# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft Entra ID role assignments, Privileged Identity Management (PIM) configurations, and privileged access logs through **Security Copilot Plugins**.\
It is designed to identify standing administrative privileges, assess readiness for Zero Standing Privilege (ZSP) implementation, and recommend steps to transition to Just-In-Time (JIT) access — without making any configuration changes.

***

### How It Works

The agent connects securely to Microsoft Entra through Security Copilot Plugins to gather information about PIM configurations, privileged role assignments, and related service principals.\
It evaluates your environment to highlight unnecessary or persistent administrative access, detect privilege creep, and propose structured migration paths toward JIT access.

All interactions follow these principles:

* **Read-only access:** The agent does not modify or remove any role assignments or configurations.
* **Least privilege:** The agent requires only the roles needed to read privileged access and PIM data; no write-capable permission is used.
* **Transparency:** All data access is auditable within Microsoft Entra and aligns with Microsoft’s governance and compliance standards.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                              | Description                                                                 |
| --------------------------------- | --------------------------------------------------------------------------- |
| **Privileged Role Administrator** | Provides visibility into PIM role configurations and activations.           |
| **Security Reader**               | Grants access to security insights, privileged access logs, and audit data. |
| **Reports Reader**                | Enables visibility into reporting and trend analysis for role usage.        |
| **Global Reader**                 | Allows tenant-wide visibility for comprehensive role assessment.            |

#### Optional Roles for Azure Resource Analysis

| Role                                  | Description                                                        |
| ------------------------------------- | ------------------------------------------------------------------ |
| **Reader (Azure Subscription Level)** | Enables analysis of standing privileges in Azure RBAC assignments. |

{% hint style="info" %}
These roles follow the principle of least privilege. Assign the Azure **Reader** role only if you plan to include Azure RBAC analysis.
{% endhint %}
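Before running the agent it is worth confirming that the account actually holds the roles in the table above. The following Python is an added example, not part of the agent or of this documentation: it reads a Microsoft Graph `GET /me/memberOf` response (the sample responses, group name and `roleTemplateId` placeholders are constructed) and reports which required roles are missing. Two caveats matter for trusting the result: `memberOf` lists `directoryRole` objects only for *active* assignments, so a role held as PIM-eligible but not currently activated will show as missing, and large responses are paged via `@odata.nextLink`, so every page must be collected before comparing. The optional Azure **Reader** role is an Azure RBAC assignment checked through Azure Resource Manager, not through Graph, and is deliberately outside this check.

```python
"""Added example: verify the required Entra ID directory roles from a
Graph `GET /me/memberOf` response. Sample data below is constructed."""
from typing import Callable

GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/me/memberOf"

# Roles named in the "Required Entra ID Roles" table above.
REQUIRED_ROLES = {
    "Privileged Role Administrator",
    "Security Reader",
    "Reports Reader",
    "Global Reader",
}


def collect_pages(fetch: Callable[[str], dict], url: str = GRAPH_MEMBER_OF) -> list[dict]:
    """Follow @odata.nextLink until a page has none.

    `fetch` is any callable that performs an authenticated GET against Graph
    and returns the parsed JSON body; the caller supplies the token handling.
    """
    objects: list[dict] = []
    while url:
        page = fetch(url)
        objects.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # None on the last page
    return objects


def active_directory_roles(objects: list[dict]) -> set[str]:
    """Display names of *active* directory roles; groups are ignored.

    Matching on roleTemplateId is more robust than on displayName in
    production, but template ids are left as placeholders in this example.
    """
    return {
        obj["displayName"]
        for obj in objects
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def missing_required_roles(objects: list[dict]) -> set[str]:
    """Required roles (per the table above) not active on the account."""
    return REQUIRED_ROLES - active_directory_roles(objects)


# Constructed two-page response standing in for live Graph calls. The
# account below holds three of the four required roles (Reports Reader is
# absent) plus an ordinary group membership that must be ignored.
NEXT_URL = GRAPH_MEMBER_OF + "?$skiptoken=constructed-page-2"
SAMPLE_RESPONSES = {
    GRAPH_MEMBER_OF: {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
        "@odata.nextLink": NEXT_URL,
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "constructed-group-id", "displayName": "IAM Engineering"},
            {"@odata.type": "#microsoft.graph.directoryRole",
             "id": "constructed-role-id-1", "displayName": "Security Reader",
             "roleTemplateId": "placeholder-template-id"},
        ],
    },
    NEXT_URL: {
        "value": [
            {"@odata.type": "#microsoft.graph.directoryRole",
             "id": "constructed-role-id-2", "displayName": "Global Reader",
             "roleTemplateId": "placeholder-template-id"},
            {"@odata.type": "#microsoft.graph.directoryRole",
             "id": "constructed-role-id-3",
             "displayName": "Privileged Role Administrator",
             "roleTemplateId": "placeholder-template-id"},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated Graph GET."""
    return SAMPLE_RESPONSES[url]


def check_sample_account() -> set[str]:
    """Run the check against the constructed account."""
    return missing_required_roles(collect_pages(sample_fetch))


if __name__ == "__main__":
    missing = check_sample_account()
    print("missing required roles:", sorted(missing) or "none")
```

Swap `sample_fetch` for a function that calls Graph with a bearer token (for example via `requests`) to run this against a real account; the paging and comparison logic stay the same.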

***

### Data Access Transparency

The following table outlines what data the agent can access and its purpose.

| Data Type                                    | Access Level | Purpose                                                                       |
| -------------------------------------------- | ------------ | ----------------------------------------------------------------------------- |
| **Privileged role assignments**              | Read-only    | To identify standing privileges and over-assigned administrative access.      |
| **PIM configurations and activations**       | Read-only    | To evaluate readiness for JIT and Zero Standing Privilege.                    |
| **Service principals and app registrations** | Read-only    | To detect automation and service accounts requiring standing permissions.     |
| **Audit and privileged access logs**         | Read-only    | To trace historical activations, identify anomalies, and validate compliance. |

**Data handling:**

* The agent does **not** modify, delete, or export data outside the tenant boundary.
* All access occurs through **Security Copilot Plugins** using delegated or application-level permissions.
* All activity is logged in **Microsoft Entra audit logs** for traceability and compliance validation.

***

### Agent Settings

When running the agent, you can configure parameters to customize analysis and migration recommendations.

| Setting              | Example                                | Description                                                                              |
| -------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------- |
| **TimeRange**        | `30`, `90`, or `2025-01-01/2025-03-31` | Defines the analysis window for PIM and privileged access data.                          |
| **IncludeAzureRBAC** | `true`                                 | Includes Azure role-based access control (RBAC) data in the analysis.                    |
| **OutputFormat**     | `summary` or `detailed`                | Specifies the detail level of the generated report.                                      |
| **MigrationMode**    | `simulation` or `plan`                 | Determines whether the agent performs readiness assessment or generates migration plans. |
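The settings above are free-form strings, so a small validator helps catch a mistyped value before an analysis run is wasted. The following Python is an added example, not the agent's own parser: it turns the documented `TimeRange` forms into a concrete analysis window and checks the other three settings against their allowed values. The page does not state the unit of `30` and `90` or the inclusivity of the date range, so this code assumes a bare integer means the trailing N days ending today and a `start/end` pair means explicit ISO-8601 dates; the defaults applied when a setting is absent are also assumptions.

```python
"""Added example: validate the agent settings documented above.
Units, defaults and range semantics are assumptions noted inline."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

OUTPUT_FORMATS = {"summary", "detailed"}
MIGRATION_MODES = {"simulation", "plan"}


def _as_date(today: date | str | None) -> date:
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


@dataclass(frozen=True)
class AnalysisWindow:
    start: date
    end: date

    @property
    def span_days(self) -> int:
        return (self.end - self.start).days


def parse_time_range(value: str, today: date | str | None = None) -> AnalysisWindow:
    """Accept `30`/`90` (assumed: trailing N days ending today) or
    `YYYY-MM-DD/YYYY-MM-DD` (assumed: explicit start and end dates)."""
    ref = _as_date(today)
    text = value.strip()
    if text.isdigit():
        days = int(text)
        if days <= 0:
            raise ValueError("TimeRange in days must be a positive integer")
        return AnalysisWindow(start=ref - timedelta(days=days), end=ref)
    if "/" in text:
        start_text, end_text = text.split("/", 1)
        start, end = date.fromisoformat(start_text), date.fromisoformat(end_text)
        if end < start:
            raise ValueError("TimeRange end date precedes start date")
        if end > ref:
            raise ValueError("TimeRange end date lies in the future")
        return AnalysisWindow(start=start, end=end)
    raise ValueError(f"TimeRange {value!r} is neither a day count nor a date range")


def parse_bool(value: str) -> bool:
    text = value.strip().lower()
    if text not in {"true", "false"}:
        raise ValueError(f"expected true or false, got {value!r}")
    return text == "true"


def parse_choice(value: str, allowed: set[str], name: str) -> str:
    text = value.strip().lower()
    if text not in allowed:
        raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")
    return text


@dataclass(frozen=True)
class AgentSettings:
    window: AnalysisWindow
    include_azure_rbac: bool
    output_format: str
    migration_mode: str


# Validators keyed by the setting names in the table above.
_CHECKS = {
    "TimeRange": parse_time_range,
    "IncludeAzureRBAC": lambda v, today=None: parse_bool(v),
    "OutputFormat": lambda v, today=None: parse_choice(v, OUTPUT_FORMATS, "OutputFormat"),
    "MigrationMode": lambda v, today=None: parse_choice(v, MIGRATION_MODES, "MigrationMode"),
}


def parse_settings(raw: dict[str, str], today: date | str | None = None) -> AgentSettings:
    """Parse a settings mapping, raising on the first invalid value.
    Defaults (assumed): TimeRange 30, IncludeAzureRBAC false, OutputFormat
    summary, MigrationMode simulation (the assessment-only mode)."""
    return AgentSettings(
        window=parse_time_range(raw.get("TimeRange", "30"), today),
        include_azure_rbac=parse_bool(raw.get("IncludeAzureRBAC", "false")),
        output_format=parse_choice(raw.get("OutputFormat", "summary"), OUTPUT_FORMATS, "OutputFormat"),
        migration_mode=parse_choice(raw.get("MigrationMode", "simulation"), MIGRATION_MODES, "MigrationMode"),
    )


def settings_errors(raw: dict[str, str], today: date | str | None = None) -> list[str]:
    """Report every problem at once, including unknown setting names."""
    errors = []
    for key, value in raw.items():
        check = _CHECKS.get(key)
        if check is None:
            errors.append(f"{key}: unknown setting")
            continue
        try:
            check(value, today)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return errors
```

`settings_errors` is the form to use before a run, since it lists every bad value in one pass; `parse_settings` is the strict form for code that needs a typed object.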

#### Example Queries

* `"Find all standing admin privileges"`
* `"Create a plan to implement zero standing privilege"`
* `"Identify privilege creep in my environment"`
* `"Generate scripts to remove unnecessary admin access"`
* `"Assess zero trust readiness for privilege management"`

***

### Migration Considerations

Before implementing Zero Standing Privilege or JIT access recommendations, review and plan carefully:

| Area                          | Recommendation                                                                                       |
| ----------------------------- | ---------------------------------------------------------------------------------------------------- |
| **Emergency access accounts** | Verify that break-glass accounts remain functional and exempt from JIT workflows.                    |
| **Pilot testing**             | Test JIT activation workflows with a small group of users before broad rollout.                      |
| **PIM approvers**             | Ensure approver configurations are set for critical roles.                                           |
| **Automation accounts**       | Validate that service principals retain appropriate standing permissions if required for automation. |
| **Change communication**      | Inform affected administrators and teams before implementing role restrictions.                      |
| **Workflow validation**       | Confirm activation requests, MFA enforcement, and approval processes work as expected.               |

The agent provides structured recommendations, including:

* **Migration priority rankings:** Identifies quick wins first, complex migrations later.
* **Service account detection:** Flags non-interactive accounts unsuitable for JIT access.
* **Emergency access validation:** Identifies and preserves break-glass accounts.
* **Automation account handling:** Highlights service principals that require standing privileges.
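To make the four kinds of recommendation concrete, the following Python is an added illustration of how standing role assignments could be sorted into those buckets; it is not the agent's own logic, and the assignments, principal names and the 30-day "unused" threshold are constructed. Eligible (already JIT) assignments produce no finding, tagged break-glass accounts are preserved and ranked last so they are never treated as a migration candidate, service principals are flagged for review rather than for JIT conversion, and unused standing assignments held by people rank first as the quick wins. A second helper counts active roles per principal, the simplest signal of the privilege creep mentioned under "How It Works".

```python
"""Added example: rank standing privileges for a ZSP/JIT migration.
Sample assignments and thresholds are constructed, not from any tenant."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumption for this example: roles treated as highest impact when left
# standing. The page itself does not rank roles.
HIGH_IMPACT_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    principal_type: str              # "user" or "servicePrincipal"
    role: str
    assignment_type: str             # "active" = standing, "eligible" = PIM JIT
    days_since_last_use: int | None  # None = no use observed in the window
    break_glass: bool = False        # tagged emergency-access account


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    category: str
    priority: int                    # 1 = act first, 99 = never migrate
    recommendation: str


def classify(a: RoleAssignment, unused_after_days: int = 30) -> Finding | None:
    """Map one assignment to a migration finding, or None if nothing to do."""
    if a.assignment_type == "eligible":
        return None  # already JIT
    if a.break_glass:
        return Finding(a.principal, a.role, "emergency-access", 99,
                       "Preserve the standing assignment, exclude it from JIT "
                       "workflows and alert on any use.")
    if a.principal_type == "servicePrincipal":
        return Finding(a.principal, a.role, "automation", 4,
                       "Non-interactive identity cannot activate PIM; confirm the "
                       "standing privilege is still needed and scope it tightly.")
    high = a.role in HIGH_IMPACT_ROLES
    unused = a.days_since_last_use is None or a.days_since_last_use > unused_after_days
    if unused:
        return Finding(a.principal, a.role, "unused-standing", 1 if high else 2,
                       "Quick win: remove the assignment or convert it to eligible.")
    return Finding(a.principal, a.role, "in-use-standing", 2 if high else 3,
                   "Convert to eligible after piloting activation, MFA and approvers.")


def migration_plan(assignments: list[RoleAssignment]) -> list[Finding]:
    """Findings ordered quick wins first, break-glass preservation last."""
    findings = [f for f in (classify(a) for a in assignments) if f is not None]
    return sorted(findings, key=lambda f: (f.priority, f.role, f.principal))


def privilege_creep(assignments: list[RoleAssignment], max_roles: int = 2) -> dict[str, int]:
    """Principals holding more standing roles than `max_roles`."""
    counts = Counter(a.principal for a in assignments if a.assignment_type == "active")
    return {p: n for p, n in counts.items() if n > max_roles}


# Constructed sample covering every branch above.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "user", "Global Administrator", "active", None),
    RoleAssignment("bob@example.com", "user", "Exchange Administrator", "active", 3),
    RoleAssignment("carol@example.com", "user", "Security Administrator", "eligible", 2),
    RoleAssignment("emergency-01@example.com", "user", "Global Administrator", "active",
                   None, break_glass=True),
    RoleAssignment("sp-backup-automation", "servicePrincipal", "User Administrator", "active", 1),
    RoleAssignment("dave@example.com", "user", "User Administrator", "active", 45),
    RoleAssignment("dave@example.com", "user", "Groups Administrator", "active", 60),
    RoleAssignment("dave@example.com", "user", "Helpdesk Administrator", "active", 10),
]


if __name__ == "__main__":
    for f in migration_plan(SAMPLE_ASSIGNMENTS):
        print(f"P{f.priority} {f.category:18} {f.principal:28} {f.role}")
    print("privilege creep:", privilege_creep(SAMPLE_ASSIGNMENTS))
```

Feeding real data into `RoleAssignment` means joining PIM assignment records with activation or sign-in history for the chosen TimeRange; the ranking itself stays read-only and produces recommendations, not changes.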

***

### Security and Compliance Considerations

* All communication through Security Copilot Plugins is encrypted using HTTPS and authenticated via Microsoft identity services.
* The agent adheres to Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Confirm that the administrator account has the required roles assigned.
* Run the agent to identify standing privileges and generate your ZSP readiness report.
* Review the agent’s migration recommendations in Security Copilot before implementing JIT or PIM changes.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/privileged-admin-watchdog/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
