PIM for Emergency Access Accounts
Posted by Fabulous_Cow_4714@reddit | sysadmin | 4 comments
This is what Microsoft official documentation says:
In Microsoft Entra Privileged Identity Management, you should make the Global Administrator role assignment active permanent rather than eligible for your emergency access accounts.
Others say avoid using any kind of PIM for break glass accounts.
Is there some risk of using permanently active PIM that is greater than any auditing benefit of using it instead of directly assigning the accounts as global admins?
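As an added example (not from the thread or from Microsoft), here is a small audit that checks whether each emergency access account holds Global Administrator the way the quoted guidance requires: an active, permanent assignment, not an eligible or time-bound one. It assumes input objects shaped like Microsoft Graph's roleAssignmentScheduleInstances and roleEligibilityScheduleInstances (principalId, roleDefinitionId, assignmentType, endDateTime); the account IDs and instances below are constructed sample data.

```python
# Well-known role template ID for Global Administrator in Entra ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Compliance ranking: higher is better; only the top value meets the guidance.
RANK = {"missing": 0, "eligible-only": 1, "time-bound-active": 2, "permanent-active": 3}


def classify_break_glass(principal_ids, active_instances, eligible_instances):
    """Return {principalId: status} for each emergency access account."""
    status = {pid: "missing" for pid in principal_ids}

    def upgrade(pid, new):
        if RANK[new] > RANK[status[pid]]:
            status[pid] = new

    for inst in eligible_instances:
        if inst["principalId"] in status and inst["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID:
            upgrade(inst["principalId"], "eligible-only")
    for inst in active_instances:
        pid = inst["principalId"]
        if pid not in status or inst["roleDefinitionId"] != GLOBAL_ADMIN_ROLE_ID:
            continue
        # 'Assigned' with no endDateTime is the permanent active assignment the
        # guidance asks for. 'Activated' (elevated from eligible) or anything
        # with an endDateTime lapses, so it cannot be relied on during an outage.
        if inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None:
            upgrade(pid, "permanent-active")
        else:
            upgrade(pid, "time-bound-active")
    return status


def non_compliant(status):
    """Accounts that do not hold GA as a permanent active assignment."""
    return sorted(pid for pid, s in status.items() if s != "permanent-active")


# Constructed sample data (hypothetical IDs): bg1 follows the guidance, bg2 is only eligible.
BREAK_GLASS = ["bg1-guid", "bg2-guid"]
ACTIVE = [
    {"principalId": "bg1-guid", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "alice-guid", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2024-01-01T12:00:00Z"},
]
ELIGIBLE = [{"principalId": "bg2-guid", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
             "endDateTime": None}]

if __name__ == "__main__":
    report = classify_break_glass(BREAK_GLASS, ACTIVE, ELIGIBLE)
    print(report, "non-compliant:", non_compliant(report))
```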
DanielWW2@reddit
If PIM breaks because of some issue with Azure, you are locked out.
Having an emergency (break glass) account, always active as GA, circumvents that. That way you can regain access.
Alapaloza@reddit
You technically do it through PIM if you have it enabled. Just making it active and permanent instead of elevating and time bound. It has benefits such as traceability, etc.
Fabulous_Cow_4714@reddit (OP)
I have seen email alerts saying a role was assigned outside of PIM.
That indicates that you can still assign directly even when PIM is activated.
There can also be accounts created before PIM was implemented.
weekendclimber@reddit
If you use PIM, it's for everyone. You can't really use it for some accounts and not others. The guidance is telling you how to set up the GA break glass accounts when PIM is enabled.