PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 10 min read

Entra ID PIM Coverage Gaps: The Tier-0 Roles You Forgot to Put in PIM

Privileged Auth Admin
Can reset MFA for any user including Global Admins -- functionally equivalent to Global Admin in an attack
Application Admin
Can add credentials to any service principal -- enables persistent access via high-privilege app identities
16+
Entra ID built-in roles with Tier-0 equivalent escalation paths that should be PIM-protected

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

PIM deployment projects often start and stop at Global Administrator. The security team builds out the PIM workflow, tests it, trains admins, and declares victory. But the attack surface is wider. An attacker does not need Global Admin directly -- they need one account with a role that can reach Global Admin or produce Global Admin-equivalent impact. Most enterprise tenants have 8 to 15 such roles with permanent assignments outside of PIM. This guide identifies the roles that represent real escalation paths and must be brought into PIM coverage.

Tier-0 Equivalent Roles: The Escalation Paths

These roles provide Global Admin-equivalent privilege or a direct escalation path to it and must be PIM-protected: Privileged Role Administrator -- can assign and modify all other Entra ID role assignments including Global Admin. The most direct path to Global Admin without being Global Admin. Privileged Authentication Administrator -- can reset the authentication methods (password, MFA) of any user, including Global Admins. An attacker with this role can take over any account. Global Reader -- read-only across the entire tenant, but combined with other vectors provides reconnaissance. Authentication Administrator -- similar to Privileged Auth Admin but cannot modify Global Admins; still highly sensitive. Application Administrator -- can create and modify app registrations and service principals, add credentials to existing SPs, and assign permissions. Cloud Application Administrator -- similar scope to Application Administrator. Exchange Administrator -- full access to all Exchange Online mailboxes via eDiscovery-equivalent access; can read all email in the tenant. SharePoint Administrator -- full access to all SharePoint sites and OneDrive content. Security Administrator -- can modify Defender for Office 365, Defender for Endpoint, Sentinel, and Purview policies, potentially blinding the security team.

Additional High-Risk Roles to Evaluate

Beyond the highest-priority roles above, evaluate these for PIM inclusion based on your environment: Intune Administrator -- full control of Intune policies, can push malicious configurations or scripts to all managed endpoints. User Administrator -- can create users, reset passwords, and manage licenses for most users. Helpdesk Administrator -- can reset passwords for non-admin users. Groups Administrator -- can modify group memberships, including groups used for Conditional Access exclusions. Conditional Access Administrator -- can create, modify, or delete Conditional Access policies -- including adding attacker accounts to exclusion groups. Teams Administrator -- full control of Teams policies, external access settings, and channel configurations. Azure Subscription Owner (Azure RBAC role) -- full control of Azure resources; while not an Entra directory role, it is Tier-0 for Azure workloads. The classification criterion: can this role be used to access sensitive data, modify security controls, or escalate to a more privileged role within one or two steps? If yes, it should be in PIM.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Audit Your Current Non-PIM Permanent Assignments

Enumerate all permanent Entra ID role assignments and identify which are outside PIM control. PowerShell: Get-MgDirectoryRole -All | ForEach-Object { $role = $; Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object { [PSCustomObject]@{ Role = $role.DisplayName; Principal = $.AdditionalProperties.displayName; PrincipalId = $.Id; PrincipalType = $.AdditionalProperties.'@odata.type' } } } | Where-Object { $_.PrincipalType -eq '#microsoft.graph.user' } | Export-Csv permanent-role-assignments.csv. This exports all permanent user role assignments. Compare against the PIM eligible assignments: Get-MgPrivilegedAccessRoleAssignment -PrivilegedAccessId 'aadRoles' -Filter "assignmentState eq 'Eligible'" | Select-Object RoleDefinitionId, SubjectId. Any role assignment that is permanent (not PIM-eligible) for any of the Tier-0 roles listed above is a risk. Break glass accounts (2 to 3 accounts, cloud-only, password vault-stored) are the only acceptable permanent Global Admin exceptions.

PIM Configuration Requirements for Tier-0 Roles

For each Tier-0 role brought into PIM, configure activation requirements proportional to the role's risk level. Global Admin, Privileged Role Admin, Privileged Auth Admin: require phishing-resistant MFA, require approval from a separate designated approver, maximum activation duration 4 hours, require justification. Application Admin, Cloud App Admin, Exchange Admin: require MFA (phishing-resistant if available), require justification, consider approval for initial deployment then review whether approval adds delay without value, maximum activation duration 8 hours. Security Admin, Intune Admin, Conditional Access Admin: require MFA, require justification, maximum activation duration 8 hours. User Admin, Groups Admin, Helpdesk Admin: require MFA, require justification, maximum 24 hours. For all roles: enable PIM alerts -- PIM will alert you when: a role has no eligible members (only permanent), an eligible member has not activated the role in 90 days (potentially unused), the activation approval is never being triggered (potentially being bypassed). Review these alerts quarterly.

Run Access Reviews on All PIM-Protected Roles

After PIM deployment, implement quarterly Access Reviews for each protected role. Entra admin center > Identity Governance > Access Reviews > New Access Review > Review scope: Entra ID roles > select all Tier-0 roles. Reviewers: direct manager and the security team. At end of review: auto-apply to remove eligible assignments not recertified. For permanent assignments (break glass accounts): review annually with the CISO or IT Director as reviewer. The access review answers a different question from PIM activation monitoring: PIM monitoring shows whether eligible assignments are being activated, access reviews ask whether the assignment should exist at all. Both are necessary. A role that was granted for a specific project six months ago and has not been activated since then should be reviewed for removal -- the person may have moved to a different team or the project may have ended.

The bottom line

Protecting only Global Administrator in PIM while leaving other Tier-0-equivalent roles permanently assigned is a common and dangerous gap. Privileged Authentication Administrator alone is sufficient to take over Global Admin accounts by resetting their MFA. Build the complete Tier-0 role inventory, move all eligible users to PIM eligible assignments, configure proportional activation requirements, and run quarterly Access Reviews. The access review process is as important as the PIM enrollment -- it catches stale assignments that PIM activation monitoring alone will miss.

Frequently asked questions

How many permanent Global Admin accounts should a tenant have?

Two to three break-glass accounts are the recommended permanent Global Admin maximum for most tenants, with all other Global Admin access via PIM eligible assignments. Break-glass accounts should be: cloud-only (not synced from on-premises AD), not assigned to a specific person, password stored in a physical vault with controlled access, protected by at least one conditional access exclusion that allows emergency use without standard CA requirements, monitored with an immediate alert on any sign-in. Beyond break-glass, every Global Admin should have eligible-only PIM assignments with MFA and approval requirements.

Can Exchange Administrator read all email in the tenant?

Exchange Administrator has access to the Exchange admin center and eDiscovery capabilities, which can be used to search and export email across the entire organization without individual mailbox owner consent. While direct mailbox access requires using the Exchange admin center's impersonation features, the net effect is that an Exchange Administrator can access any mailbox content. This is why Exchange Administrator is a Tier-0-equivalent role for data exposure purposes -- a single compromised Exchange Admin account provides access to all organizational email.

What is the difference between Authentication Administrator and Privileged Authentication Administrator?

Authentication Administrator can reset authentication methods (password, MFA) for non-admin users -- users without any Entra ID directory role assignment. Privileged Authentication Administrator can reset authentication methods for any user, including other administrators such as Global Admins. This makes Privileged Authentication Administrator a Tier-0 role (can take over Global Admin accounts) while Authentication Administrator is a lower-tier role (cannot affect admin accounts directly). Both should be in PIM, but Privileged Authentication Administrator requires the strictest activation controls (approval, phishing-resistant MFA).

Should service accounts and managed identities also have PIM-eligible assignments instead of permanent roles?

PIM eligible assignments require user interaction for activation -- service accounts and managed identities cannot interactively activate a PIM role. Service accounts that need directory roles must have permanent role assignments. The mitigation for service accounts is different: apply Conditional Access for Workload Identities to restrict where and when service accounts can authenticate, monitor service account sign-ins for anomalies, use managed identities rather than service accounts where possible (managed identities cannot have Entra ID directory roles), and scope service account role assignments to the minimum necessary permissions rather than broad Tier-0 roles.

What is the Security Reader role and is it safe to grant broadly?

Security Reader is a read-only role that can view security alerts, security policies, threat intelligence, and security configurations across Microsoft 365 Defender, Sentinel (with the Sentinel Reader role), and related security services. It cannot make changes. For most organizations, Security Reader is safe to grant to all members of the security team, help desk staff involved in security investigations, and compliance reviewers. However, Security Reader can view sensitive security data including active security alerts, user risk scores, device compliance states, and DLP policy configurations. In highly regulated environments, access to this data may itself require justification. Treat Security Reader as a low-risk but not zero-risk role -- assign it through PIM with a standing eligible assignment rather than a permanent active role.

Which Entra ID roles are commonly overlooked as Tier 0 equivalents in PIM coverage and what privileges make them dangerous?

Roles typically omitted from Tier 0 PIM treatment that can reach Global Administrator or equivalent access: Privileged Role Administrator (can modify any role assignment including its own, can grant Global Administrator to any account -- direct Tier 0). Privileged Authentication Administrator (can reset authentication methods for any user including Global Admins -- can reset a Global Admin's MFA and password). Partner Tier2 Support (can reset any user's password including Global Admins -- equivalent to Privileged Authentication Administrator). Authentication Policy Administrator (can modify MFA registration policies, enabling registration bypass). Directory Synchronization Account (used by Entra Connect -- compromise allows LDAP writes to Entra ID objects at scale). Azure AD Joined Device Local Administrator (with AAD-joined devices, members can become local admin on all AAD-joined endpoints in the tenant). Security Administrator (can modify MCAS policies, endpoint security baselines, identity protection settings). Microsoft Entra Connect Health Administrator (can access hybrid identity health data and some sync configuration). All of these should be PIM-eligible with the same MFA, approval, and time-limit controls as Global Administrator.

Sources & references

  1. Microsoft: Entra ID built-in roles
  2. Microsoft: Securing privileged access for hybrid and cloud deployments

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.