Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft Entra ID role assignments, Privileged Identity Management (PIM) configurations, and privileged access logs through Security Copilot Plugins. It is designed to identify standing administrative privileges, assess readiness for Zero Standing Privilege (ZSP) implementation, and recommend steps to transition to Just-In-Time (JIT) access — without making any configuration changes.


How It Works

The agent connects securely to Microsoft Entra through Security Copilot Plugins to gather information about PIM configurations, privileged role assignments, and related service principals. It evaluates your environment to highlight unnecessary or persistent administrative access, detect privilege creep, and propose structured migration paths toward JIT access.

All interactions follow these principles:

  • Read-only access: The agent does not modify or remove any role assignments or configurations.

  • Least privilege: Only the roles required to read privileged access and PIM data are necessary.

  • Transparency: All data access is auditable within Microsoft Entra and aligns with Microsoft’s governance and compliance standards.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

Role                            Description
Privileged Role Administrator   Provides visibility into PIM role configurations and activations.
Security Reader                 Grants access to security insights, privileged access logs, and audit data.
Reports Reader                  Enables visibility into reporting and trend analysis for role usage.
Global Reader                   Allows tenant-wide visibility for comprehensive role assessment.

Optional Roles for Azure Resource Analysis

Role                                Description
Reader (Azure Subscription Level)   Enables analysis of standing privileges in Azure RBAC assignments.

These roles follow the principle of least privilege. Assign the Azure Reader role only if you plan to include Azure RBAC analysis.
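Before running the agent, it is worth confirming that the installing account actually holds the four required directory roles as active assignments rather than only as PIM-eligible ones. The following script is an added example (not part of this page or the agent) that performs that check with the Microsoft Graph PowerShell SDK; it assumes the roles are assigned directly to the user rather than through role-assignable groups, and it does not cover the optional Azure subscription Reader role, which lives in Azure RBAC rather than Entra ID.

```powershell
# Added example: verify that the account that will run the agent holds the
# required Entra ID roles, and distinguish roles that are missing from roles
# that are PIM-eligible but not currently activated.
# Assumption: roles are assigned directly to the user, not via groups.
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName
)

$requiredRoles = @(
    'Privileged Role Administrator',
    'Security Reader',
    'Reports Reader',
    'Global Reader'
)

# Read-only Graph scopes are sufficient for this check.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Active assignments: permanent (standing) or currently activated through PIM.
$active = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All

# Eligible assignments: granted in PIM but not activated right now.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($user.Id)'" -All

$activeIds   = @($active   | Select-Object -ExpandProperty RoleDefinitionId)
$eligibleIds = @($eligible | Select-Object -ExpandProperty RoleDefinitionId)

$report = foreach ($roleName in $requiredRoles) {
    # Resolve the role template by display name so no IDs are hard-coded.
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    $status = if ($def.Id -in $activeIds) { 'Active' }
              elseif ($def.Id -in $eligibleIds) { 'Eligible only (activate in PIM first)' }
              else { 'Missing' }
    [pscustomobject]@{ Role = $roleName; Status = $status }
}

$report | Format-Table -AutoSize

if ($report.Status -contains 'Missing') {
    Write-Warning "One or more required roles are not assigned to $UserPrincipalName."
}
```

A role reported as "Eligible only" will still block the agent until it is activated in PIM, which is the same JIT behaviour the agent itself recommends for other administrators.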


Data Access Transparency

The following table outlines what data the agent can access and its purpose.

Data Type                                  Access Level   Purpose
Privileged role assignments                Read-only      To identify standing privileges and over-assigned administrative access.
PIM configurations and activations         Read-only      To evaluate readiness for JIT and Zero Standing Privilege.
Service principals and app registrations   Read-only      To detect automation and service accounts requiring standing permissions.
Audit and privileged access logs           Read-only      To trace historical activations, identify anomalies, and validate compliance.

Data handling:

  • The agent does not modify, delete, or export data outside the tenant boundary.

  • All access occurs through Security Copilot Plugins using delegated or application-level permissions.

  • All activity is logged in Microsoft Entra audit logs for traceability and compliance validation.


Agent Settings

When running the agent, you can configure parameters to customize analysis and migration recommendations.

Setting            Example                             Description
TimeRange          30, 90, or 2025-01-01/2025-03-31    Defines the analysis window for PIM and privileged access data (a number of days or an explicit start/end date range).
IncludeAzureRBAC   true                                Includes Azure role-based access control (RBAC) data in the analysis.
OutputFormat       summary or detailed                 Specifies the detail level of the generated report.
MigrationMode      simulation or plan                  Determines whether the agent performs a readiness assessment or generates migration plans.

Example Queries

  • "Find all standing admin privileges"

  • "Create a plan to implement zero standing privilege"

  • "Identify privilege creep in my environment"

  • "Generate scripts to remove unnecessary admin access"

  • "Assess zero trust readiness for privilege management"


Migration Considerations

Before implementing Zero Standing Privilege or JIT access recommendations, review and plan carefully:

Area                        Recommendation
Emergency access accounts   Verify that break-glass accounts remain functional and exempt from JIT workflows.
Pilot testing               Test JIT activation workflows with a small group of users before broad rollout.
PIM approvers               Ensure approver configurations are set for critical roles.
Automation accounts         Validate that service principals retain appropriate standing permissions if required for automation.
Change communication        Inform affected administrators and teams before implementing role restrictions.
Workflow validation         Confirm activation requests, MFA enforcement, and approval processes work as expected.

The agent provides structured recommendations, including:

  • Migration priority rankings: Identifies quick wins first, complex migrations later.

  • Service account detection: Flags non-interactive accounts unsuitable for JIT access.

  • Emergency access validation: Identifies and preserves break-glass accounts.

  • Automation account handling: Highlights service principals that require standing privileges.


Security and Compliance Considerations

  • All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.

  • The agent adheres to Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.


Next Steps

  • Confirm that the administrator account has the required roles assigned.

  • Run the agent to identify standing privileges and generate your ZSP readiness report.

  • Review the agent’s migration recommendations in Security Copilot before implementing JIT or PIM changes.
