are rarely reviewed and from a security perspective this is a huge problem. There are also some decisions to be made when it comes to how you distribute these roles and how you protect them.

General considerations:

Highly privileged roles should be assigned individual identities using and it is also a good practice to enforce for activating such roles.

These users should be cloud native and you should configure .

These features requires an Entra ID P2 license per user benefitting from PIM and Identity Protection.

All identities having privileged roles should be . Licensing these identities with access to services like Exchange Online or Teams should be avoided and handled with care.

Due to the nature of newer web browsers it is not recommended to use the same computer for administrative tasks as daily consumption of email and teams. Most web browsers have support for running several profiles running different user contexts. When clicking an external link you must avoid that the link starts in a browser signed in as an elevated user.

Considering implementing is a good idea to avoid usability of stolen credentials and unintentional behaviour like a click on an external link ending up in an elevated browser.

Considerations assigning roles to different identities:

Personal user accounts:

Entra ID roles are often assigned to normal user accounts on a permanent basis, meaning that if a user falls for a phishing attack or clicks on a malicious link in teams or email the result could be catastrophic. Users change roles over time and if a user needed Sharepoint Administrator role years ago we find that most organizations don’t have good routines in removing this access when no longer needed. If you enforce proper security measures on these "admin" users to protect Entra ID, usability on these accounts would be limited.

Personal administrator accounts:

Guest accounts:

Even guest accounts can be assigned these roles, but these accounts are, in most organizations, unmanaged. If you assign permissions to a guest account, you automatically trust the organization, from where the account resides, to have very good on- and off-boarding routines and you trust their security setup. We’ve had several major incidents in Norway where guest accounts were compromised and resulted in organizations being attacked.

Groups:

Service principals:

It is common to use SaaS solutions and integrate them into your environment. Migration tools, backup tools and normal production software often need some sort of access into your environment to function properly. Very often providers of such software ask for way more permissions than they need. We’ve seen follow me print solutions holding SharePoint administrator role and systems controlling meeting room panels holding full access permissions to all mailboxes within organizations. If the application provider gets a security breach, how exposed are you, since the attacker then will have access to your environment with the permissions given the application?

As a side comment it is also important to evaluate from where these service principals sign in in from. If you gave an application provider a service principal to consume your data, you should evaluate from where the application is processing your data. Is your data protection officer informed?

How to clean-up your environment:

  1. Remove roles and permissions from users, groups and service principals not needing them.

    • Provide just-in-time privileged access to Microsoft Entra ID and Azure resources

    • Assign time-bound access to resources using start and end dates

    • Require approval to activate privileged roles

    • Enforce multifactor authentication to activate any role

    • Use justification to understand why users activate

    • Get notifications when privileged roles are activated

    • Conduct access reviews to ensure users still need roles

    • Download audit history for internal or external audit

    • Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

  2. Review your current strategy on how you assign roles and permissions to your users:

    • Ensure separate administrative accounts to operate your environment

    • Don’t give privileged access to guest accounts unless you have proper governance on such users or set a short timeframe for the eligible role access

    • Only use groups for lower privileged roles, and if you use groups, you should create an access review policy on them.

It is considered better to use separate dedicated personal administrator accounts to operate the environment. But technicians could still end up clicking a link ending up in the web browser that holds privileged permissions. These administrator accounts also tend to be unmanaged, and based on our experience, it’s normal to find several accounts not registered MFA or not been used for a very long time with permanent assigned privileged roles. It is also considered a security risk to license these accounts to Exchange and/or Teams. The requirement of in combination with the usage of should be the minimum requirement for such users.

If You decide to assign Entra ID roles to guest accounts, you must use and set the eligibility to each role to expire in the very near future. It could also be a good idea to require an before elevating the guest user.

Assigning roles to groups is also a common way of distributing permissions. It is an easy way of distributing permissions, but it is harder to figure out which user has which role and there is some downsides, like the possibility for self elevation from lower permissions and running automated access reviews on Entra ID roles. If you still want to use groups please read and follow best practices from Microsoft:

You should also carefully review membership in these groups on a schedule. is a great way to review membership in such groups.

If You still want to use groups for eligible role assignments, you should require additional on highly privileged roles.

Review your current environment by using the

Ensure that all accounts holding such permissions are protected with or ensure to protect them with conditional access policies ensuring that they can only be used from a specific ip or other measures that decreases usability of the account.

Ensure that all privileged accounts holds an Entra ID P2 license and configure to get these features:

Consider protecting usage of users with privileged roles by leveraging a and configure conditional access to only allow sign-ins from that device. This could be a virtual machine in Azure or a

built-in Entra ID roles
Privileged Identity Management (PIM)
approval
Identity Protection
protected with phishing resistant MFA
Privileged Access Workstation (PAW)
phishing resistant MFA
Privileged Identity Management (PIM)
Privileged Identity Management (PIM)
approval
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept#how-are-role-assignable-groups-protected
Access reviews
approval
Bsure Insights - Security - Entra ID Roles report
phishing resistant MFA
Microsoft Entra Privileged Identity Management
Privileged Access Workstation
Windows 365 device