Privileged roles should not have permanent access at subscription/RG level

CRITICAL

Ensures privileged roles (Owner, Contributor, etc.) are not permanently assigned and are instead activated just-in-time when needed.

What does this mean?

Permanent privileged role assignments create a standing attack surface. If an account with permanent Owner or Contributor access is compromised, the attacker immediately has full control of everything in that scope. This recommendation enforces just-in-time (JIT) access through Privileged Identity Management (PIM), so the privilege is held only for the activated window.
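As an added example (not part of this recommendation page), the following Python check flags standing privileged assignments at subscription or resource-group scope. The record fields (roleName, scope, assignmentType, endDateTime) are assumptions modelled on Azure's roleAssignmentScheduleInstances output, where PIM-activated assignments show assignmentType "Activated" with an expiry and permanent ones show "Assigned" with no endDateTime; the sample data is constructed.

```python
"""Flag permanent (non-PIM) privileged role assignments at subscription/RG scope."""
import re

# Assumed set of privileged roles; extend to match your own policy.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: 'subscription', 'resourceGroup' or 'other'."""
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "other"  # management group, individual resource, malformed


def is_standing_privileged(inst: dict) -> bool:
    """True for a permanent, directly assigned privileged role at sub/RG scope.
    Field names are assumptions modelled on roleAssignmentScheduleInstances."""
    if inst.get("roleName") not in PRIVILEGED_ROLES:
        return False
    if scope_level(inst.get("scope", "")) == "other":
        return False
    # PIM activations are "Activated" and time-bound; a permanent assignment
    # is "Assigned" with no end time.
    if inst.get("assignmentType") != "Assigned":
        return False
    return inst.get("endDateTime") is None


def find_standing_privileged(instances: list) -> list:
    """Return every record that represents standing privileged access."""
    return [i for i in instances if is_standing_privileged(i)]


# Constructed sample data (not real tenant output).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = [
    {"principal": "alice@example.com", "roleName": "Owner", "scope": SUB,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "bob@example.com", "roleName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod",
     "assignmentType": "Activated", "endDateTime": "2026-02-12T18:00:00Z"},
    {"principal": "ci-sp", "roleName": "Reader",
     "scope": SUB + "/resourceGroups/rg-prod",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principal": "carol@example.com", "roleName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Web/sites/app1",
     "assignmentType": "Assigned", "endDateTime": None},
]

if __name__ == "__main__":
    for hit in find_standing_privileged(SAMPLE):
        print(f"STANDING {hit['roleName']} for {hit['principal']} at {hit['scope']}")
```

Only alice's permanent Owner assignment at subscription scope is reported; bob's PIM activation, the Reader role and the resource-level Contributor are out of scope for this check.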

Benefits of implementation

  • Reduces standing privileged access to near-zero
  • Limits the blast radius of compromised accounts
  • Provides an audit trail of each privilege activation

Drawbacks and considerations

  • Requires Azure AD PIM licensing (P2)
  • Additional friction for administrators needing frequent access
  • Emergency access scenarios need break-glass account procedures

Implementation

Implementation guidance coming soon.

Related recommendations will be linked here.

Frameworks

Details
Risk Level
CRITICAL
Category
Identity & Access Management
Azure Resource

Frameworks
2 frameworks
Last updated
2026-02-12