In recent years, many organizations have used the Microsoft Enterprise Agreement (EA) portal or its APIs to create and set up their Azure subscriptions. In this article, I'd like to look at some potentially privileged configurations and permissions that come with the EA portal roles and could pose a security risk to your Azure workloads and environments. I'll give an overview of the security considerations and of how to prevent a (potential) escalation of rights into the subscriptions that enterprise or EA account administrators "support" in your organization. You will also find some side notes on the changes and differences in management under the new Microsoft Customer Agreement (MCA) enrollment.

Key facts about the EA portal roles: you can have multiple enterprise administrators in an enrollment, and you can give enterprise administrators read-only access. All enterprise administrators inherit the department administrator role. Only one account owner is allowed per subscription; additional roles are added through role-based access control (Access control (IAM)) on the Subscription blade in the Azure portal. A work, school, or Microsoft account is required for each account. When configuring users, you can assign multiple accounts to the enterprise administrator role, but the account owner role can be held by only one account; a single account can also hold both the enterprise administrator and the account owner role. There can be multiple service administrators per enrollment. For more information about the administrator roles in the Azure Enterprise portal, see "Azure Enterprise Agreement key administrator roles".

Consider the "account owner" role: it has the right to "manage resources in the Azure portal" (as shown in the EA administration RBAC matrix). The same table shows that changing the account owner is a permission held by the EA portal roles "Enterprise Administrator" and "Department Administrator" (for accounts in their department). As a result, the following escalation paths are a potential scenario whenever organizations assign EA portal roles to otherwise unprivileged administrator accounts (e.g. licensing or purchasing staff): . . .

"Classic administrator" roles are still valid and effective, as already noted. Azure AD PIM does not support the classic administrator roles, and your monitoring rules may be limited to changes of "Azure RBAC" permissions. Therefore, you must configure detection for suspicious changes to the classic administrators. Azure Sentinel and MCAS can be used to trigger alerts when someone changes the classic administrator roles. In this example, I just added another user account as a "co-administrator" in the classic administrator roles:
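The detection the article calls for, as an added example that is not part of the original post and not Microsoft's or the author's code: a small Python detector run over constructed Azure Activity log records that flags every completed change to a subscription's classic administrators (Service Administrator or Co-Administrator), optionally excluding known break-glass callers. It assumes that such changes surface in the Activity log as the `Microsoft.Authorization/classicAdministrators/write` and `.../delete` operations and that the completed request carries the status `Success` (or `Succeeded`); the sample log lines, account names and subscription ID are constructed.

```python
"""Flag changes to Azure classic administrators in Activity log records.

Added example, not code from the original article. The sample log lines below
are constructed to imitate the AzureActivity table fields; they are not real data.
"""
import json
from dataclasses import dataclass

# Resource-provider operations that change the classic administrator set of a
# subscription. Assumption: these are the Microsoft.Authorization operation
# names the Activity log records for adding/modifying and removing a classic
# (service or co-) administrator.
CLASSIC_ADMIN_OPERATIONS = {
    "microsoft.authorization/classicadministrators/write": "classic administrator added or changed",
    "microsoft.authorization/classicadministrators/delete": "classic administrator removed",
}

# Statuses that mean the request completed. Assumption: older and newer schema
# spellings; "Start"/"Started" rows are duplicates of the same request.
COMPLETED_STATUSES = {"success", "succeeded"}

SUB = "11111111-1111-1111-1111-111111111111"  # constructed subscription ID

# Constructed sample records, one JSON object per line (not real logs):
# a Start + Success pair for a co-admin being added, an unrelated RBAC
# assignment, and a classic admin removal by a break-glass account.
SAMPLE_LOG_LINES = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2021-03-01T09:00:00Z", "OperationNameValue": "Microsoft.Authorization/classicAdministrators/write",
     "ActivityStatusValue": "Start", "Caller": "ea-admin@contoso.com", "SubscriptionId": SUB,
     "ResourceId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/classicAdministrators/coadmin@contoso.com"},
    {"TimeGenerated": "2021-03-01T09:00:02Z", "OperationNameValue": "Microsoft.Authorization/classicAdministrators/write",
     "ActivityStatusValue": "Success", "Caller": "ea-admin@contoso.com", "SubscriptionId": SUB,
     "ResourceId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/classicAdministrators/coadmin@contoso.com"},
    {"TimeGenerated": "2021-03-01T09:05:00Z", "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success", "Caller": "ea-admin@contoso.com", "SubscriptionId": SUB,
     "ResourceId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleAssignments/2222"},
    {"TimeGenerated": "2021-03-01T10:00:00Z", "OperationNameValue": "Microsoft.Authorization/classicAdministrators/delete",
     "ActivityStatusValue": "Success", "Caller": "breakglass@contoso.com", "SubscriptionId": SUB,
     "ResourceId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/classicAdministrators/olduser@contoso.com"},
])


@dataclass(frozen=True)
class Finding:
    time: str
    caller: str
    subscription_id: str
    target: str          # last path segment of ResourceId: the affected admin
    description: str


def detect_classic_admin_changes(log_lines, approved_callers=()):
    """Return one Finding per completed classic-administrator change.

    log_lines: newline-separated JSON records with AzureActivity-style fields.
    approved_callers: caller UPNs (case-insensitive) whose changes are expected,
    e.g. a break-glass account handled by its own alert; they are skipped here.
    """
    approved = {c.lower() for c in approved_callers}
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op = rec.get("OperationNameValue", "").lower()
        if op not in CLASSIC_ADMIN_OPERATIONS:
            continue
        # Only the completed entry proves the membership actually changed.
        if rec.get("ActivityStatusValue", "").lower() not in COMPLETED_STATUSES:
            continue
        caller = rec.get("Caller", "")
        if caller.lower() in approved:
            continue
        findings.append(Finding(
            time=rec.get("TimeGenerated", ""),
            caller=caller,
            subscription_id=rec.get("SubscriptionId", ""),
            target=rec.get("ResourceId", "").rsplit("/", 1)[-1],
            description=CLASSIC_ADMIN_OPERATIONS[op],
        ))
    return findings


if __name__ == "__main__":
    for f in detect_classic_admin_changes(SAMPLE_LOG_LINES):
        print(f"{f.time} {f.description}: {f.target} by {f.caller} on {f.subscription_id}")
```

In Azure Sentinel the same condition is an analytics rule over the AzureActivity table (filter OperationNameValue on these two operations and a completed status, then exclude the callers you already cover elsewhere); running the logic offline over exported records first shows which callers and subscriptions an alert would hit before it goes live.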