# Overview

> **SCU Cost Estimate**
>
> This agent typically consumes **1-3 SCUs** per analysis run, depending on the number of role assignments and service principals being analyzed.

### Introduction

Privileged Admin Watchdog helps you eliminate standing admin privileges. If you've been trying to implement zero standing privilege but don't know where to start, or want to find all the persistent admin access lurking in your environment, this agent is for you. It systematically identifies every standing administrative privilege, recommends migration to just-in-time (JIT) access, and provides the scripts and plans to make it happen.

### What It Does

* **Discovers all standing privileges** across Entra ID roles, service principals, and Azure resources
* **Identifies JIT migration candidates** showing which roles can move to PIM
* **Detects privilege creep** by tracking when permissions expand beyond original intent
* **Analyzes escalation paths** to find indirect routes to admin access
* **Enforces time-bound access** by identifying roles without expiration
* **Monitors privileged account activity** for anomalous behavior
* **Automates access certification** to ensure periodic privilege review
* **Generates de-provisioning scripts** to remove unnecessary standing access
* **Calculates risk scores** showing attack surface reduction potential
* **Provides zero trust readiness assessment** for privilege management maturity

### Use Cases

#### 1. Implementing Zero Standing Privilege

You want to eliminate all persistent admin access but don't know where you currently stand. Privileged Admin Watchdog inventories every standing privilege in your environment, categorizes them by migration difficulty, and provides a phased plan to transition everything to just-in-time access.

#### 2. Reducing Attack Surface

Persistent admin privileges are your biggest security risk. The agent identifies all standing administrative access, calculates the risk reduction from removing each one, and provides automated scripts to transition roles to PIM or remove them entirely. See exactly how much you can reduce your attack surface.

#### 3. Cleaning Up Privilege Creep

Over time, users accumulate permissions they no longer need. Privileged Admin Watchdog analyzes all role assignments, correlates with actual usage patterns, identifies dormant or excessive privileges, and recommends specific accounts for privilege reduction or removal.

#### 4. Emergency Access Management

You need break-glass accounts but want to ensure they're properly secured. The agent verifies emergency access accounts, checks that they're excluded from PIM requirements where appropriate, validates security controls (conditional access, MFA), and ensures proper monitoring.

#### 5. Zero Trust Compliance

Your organization is pursuing zero trust principles and needs to prove privilege management maturity. Privileged Admin Watchdog assesses your current state against zero trust requirements, calculates a maturity score, identifies gaps, and provides a roadmap to achieve zero standing privilege compliance.

### Why Privileged Admin Watchdog?

| The Problem You're Dealing With                                                             | How This Helps                                                                                 |
| ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **Standing privileges everywhere**: Admins have permanent access they rarely use            | **Complete inventory**: Every standing privilege identified with JIT migration recommendations |
| **Zero standing privilege seems impossible**: Don't know where to start or what to migrate  | **Phased migration plan**: Prioritized roadmap showing which privileges to move to JIT first   |
| **Privilege creep is invisible**: Users accumulate permissions over time                    | **Automated detection**: Identifies dormant and excessive privileges for removal               |
| **Attack surface is unclear**: Don't know how much persistent admin access you have         | **Risk quantification**: Attack surface metrics and risk reduction calculations                |
| **Manual privilege reviews are painful**: Quarterly access certifications take days of work | **Automated certification**: Scripts and reports to streamline privilege review                |
| **Escalation paths are hidden**: Indirect routes to admin access aren't obvious             | **Path analysis**: Shows how users can indirectly gain privileged access                       |

### How It Works

**What goes in:**

* Entra ID role assignments (directory roles)
* PIM configurations and eligible roles
* Service principal permissions and application roles
* Application consent grants (admin and user consents)
* Privileged access logs and usage patterns
* Conditional access policies affecting admin accounts
* Administrative unit memberships
* Azure RBAC assignments (if monitoring Azure resources)
* Emergency access account configurations

**What it does:**

* Scans all role assignments across Entra ID and Azure
* Identifies which privileges are standing (permanent) vs JIT (PIM-enabled)
* Analyzes usage patterns to detect dormant privileges
* Maps privilege escalation paths (indirect admin access)
* Validates time-bound access controls
* Checks for privilege creep (expanding permissions over time)
* Assesses emergency access account security
* Calculates risk scores for each standing privilege
* Generates migration plan to JIT access models
* Creates automated de-provisioning scripts
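
The standing-versus-JIT split, the missing-expiration check and the dormant-privilege check described above can be sketched as follows. This is an added illustration, not the agent's own logic: the records are constructed, their field names follow Microsoft Graph's `roleAssignmentScheduleInstance`, and `lastUsed` and the 90-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not from the page

# Constructed sample records. Field names follow Microsoft Graph's
# roleAssignmentScheduleInstance; "lastUsed" is a hypothetical field
# standing in for data joined from privileged access logs.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Global Administrator",
     "assignmentType": "Assigned", "endDateTime": None,
     "lastUsed": "2024-01-10T08:00:00+00:00"},
    {"principal": "bob", "role": "User Administrator",
     "assignmentType": "Activated", "endDateTime": "2024-06-01T17:00:00+00:00",
     "lastUsed": "2024-06-01T09:30:00+00:00"},
    {"principal": "svc-backup", "role": "Exchange Administrator",
     "assignmentType": "Assigned", "endDateTime": "2024-12-31T00:00:00+00:00",
     "lastUsed": None},
    {"principal": "carol", "role": "Security Administrator",
     "assignmentType": "Assigned", "endDateTime": None,
     "lastUsed": "2024-05-28T12:00:00+00:00"},
]

def classify(rec, now):
    """Return (access_model, findings) for one active role assignment."""
    if rec["assignmentType"] == "Activated":
        return "jit", []  # PIM activation of an eligible role
    findings = []
    if rec["endDateTime"] is None:
        findings.append("no-expiration")  # permanent active assignment
    last = rec["lastUsed"]
    if last is None or now - datetime.fromisoformat(last) > DORMANT_AFTER:
        findings.append("dormant")  # never used, or unused past threshold
    return "standing", findings

def inventory(records, now):
    """Standing assignments only, those with the most findings first."""
    rows = []
    for rec in records:
        model, findings = classify(rec, now)
        if model == "standing":
            rows.append((rec["principal"], rec["role"], findings))
    return sorted(rows, key=lambda r: -len(r[2]))

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    for principal, role, findings in inventory(ASSIGNMENTS, now):
        print(f"{principal:12} {role:24} {', '.join(findings) or 'time-bound, in use'}")
```
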

**What you get:**

* Standing privilege inventory (complete list of persistent admin access)
* JIT migration plan with phased approach and priority rankings
* Privilege reduction metrics (attack surface before/after)
* Risk assessment scores for each standing privilege
* Automated de-provisioning scripts (PowerShell for Entra ID, Azure CLI for RBAC)
* Compliance audit report showing current state vs zero standing privilege
* Access pattern analysis (usage frequency, last use, dormant privileges)
* Privilege escalation path detection (indirect admin access routes)
* Zero trust readiness assessment with maturity scoring
* Emergency access account validation and security recommendations


