Privileged Access Design
Design privileged access strategies using PIM, PAM, the enterprise access model, privileged access workstations, Azure Bastion, break-glass accounts, and tiered administration.
Why Privileged Access Is the #1 Target
Attackers don’t need to compromise every user — they need ONE privileged account. A Global Admin in Entra ID can disable MFA, create backdoor accounts, access all mailboxes, and exfiltrate all data. A Domain Admin in Active Directory can push malware to every domain-joined device.
The security architect’s job is to make privileged access so well-protected that even if an attacker compromises a regular user account, they cannot escalate to privileged access. This requires multiple overlapping controls — no single control is sufficient.
PIM: Privileged Identity Management
PIM is the cornerstone of privileged access design in Microsoft Entra. It implements the principle of just-in-time (JIT) access — administrators don’t have permanent privileged roles. Instead, they have eligible assignments that they activate when needed.
Eligible vs Active Assignments
Eligible assignment: The user CAN activate the role but doesn’t HAVE it by default. They must go through the activation process (MFA, justification, approval) each time. The role is dormant until activated.
Active assignment: The user HAS the role permanently. They don’t need to activate it. This is what most organizations use today — and it’s the problem PIM solves.
The shift: Move from “200 people have permanent admin roles” to “200 people are eligible for admin roles, and at any given time, only 3-5 have active sessions.”
PIM Activation Workflow
- User requests activation — selects the role, duration, and provides justification
- MFA challenge — must prove identity with a strong authentication method
- Approval (optional) — if configured, designated approvers must approve the request
- Time-bound activation — the role activates for a maximum duration (e.g., 4 hours, 8 hours)
- Automatic deactivation — when the time expires, the role is automatically removed
- Audit trail — every activation, approval, and deactivation is logged
PIM Design Decisions
Maximum activation duration: How long can a role stay active? 8 hours is a common default. Shorter for the most sensitive roles (Global Admin: 2 hours), longer for roles that support extended operational tasks.
Require approval: For the most sensitive roles (Global Admin, Privileged Role Administrator, Exchange Administrator), require approval from a security team member. For operational roles (Helpdesk Administrator), MFA and justification may be sufficient.
Require justification: Always. Every activation should include a text justification that appears in the audit log — “Investigating incident #4521” or “Deploying quarterly policy update.” This creates accountability.
Notification: Send email notifications to security team and role owners when sensitive roles are activated. If someone activates Global Admin at 3 AM with justification “testing,” the security team should know immediately.
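The design decisions above can be checked mechanically. The script below is an added example for this lesson (not code from the course or from Microsoft): it audits per-role PIM activation rules against a baseline derived from the text (2-hour Global Admin, approval for sensitive roles, MFA and justification always, admin notifications) and flags activation audit records like the "3 AM with justification 'testing'" case. The policy JSON is a constructed sample that follows the shape of Microsoft Graph unifiedRoleManagementPolicy rules as I understand them (rule ids such as Expiration_EndUser_Assignment, ISO 8601 durations like PT8H); confirm the field names against an export from your own tenant before relying on the checks.

```python
"""Audit PIM role settings against a design baseline and flag odd activations.

Added example for this lesson; it is not code from the course or from Microsoft.
The policy data below is a constructed sample shaped like Microsoft Graph
unifiedRoleManagementPolicy rules as I understand them (assumption).
"""
import re
from datetime import datetime

# Design baseline per role (assumption, derived from the decisions in the text:
# short activations plus approval for the most sensitive roles).
BASELINE = {
    "Global Administrator": {"max_hours": 2, "approval": True},
    "Exchange Administrator": {"max_hours": 4, "approval": True},
    "Helpdesk Administrator": {"max_hours": 8, "approval": False},
}

# Constructed policy export: one rule set per role.
SAMPLE_POLICIES = {
    "Global Administrator": {"rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
        {"id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email",
         "notificationLevel": "All", "isDefaultRecipientsEnabled": True},
    ]},
    "Helpdesk Administrator": {"rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
        {"id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email",
         "notificationLevel": "All", "isDefaultRecipientsEnabled": True},
    ]},
}


def iso_duration_hours(value: str) -> float:
    """Convert an ISO 8601 duration such as PT8H, PT30M or P1D into hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(x or 0) for x in m.groups())
    return days * 24 + hours + minutes / 60


def audit_role_policy(role: str, policy: dict) -> list:
    """Return the baseline deviations for one role's activation rules."""
    rules = {r["id"]: r for r in policy["rules"]}
    want = BASELINE[role]
    findings = []
    expiry = rules.get("Expiration_EndUser_Assignment", {})
    if not expiry.get("isExpirationRequired"):
        findings.append("activation never expires")
    elif iso_duration_hours(expiry["maximumDuration"]) > want["max_hours"]:
        findings.append(f"max activation {expiry['maximumDuration']} exceeds {want['max_hours']}h baseline")
    enabled = set(rules.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    if "MultiFactorAuthentication" not in enabled:
        findings.append("MFA not required on activation")
    if "Justification" not in enabled:
        findings.append("justification not required on activation")
    approval = rules.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if want["approval"] and not approval.get("isApprovalRequired"):
        findings.append("approval not required")
    notify = rules.get("Notification_Admin_EndUser_Assignment", {})
    has_recipients = notify.get("isDefaultRecipientsEnabled") or notify.get("notificationRecipients")
    if notify.get("notificationLevel") != "All" or not has_recipients:
        findings.append("admins are not notified of every activation")
    return findings


def audit_all(policies: dict) -> dict:
    return {role: audit_role_policy(role, p) for role, p in policies.items()}


# Activation-audit side: the "Global Admin at 3 AM with justification 'testing'" case.
OFF_HOURS = range(0, 6)                      # assumption: 00:00-05:59 counts as off hours
WEAK_JUSTIFICATIONS = {"test", "testing", "admin", "work", "n/a"}


def flag_activation(event: dict) -> list:
    """Reasons a PIM activation record deserves a human look (empty list = nothing odd)."""
    reasons = []
    if datetime.fromisoformat(event["activatedAt"]).hour in OFF_HOURS:
        reasons.append("off-hours activation")
    text = event.get("justification", "").strip()
    if len(text) < 10 or text.lower() in WEAK_JUSTIFICATIONS:
        reasons.append("weak justification")
    return reasons


if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_POLICIES).items():
        print(role, "->", findings or "conforms to baseline")
    sample = {"role": "Global Administrator", "activatedAt": "2024-03-04T03:12:00",
              "justification": "testing"}          # constructed audit record
    print(flag_activation(sample))
```

In the sample, Helpdesk Administrator conforms while Global Administrator produces three findings (8-hour activation, no justification, no approval), which is exactly the kind of gap a rollout review should surface before eligible assignments go live.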
PAM: Privileged Access Management
While PIM handles role elevation (who you are in the system), PAM handles task approval (what you’re allowed to do). PAM in Microsoft 365 requires approval before specific administrative tasks can be executed, even if the admin already has the role.
Example: An Exchange administrator has the role to manage mailboxes. With PAM, they can manage most mailboxes normally. But to access the CEO’s mailbox or create a journal rule (which could be used for data exfiltration), they must submit a PAM request and get approval.
PIM + PAM together: PIM says “you can become an Exchange Admin for 4 hours.” PAM says “even as an Exchange Admin, you need approval for this specific high-risk task.”
| Aspect | PIM (Privileged Identity Management) | PAM (Privileged Access Management) |
|---|---|---|
| Scope | Role-level — controls who can activate an admin role | Task-level — controls who can execute a specific admin action |
| How It Works | Eligible users request role activation with MFA, justification, and optional approval. Time-bound. | Admin with an active role requests approval for a specific high-risk task. Approval grants access for a limited time. |
| Controls When | Access to the role itself — before you can do anything | Access to specific actions within a role — after you already have the role |
| Platform | Entra ID roles and Azure resource roles | Microsoft 365 workloads (Exchange, SharePoint, Teams) |
| Best For | Reducing standing admin access — implementing just-in-time elevation | Adding an extra approval layer for the most sensitive admin operations within M365 |
Enterprise Access Model
The enterprise access model (which evolved from the legacy Active Directory tiered administration model) defines three access planes with strict separation:
Control Plane
The highest tier. This is where identity systems, security tools, and management platforms live. Compromise here means the attacker controls everything.
Assets: Entra ID (Global Admin, Privileged Role Admin), Active Directory Domain Controllers, security tools (Sentinel, Defender), PKI infrastructure, PIM itself
Protection: Phishing-resistant MFA only, PAW devices, PIM with approval, maximum monitoring, dedicated admin accounts
Management Plane
The middle tier. This is where IT management tools and server administration happens.
Assets: Azure subscriptions, Intune, Exchange administration, SharePoint administration, on-premises servers, management tools (SCCM, WSUS)
Protection: MFA required, PAW recommended, PIM for role activation, separate admin accounts from control plane
Workload Plane (User Access)
The lowest tier. This is where regular users access their applications and data.
Assets: Microsoft 365 apps, line-of-business applications, user endpoints, data
Protection: Standard security controls (MFA, device compliance, Conditional Access)
The Critical Rule: Never Cross Tiers
A control plane admin account must NEVER be used from a workload-plane device (a regular laptop). If the regular laptop is compromised, the attacker captures the control plane credentials. This is why separate admin accounts and PAWs exist.
Privileged Access Workstations (PAWs)
A PAW is a dedicated, hardened device used exclusively for administrative tasks. It’s not the admin’s daily laptop — it’s a separate device with a locked-down configuration that minimizes the attack surface.
PAW Design Principles
- Dedicated hardware — separate physical device or a hardened VM with no personal use
- Locked-down configuration — no email, no web browsing (except admin portals), no personal applications
- Hardware security — TPM 2.0, Secure Boot, BitLocker encryption, Windows Hello for Business
- Intune managed — strictest compliance policy, application control (only admin tools allowed)
- Network restrictions — can only connect to admin portals and management endpoints
- Conditional Access — admin portals require PAW device compliance as a grant control
Why PAWs Are Non-Negotiable for Control Plane Access
Without a PAW, the admin uses their regular laptop. That laptop has email (phishing vector), a web browser (malware delivery), and personal applications (unknown risk). If any of these vectors compromises the laptop, the attacker captures admin credentials during the next PIM activation. The PAW eliminates these vectors entirely.
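The "never cross tiers" rule and the PAW requirement are only as good as your ability to detect violations. The following is an added example (not code from the course page) that runs the rule over sign-in records: a control-plane account must only sign in from an enrolled PAW, and a management-plane account must at least use a compliant device. The records are constructed and borrow a few field names from Entra sign-in logs (userPrincipalName, deviceDetail.deviceId, deviceDetail.isCompliant); the account-to-plane map and the PAW device list are assumptions standing in for an organization's own inventory.

```python
"""Detect control-plane admin sign-ins that crossed tiers (came from a non-PAW device).

Added example, not code from the page. The account inventory, PAW device ids and
sign-in records are all constructed (assumptions).
"""

# Constructed inventory: which plane each admin account belongs to, and which
# device ids are enrolled PAWs. Unknown accounts are treated as workload-plane users.
ACCOUNT_PLANE = {
    "ga-torres@contoso.example": "control",
    "adm-diaz@contoso.example": "management",
}
PAW_DEVICES = {"paw-0001", "paw-0002"}

# Constructed sign-in events.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ga-torres@contoso.example", "appDisplayName": "Azure Portal",
     "deviceDetail": {"deviceId": "paw-0001", "isCompliant": True}},
    {"userPrincipalName": "ga-torres@contoso.example", "appDisplayName": "Azure Portal",
     "deviceDetail": {"deviceId": "laptop-0017", "isCompliant": True}},
    {"userPrincipalName": "adm-diaz@contoso.example", "appDisplayName": "Microsoft Intune",
     "deviceDetail": {"deviceId": "", "isCompliant": False}},
    {"userPrincipalName": "jdoe@contoso.example", "appDisplayName": "Office 365",
     "deviceDetail": {"deviceId": "", "isCompliant": False}},
]


def classify_device(detail: dict) -> str:
    """paw / compliant / unmanaged, from the deviceDetail block of a sign-in."""
    if detail.get("deviceId") in PAW_DEVICES:
        return "paw"
    if detail.get("isCompliant"):
        return "compliant"
    return "unmanaged"


def crosses_tier(plane: str, device_class: str) -> bool:
    """The never-cross-tiers rule: control plane only from a PAW; management plane
    from a PAW or at least a compliant device (PAW recommended); workload: any."""
    if plane == "control":
        return device_class != "paw"
    if plane == "management":
        return device_class == "unmanaged"
    return False


def find_tier_crossings(signins: list) -> list:
    """Return one finding per sign-in that breaks the tier rule."""
    findings = []
    for s in signins:
        upn = s["userPrincipalName"]
        plane = ACCOUNT_PLANE.get(upn, "workload")
        device_class = classify_device(s.get("deviceDetail", {}))
        if crosses_tier(plane, device_class):
            findings.append({"upn": upn, "plane": plane, "device": device_class,
                             "app": s.get("appDisplayName")})
    return findings


if __name__ == "__main__":
    for f in find_tier_crossings(SAMPLE_SIGNINS):
        print(f"TIER CROSSING: {f['plane']}-plane account {f['upn']} signed in to "
              f"{f['app']} from a {f['device']} device")
```

Note that the second sample sign-in comes from a compliant, Intune-managed laptop and is still a violation: a compliant daily-driver device is not a PAW, which is the distinction the Conditional Access grant control for admin portals has to enforce.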
🏛️ Torres Designs PAWs for Classified Systems
Commander Torres is designing privileged access for the Department of Federal Systems. The department manages classified systems that require the strictest access controls.
“Our biggest risk is credential theft from admin workstations,” Torres tells Colonel Reeves. “Last year, a contractor’s laptop was compromised through a phishing email. The contractor had domain admin credentials cached on the device. The attacker used those credentials to access three classified networks.”
Torres’s PAW design:
- Hardware tokens (FIDO2) only — no software-based authentication on PAWs
- Air-gapped PAWs for Tier 0 — classified system domain controllers are managed from PAWs that connect only to the classified management network
- Cloud-managed PAWs for Tier 1 — Azure and M365 admin tasks use Intune-managed PAWs with Conditional Access requiring the specific PAW device group
- No email, no browser, no internet on Tier 0 PAWs — the device connects ONLY to management endpoints
- Locked cabinet storage — PAWs are stored in a secured cabinet when not in use. Check-out requires badge scan and manager approval.
“What about remote administration?” Specialist Diaz asks. “Some of our admins work from field offices.”
“Field offices get cloud-managed PAWs shipped to them,” Torres replies. “Azure Bastion handles remote access to Azure VMs — the admin connects to the Bastion service through the PAW’s browser, and Bastion proxies the RDP/SSH session. No direct RDP exposure, no management ports open on the VMs.”
Azure Bastion: Secure Administrative Access
Azure Bastion provides secure RDP and SSH connectivity to Azure virtual machines through the Azure portal. It eliminates the need to expose management ports (3389 for RDP, 22 for SSH) to the internet.
How Bastion works:
- Admin connects to the Azure portal (through their PAW, with MFA via PIM)
- Selects the target VM and clicks “Connect via Bastion”
- Bastion proxies the RDP/SSH session through a TLS-encrypted tunnel
- The VM has NO public IP address and no open management ports
Architecture benefit: Even if an attacker scans the entire internet, they cannot find your VMs’ management ports because those ports aren’t exposed. The only path to admin access goes through Azure portal → Bastion → private VM.
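To verify that the Bastion architecture is actually in place, check each VM for the two conditions the text names: no public IP, and no NSG rule that lets the internet reach 3389 or 22. The script below is an added example (not code from the course or from Microsoft) that emulates NSG rule evaluation over a constructed inventory shaped like exported NSG security rules (priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange or destinationPortRanges). It is deliberately simplified: it models NIC-level rules, TCP or any-protocol rules, and source prefixes that plainly cover the internet; service tags other than Internet, application security groups and subnet-level NSGs are not modelled. The AzureBastionSubnet address 10.0.255.0/27 is an assumption.

```python
"""Find VMs whose RDP/SSH ports are reachable from the internet, i.e. the exposure
Azure Bastion is meant to remove.

Added example, not code from the page or from Microsoft. The VM and NSG inventory
is constructed; NSG evaluation is simplified (see the lead-in).
"""

MGMT_PORTS = {3389: "RDP", 22: "SSH"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed inventory. AzureBastionSubnet is assumed to be 10.0.255.0/27.
NSGS = {
    "nsg-web": [
        {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    ],
    "nsg-jump": [
        {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
        {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    ],
    "nsg-db": [
        {"name": "allow-rdp-from-bastion", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.255.0/27", "destinationPortRange": "3389"},
    ],
}
VMS = [
    {"name": "vm-web", "publicIp": "203.0.113.10", "nsg": "nsg-web"},
    {"name": "vm-jump", "publicIp": "203.0.113.11", "nsg": "nsg-jump"},
    {"name": "vm-db", "publicIp": None, "nsg": "nsg-db"},
]


def port_in_rule(rule: dict, port: int) -> bool:
    """Match a port against destinationPortRange / destinationPortRanges ('*', '22', '22-23')."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def internet_reaches(rules: list, port: int) -> bool:
    """Emulate NSG evaluation for a packet from the internet: rules are tried in
    ascending priority number and the first matching rule decides. No match means
    the implicit DenyAllInBound rule applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", "Tcp"):
            continue
        if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
            continue
        if port_in_rule(rule, port):
            return rule["access"] == "Allow"
    return False


def exposed_management_ports(vms: list, nsgs: dict) -> list:
    """(vm, protocol, port) for every VM with a public IP whose RDP/SSH is reachable."""
    findings = []
    for vm in vms:
        if not vm.get("publicIp"):
            continue                      # no public IP: only reachable via Bastion or private paths
        for port, proto in MGMT_PORTS.items():
            if internet_reaches(nsgs[vm["nsg"]], port):
                findings.append((vm["name"], proto, port))
    return findings


if __name__ == "__main__":
    for vm, proto, port in exposed_management_ports(VMS, NSGS):
        print(f"{vm}: {proto} ({port}/tcp) is reachable from the internet; "
              f"route admins through Bastion instead")
```

Only vm-web is reported: vm-jump's deny rule sits at a lower priority number than its allow rule and wins, and vm-db has no public IP and only accepts RDP from the Bastion subnet, which is the target state for every VM.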
Break-Glass (Emergency Access) Accounts
Break-glass accounts are your insurance policy. They exist for one purpose: restoring access when all other admin accounts are locked out.
When Break-Glass Accounts Save You
- A CA policy misconfiguration blocks all admin sign-ins
- The MFA provider experiences an outage
- PIM is misconfigured and no one can activate Global Admin
- A malicious admin locks everyone out (insider threat)
- Federation service failure prevents all federated authentication
Break-Glass Account Design
Minimum two cloud-only accounts — redundancy in case one is compromised or unavailable. Must not depend on federation or on-premises AD. Use the .onmicrosoft.com domain.
Permanent Global Admin — these are the ONLY accounts with permanent (not PIM-eligible) Global Admin assignment.
At least one excluded from ALL Conditional Access policies (including MFA) — this account is the ultimate recovery path when CA or MFA systems are broken. It must work regardless of which system has failed. Compensating controls: physical password security and intensive monitoring.
The second account can use phishing-resistant MFA (e.g., FIDO2 security key stored in a physical safe) — this provides credential diversity. If the password-only account is compromised, the FIDO2-protected account is still secure. If FIDO2 infrastructure fails, the password-only account still works.
Strong credentials — long, complex passwords (25+ characters) stored in a physical safe. Split the password across two sealed envelopes in different physical locations.
Monitoring — configure Sentinel or Defender to alert immediately if a break-glass account signs in. Any use outside a declared emergency should trigger an investigation.
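Two of the break-glass requirements above are easy to get wrong silently: a newly created Conditional Access policy that forgets the exclusion, and a sign-in that nobody notices. The following added example (not code from the course page) validates both: it finds which break-glass accounts are excluded from every enforced CA policy, lists the policies that miss an exclusion, and turns every break-glass sign-in into an alert, escalating any sign-in that falls outside a declared emergency window. Policies follow the shape of Microsoft Graph conditionalAccessPolicy objects (state, conditions.users.excludeUsers) and sign-ins borrow a few Entra sign-in log fields (userPrincipalName, createdDateTime, ipAddress); all account names, ids, policies and timestamps are constructed.

```python
"""Validate break-glass account design: CA exclusion coverage and sign-in alerting.

Added example, not from the page. All policies, accounts, ids and sign-ins below
are constructed samples (assumptions), shaped like Graph CA policies and Entra
sign-in records.
"""
from datetime import datetime

# Constructed break-glass accounts: cloud-only, on the .onmicrosoft.com domain.
BREAK_GLASS = {
    "id-bg-1": "bg-emergency1@contoso.onmicrosoft.com",   # password-only, excluded from all CA
    "id-bg-2": "bg-emergency2@contoso.onmicrosoft.com",   # FIDO2 key kept in the safe
}

SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["id-bg-1", "id-bg-2"]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["id-bg-1"]}}},
    {"displayName": "Require PAW for control-plane roles", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<role-template-id>"], "excludeUsers": ["id-bg-1"]}}},
    {"displayName": "Pilot: block risky sign-ins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

SAMPLE_SIGNINS = [
    {"userPrincipalName": "bg-emergency1@contoso.onmicrosoft.com",
     "createdDateTime": "2024-05-02T14:05:00", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bg-emergency2@contoso.onmicrosoft.com",
     "createdDateTime": "2024-05-09T02:41:00", "ipAddress": "203.0.113.99"},
    {"userPrincipalName": "jdoe@contoso.example",
     "createdDateTime": "2024-05-09T08:00:00", "ipAddress": "198.51.100.7"},
]

# A change-managed outage window during which break-glass use was expected (constructed).
DECLARED_EMERGENCIES = [(datetime(2024, 5, 2, 13, 30), datetime(2024, 5, 2, 16, 0))]


def enforced(policies: list) -> list:
    """Only policies in state 'enabled' block anything; report-only ones do not."""
    return [p for p in policies if p["state"] == "enabled"]


def excluded_from(policy: dict, account_id: str) -> bool:
    return account_id in policy["conditions"]["users"].get("excludeUsers", [])


def fully_excluded_accounts(policies: list) -> set:
    """Break-glass ids excluded from every enforced policy (the design needs at least one)."""
    return {a for a in BREAK_GLASS if all(excluded_from(p, a) for p in enforced(policies))}


def missing_exclusions(policies: list, account_id: str) -> list:
    """Names of enforced policies that could lock this break-glass account out."""
    return [p["displayName"] for p in enforced(policies) if not excluded_from(p, account_id)]


def break_glass_alerts(signins: list, windows: list) -> list:
    """Every break-glass sign-in is an alert; outside a declared window it is high severity."""
    upns = set(BREAK_GLASS.values())
    alerts = []
    for s in signins:
        if s["userPrincipalName"] not in upns:
            continue
        when = datetime.fromisoformat(s["createdDateTime"])
        declared = any(start <= when <= end for start, end in windows)
        alerts.append({"upn": s["userPrincipalName"], "when": s["createdDateTime"],
                       "ip": s["ipAddress"], "severity": "info" if declared else "high"})
    return alerts


if __name__ == "__main__":
    print("excluded from all enforced CA policies:", fully_excluded_accounts(SAMPLE_POLICIES))
    for acct in BREAK_GLASS:
        print(acct, "missing from:", missing_exclusions(SAMPLE_POLICIES, acct))
    for a in break_glass_alerts(SAMPLE_SIGNINS, DECLARED_EMERGENCIES):
        print(f"[{a['severity'].upper()}] break-glass sign-in {a['upn']} at {a['when']} from {a['ip']}")
```

The report-only pilot policy is ignored on purpose: it cannot lock anyone out yet, but the same check should be re-run the moment it is switched to enabled, which is why this belongs in a scheduled job rather than a one-off review.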
💰 Ingrid Implements PIM for 200 Admin Roles
Ingrid is rolling out PIM across Nordic Capital Partners. She’s discovered 200 users with permanent admin roles — many haven’t used their admin access in months.
“This is a disaster waiting to happen,” Ingrid tells Harald Eriksen. “We have 14 permanent Global Admins. Most of them are IT managers who needed Global Admin once for a specific project and never had it removed. Any one of these accounts gets compromised, and the attacker owns our entire tenant.”
Ingrid’s PIM rollout:
- Phase 1 — Inventory and classify: Map all 200 admin assignments. Identify which are actively used (last 30 days) and which are stale.
- Phase 2 — Break-glass first: Create two break-glass accounts BEFORE removing any permanent assignments. Store passwords in the company’s physical vault (split envelopes, two signatories to open). Configure Sentinel alerts for break-glass usage.
- Phase 3 — Convert to eligible: Move all 200 assignments from permanent to eligible. Start with the least-used roles.
- Phase 4 — Configure PIM policies:
  - Global Admin: max 2-hour activation, require approval from Security team, require phishing-resistant MFA, require justification
  - Exchange/SharePoint Admin: max 4-hour activation, require MFA and justification (no approval — too frequent for approval workflows)
  - Helpdesk Admin: max 8-hour activation, require MFA and justification
- Phase 5 — Monitor and tune: Watch for activation patterns. If the Helpdesk team activates their role 15 times a day, the activation duration is too short or the role should be restructured.
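Phase 1 (inventory and classify) and Phase 5 (monitor and tune) are the two data-driven steps of this rollout, and both are simple to script. The example below is added for this lesson (not Ingrid's or the course's code): it splits admin assignments into recently used and stale using the 30-day window from Phase 1, lists the permanent assignments that Phase 3 converts to eligible, and counts activations per role per day to spot the "15 times a day" pattern from Phase 5. The assignment and activation records are constructed and the field names (upn, role, assignmentType, lastUsed, activatedAt) are my own rather than an export format; the 10-activations-per-day threshold is an assumption.

```python
"""Phase 1 and Phase 5 of a PIM rollout as code: classify admin assignments by
recent use, and spot roles whose activation frequency suggests the policy is wrong.

Added example, not code from the page; records and thresholds are constructed
(assumptions).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed assignment inventory (a few of the "200" from the story).
SAMPLE_ASSIGNMENTS = [
    {"upn": "ingrid@ncp.example", "role": "Global Administrator",
     "assignmentType": "Active", "lastUsed": "2024-06-01T09:00:00"},
    {"upn": "harald@ncp.example", "role": "Global Administrator",
     "assignmentType": "Active", "lastUsed": "2023-11-12T10:00:00"},
    {"upn": "pm1@ncp.example", "role": "Global Administrator",
     "assignmentType": "Active", "lastUsed": None},            # never used
    {"upn": "ex1@ncp.example", "role": "Exchange Administrator",
     "assignmentType": "Active", "lastUsed": "2024-05-20T15:30:00"},
    {"upn": "hd1@ncp.example", "role": "Helpdesk Administrator",
     "assignmentType": "Eligible", "lastUsed": "2024-06-02T11:00:00"},
]
AS_OF = datetime(2024, 6, 3)

# Constructed activation log for one day: 12 Helpdesk activations, 2 Exchange.
SAMPLE_ACTIVATIONS = (
    [{"role": "Helpdesk Administrator", "activatedAt": f"2024-06-03T{8 + i:02d}:00:00"} for i in range(12)]
    + [{"role": "Exchange Administrator", "activatedAt": "2024-06-03T09:15:00"},
       {"role": "Exchange Administrator", "activatedAt": "2024-06-03T14:40:00"}]
)


def classify_assignments(assignments: list, as_of: datetime, stale_days: int = 30):
    """Split assignments into recently used and stale (unused for stale_days, or never)."""
    cutoff = as_of - timedelta(days=stale_days)
    used, stale = [], []
    for a in assignments:
        last = datetime.fromisoformat(a["lastUsed"]) if a.get("lastUsed") else None
        (used if last is not None and last >= cutoff else stale).append(a)
    return used, stale


def standing_admins(assignments: list) -> list:
    """Permanent (Active) assignments: the ones Phase 3 converts to Eligible."""
    return [a for a in assignments if a["assignmentType"] == "Active"]


def activation_churn(activations: list, per_day_threshold: int = 10) -> list:
    """Roles activated at least per_day_threshold times on any single day."""
    counts = Counter((e["role"], e["activatedAt"][:10]) for e in activations)
    return sorted({role for (role, _day), n in counts.items() if n >= per_day_threshold})


if __name__ == "__main__":
    used, stale = classify_assignments(SAMPLE_ASSIGNMENTS, AS_OF)
    print(f"{len(used)} recently used, {len(stale)} stale assignments")
    for a in stale:
        print("  stale:", a["upn"], a["role"], "last used", a["lastUsed"] or "never")
    print(f"{len(standing_admins(SAMPLE_ASSIGNMENTS))} permanent assignments to convert to eligible")
    print("roles with activation churn:", activation_churn(SAMPLE_ACTIVATIONS))
```

Stale assignments are the safest ones to convert first, exactly as Phase 3 suggests, because nobody will notice the change; a role that shows up in the churn list is a signal to lengthen its activation window or split the role, not to hand out permanent access again.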
“After Phase 3, we went from 200 permanent admin assignments to 2 — the break-glass accounts,” Ingrid reports to the board. “At any given time, we have 3-5 active admin sessions instead of 200 standing privileged accounts.”
SC-100 Exam Strategy: Privileged Access
Ingrid is configuring PIM for Global Administrator at Nordic Capital Partners. The role is the most sensitive in the tenant. Which PIM configuration best protects this role?
An organization's security architect discovers that server administrators use their regular corporate laptops (which have email and web browsing) to RDP into production domain controllers. What is the PRIMARY risk and the correct mitigation?
A security architect is setting up break-glass accounts. Which configuration is correct?
Next up: Regulatory Compliance and Data Sovereignty — We’ll design compliance architectures that translate legal requirements into technical controls, covering Purview Compliance Manager, data residency, sovereign clouds, and regulatory frameworks.