Following on from the introductory blog around using Microsoft Entra to secure Microsoft Copilot for Microsoft 365, this next blog is going to be looking at how we protect the gatekeepers of our cloud environment.

Protecting the Privilege

Privileged users have the biggest target on their backs within an organisation due to the fact that if an attacker were able to compromise this account, they would have potential access to an organisation’s network and data. The principle of Least Privileged Access from the Zero Trust approach recommends that organisations scope roles to ensure that privileged users have just what they need to be able to perform their job role. In addition to just scoping roles to just what they need, it recommends that users have access only when it’s needed and then only for a limited period.

Entra helps organisations achieve this with Privileged Identity Management (PIM), which allows organisations to implement just-in-time role activation. This means that privileged roles are not permanently assigned to users but rather require the user to activate their role. This can be done via additional Multifactor Authentication requirements or for the user to require approval from a designated reviewer. Allowing the reviewer to verify the user’s identity and the reason for the request, and grant or deny access accordingly. Once this happens, the role activation is also time-bound and expires automatically after a specified period. By using this feature, you can reduce the risk of excessive access permissions and unauthorised access.

Within traditional IT teams, these privileged roles would have only been held by the IT team, but we now see a wider spread of users having access to these privileged roles to enable them to do elements of their jobs.

Continuing with Copilot for Microsoft 365, the SharePoint Administrator role as an example grants access to SharePoint Online, OneDrive, and also Microsoft Teams files. This means that these services and locations will be used in Microsoft 365 to provide information that Copilot retrieves based on the access privileges of the user to augment the prompts used to generate an informed response. Therefore, from a protection perspective, it is critical that accounts with more granular and role-based privileges are protected.

What this means for organisations is that for a long time, MSPs and service providers have talked and suggested the journey approach to protecting privileged, knowing that it can potentially take time for an organisation to adopt this way of working. Therefore, organisations often protected only the highest privileged accounts such as Global Administrator and left users permanently assigned to other role-based accounts rather than fully adopting a least privileged approach. As such, it is important now for organisations to start evaluating and continuing the journey towards the principle of least privileged access.

The next part of the series is around protecting the data and ensuring that a Just enough access approach is taken with an organisation’s data and applications.

To read the previous blog, click here.

Feature Image AI generated with Microsoft Designer