Let’s talk about a common mistake: permanent admin access. It’s a ticking time bomb. Every breach I’ve analyzed involved an attacker eventually getting their hands on a standing privileged credential. This is where you cut them off.
You don’t need your Azure admins to be “Owner” or “Contributor” 24/7. That’s just asking for trouble. When they need elevated access for a specific task, they should request it, use it, and then it should expire. Just-in-time, folks. It’s a fundamental principle of least privilege.
If you’re not using PIM, you’re leaving a massive door open. Go check your Azure subscriptions. See who has permanent “Owner” or “Contributor” assignments. It’s probably more people than you think.
Here’s how to check your exposure:
az role assignment list --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].[principalName,roleDefinitionName]" --output table
The output from that command is your to-do list. Get those permanent assignments replaced with PIM. This is CIS Azure Foundations Benchmark 1.1.11 for a reason. Don’t skip it.
The fix
# Azure CLI — list privileged role assignments
az role assignment list --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].[principalName,roleDefinitionName]" --output table
# Configure PIM via Portal:
# Entra ID → PIM → Azure AD roles → Settings → Require justification + MFA
Reference: CIS Azure Foundations Benchmark 1.1.11
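As an added example (not part of the original post), here is a small Python script that turns the JSON form of that command’s output (`--output json` instead of `--output table`) into a prioritised to-do list. The assignment records below are constructed for this example, using the field names the CLI emits; the subscription id is a placeholder.

```python
import json

# Constructed sample in the shape of `az role assignment list --output json`
# (field names as the CLI emits them; every value here is made up).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "build-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ci"},
    {"principalName": "", "principalType": "User",  # identity deleted, assignment left behind
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def is_broad_scope(scope: str) -> bool:
    """True for root, management-group or whole-subscription scope."""
    s = scope.rstrip("/")
    return (s == "" or s.startswith("/providers/Microsoft.Management/managementGroups/")
            or (s.startswith("/subscriptions/") and s.count("/") == 2))

def standing_privileged(raw_json: str) -> list:
    """Return every active privileged assignment, worst first.

    `az role assignment list` only returns *active* assignments; PIM-eligible
    ones do not appear, so everything returned here is standing access that
    should be converted to an eligible assignment or removed outright.
    """
    findings = []
    for a in json.loads(raw_json):
        role = a.get("roleDefinitionName")
        if role not in PRIVILEGED_ROLES:
            continue
        findings.append({
            "principal": a.get("principalName") or "<unresolved principal>",
            "principalType": a.get("principalType"),
            "role": role,
            "scope": a.get("scope", ""),
            "broad_scope": is_broad_scope(a.get("scope", "")),
            # Empty principalName: the identity is gone but the assignment remains.
            "orphaned": not a.get("principalName"),
        })
    # Broad scope first, then Owner before the other roles.
    findings.sort(key=lambda f: (not f["broad_scope"], f["role"] != "Owner", f["principal"]))
    return findings

if __name__ == "__main__":
    for f in standing_privileged(SAMPLE_ASSIGNMENTS):
        flags = ("SUBSCRIPTION-WIDE " if f["broad_scope"] else "") + ("ORPHANED" if f["orphaned"] else "")
        print(f'{f["role"]:<12} {f["principal"]:<24} {f["scope"]}  {flags}')
```

Orphaned entries belong on the "remove" list rather than the "convert to PIM" list, and anything flagged subscription-wide is where to start.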