A compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.
What is Privileged Access Management?
Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.
When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.
You can define which tasks require a privileged access request via the admin portal.
When admins want to perform one of these tasks, they raise a request for access via the portal or via PowerShell.
A sample PowerShell request to perform a task requiring privileged access approval looks like this:
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' -Reason 'Setting Journal per request.' -DurationHours 4
Requests can be approved automatically or manually, and requesters are notified of the approval outcome via email. All privileged access requests and approval-process information are recorded for internal reviews and auditors.
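As an added example (not from the original post), the full workflow around the sample request above, run from an Exchange Online PowerShell session: define the approval policy for the task, raise the request, approve it as an approver, and review the request history. It assumes the ExchangeOnlineManagement module is installed, that Privileged Access Management is already enabled for the tenant, that pamapprovers@contoso.onmicrosoft.com is a placeholder for the approver group, and that the output property names RequestId and RequestStatus are as documented for these cmdlets.

```powershell
# Added example, not code from the original article.
# Assumptions: ExchangeOnlineManagement module installed, PAM already enabled,
# and a placeholder approver group pamapprovers@contoso.onmicrosoft.com.

Connect-ExchangeOnline

# 1. Policy: make New-JournalRule a task that needs manual approval.
#    Journal rules silently copy mail, so this is exactly the kind of task that
#    should not be available to an admin account all of the time.
$task = 'Exchange\New-JournalRule'
$existing = Get-ElevatedAccessApprovalPolicy | Where-Object { $_.Task -eq $task }
if (-not $existing) {
    New-ElevatedAccessApprovalPolicy -Task $task -ApprovalType Manual `
        -ApproverGroup 'pamapprovers@contoso.onmicrosoft.com'
}

# 2. Request (the admin's side): just enough access, for a bounded time.
$req = New-ElevatedAccessRequest -Task $task `
    -Reason 'Setting Journal per request.' -DurationHours 4

# 3. Approval (an approver's side): review what is pending, then approve by id.
#    RequestId / RequestStatus are assumed property names (see lead-in).
Get-ElevatedAccessRequest |
    Where-Object { $_.RequestStatus -eq 'Pending' } |
    Format-List

Approve-ElevatedAccessRequest -RequestId $req.RequestId `
    -Comment 'Change ticket reviewed; journal rule is for the legal hold.'

# 4. Audit: every request and its outcome is kept, so a reviewer can compare
#    elevation history against change tickets and spot requests nobody raised.
Get-ElevatedAccessRequest |
    Where-Object { $_.RequestStatus -ne 'Pending' } |
    Format-List
```

Deny-ElevatedAccessRequest takes the same -RequestId and -Comment parameters for the rejection path, and the comment is kept with the request record.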
Privileged Access Management License requirements
Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.