Frontrow Technology

Free tool · 5 minutes · Microsoft Entra ID

ENTRA ID GLOBAL ADMIN —
PRIVILEGED ACCESS AUDIT.

Score your Microsoft Entra ID privileged access posture across admin count, Privileged Identity Management coverage, session controls and audit governance. Aligned to Microsoft, ASD ISM, and the CIS M365 Benchmark.

10 questions · 4 domains

Entra ID Global Admin Audit

Score your Microsoft Entra ID privileged access posture across admin count, PIM coverage, session controls and audit governance. Pick the option closest to your tenant today.

Domain 1

Admin count and role assignment

How many Global Administrators exist, whether they are separated from day-to-day user accounts, and whether least-privilege roles are used.

  • How many Global Administrators does your tenant have?

    Source: Microsoft Learn: Best practices for Entra ID roles; CIS Microsoft 365 Foundations Benchmark.

  • Are admin accounts separated from the same individuals' day-to-day user accounts?

    Source: Microsoft Learn: Securing privileged access; ASD ISM (privileged user activities).

  • Are least-privilege Entra ID roles used in place of Global Administrator where possible?

    Source: Microsoft Learn: Least privileged roles by task.

Domain 2

Privileged Identity Management coverage

Whether privileged role assignments are eligible (activated just-in-time) rather than standing, and whether activation requires MFA and approval.

  • Are privileged role assignments managed via Privileged Identity Management (PIM)?

    Source: Microsoft Learn: Privileged Identity Management deployment.

  • What controls are required to activate a privileged role via PIM?

    Source: Microsoft Learn: PIM activation settings.

Domain 3

Privileged session controls

Privileged Access Workstations (PAW) for admin work, sign-in risk policies on admin accounts, and isolation of admin browsing from day-to-day work.

  • Where do admin tasks happen?

    Source: Microsoft Learn: Privileged Access Workstations; ASD ISM.

  • Are sign-in risk and user risk policies enforced on admin accounts?

    Source: Microsoft Learn: Identity Protection; Sign-in and user risk policies.

Domain 4

Audit and governance

Break-glass account discipline, privileged role access reviews, audit logging of privileged activity, and separation of duties.

  • Are break-glass (emergency-access) admin accounts configured?

    Source: Microsoft Learn: Manage emergency access accounts in Entra ID.

  • Are privileged role access reviews configured?

    Source: Microsoft Learn: Entra ID access reviews for privileged roles.

  • Is privileged activity monitored?

    Source: Microsoft Learn: Microsoft Sentinel; Entra ID audit logs.

Indicative self-assessment only. For verified results Frontrow Technology runs an in-tenant privileged access audit against the customer's Entra ID configuration.

What the audit covers

Four domains. One privileged-access posture.

Domain 1

Admin count and role assignment

Microsoft recommends 2 to 5 Global Administrators per tenant — a small number of named privileged accounts, separated from the same individuals' day-to-day user accounts. Most Australian mid-market tenants Frontrow audits run between 8 and 30 Global Admins, often with the same accounts used for both admin and standard work.

Domain 2

Privileged Identity Management coverage

Privileged Identity Management (PIM, included with Entra ID P2) lets the organisation make privileged role assignments eligible rather than active. Users activate the role only when they need it, with an approval workflow and audit trail. ASD ISM and Microsoft both recommend PIM as the baseline control for Global Administrator and other high-impact roles.
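The two checks above (how many Global Administrators exist, and whether their assignments are standing or PIM-eligible) can be answered directly from the tenant. The following script is an added example written for this page, not Frontrow's audit tooling or code from the original page. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read role management data, and that the tenant has Entra ID P2 so the PIM schedule endpoints are available; the role template id is the well-known Global Administrator id, and the filter and property names are those of the Graph `roleAssignmentSchedules` and `roleEligibilitySchedules` resources.

```powershell
# Added example (not Frontrow's audit code): inventory Global Administrator
# assignments and classify them as standing, PIM-eligible, or currently activated.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an Entra ID P2 tenant for the PIM schedule endpoints.

# Well-known Global Administrator role template id.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$filter = "roleDefinitionId eq '$globalAdminRoleId'"

# Active schedules: AssignmentType 'Assigned' is a standing assignment,
# 'Activated' is a PIM-eligible user who has the role switched on right now.
$active = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -ExpandProperty Principal -All)

# Eligible schedules: the principal only holds the role after a PIM activation.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -ExpandProperty Principal -All)

function Get-PrincipalLabel {
    param($Schedule)
    $p = $Schedule.Principal.AdditionalProperties
    # Users expose userPrincipalName; groups and service principals only a displayName.
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    return "$($p['displayName']) [$($p['@odata.type'])]"
}

$standing  = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' })
$activated = @($active | Where-Object { $_.AssignmentType -eq 'Activated' })

"Global Administrator posture for tenant $((Get-MgContext).TenantId)"
"  Standing (always-on) assignments : $($standing.Count)"
"  PIM-eligible assignments         : $($eligible.Count)"
"  Currently activated via PIM      : $($activated.Count)"
""
"Standing assignments (Microsoft guidance: 2-5 named admins, eligible rather than standing where possible):"
$standing | ForEach-Object { "  - $(Get-PrincipalLabel $_)" }

# Group-backed assignments deserve their own review: every member of the group
# inherits Global Administrator, so the headline count understates exposure.
$groupBacked = @($active + $eligible | Where-Object {
    $_.Principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group'
})
if ($groupBacked.Count -gt 0) {
    ""
    "Group-backed assignments (check group membership and who can modify the group):"
    $groupBacked | ForEach-Object { "  - $(Get-PrincipalLabel $_)" }
}
```

Run it in a PowerShell 7 session; the standing list is the one to compare against the 2-to-5 target, and any account in it that is also someone's day-to-day mailbox is the Domain 1 separation finding. Without a P2 licence the two schedule cmdlets return errors, which is itself the Domain 2 answer: every assignment is standing.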

Domain 3

Privileged session controls

Microsoft's Privileged Access Workstation (PAW) guidance and ASD ISM both recommend that admin work happens on a separate hardened device. The PAW prevents a compromised general-use device from giving an attacker privileged access. Sign-in risk policies on admin accounts add a second layer of detection.

Domain 4

Audit and governance

Microsoft recommends two break-glass accounts excluded from Conditional Access and MFA enforcement, monitored aggressively. Access reviews on privileged roles ensure standing assignments don't accumulate. Privileged activity should flow to Microsoft Sentinel or Defender XDR for monitoring and alerting.

Frequently asked questions

What Australian security teams ask.

How many Global Administrators should an organisation have?

Microsoft recommends between 2 and 5 named Global Administrators, plus 2 break-glass (emergency-access) accounts that are monitored but excluded from MFA and Conditional Access. Most Australian mid-market tenants Frontrow audits run between 8 and 30 Global Administrators, often inherited from years of role assignments without review.

What is Privileged Identity Management (PIM)?

PIM is a Microsoft Entra ID P2 feature that turns privileged role assignments from active to eligible. Instead of holding the role permanently, the user activates it just-in-time when they need it, with an approval workflow, MFA challenge, justification, and audit trail. ASD's Information Security Manual and Microsoft's privileged-access deployment guidance both recommend PIM as the baseline.

What is a Privileged Access Workstation (PAW)?

A PAW is a separate, hardened device used only for privileged administrative tasks. It is locked down, has restricted browsing and email (or none at all), is fully managed via Microsoft Intune, and admin sign-ins are gated so that they are only accepted from it. The PAW prevents a compromised general-use device from giving an attacker privileged access. Microsoft's PAW deployment guidance and ASD ISM both reference this control.

What are break-glass accounts?

Break-glass accounts are emergency-access admin accounts that exist outside the normal authentication and Conditional Access policies. The purpose is to allow recovery if the tenant's MFA, Conditional Access, or PIM stack fails. Microsoft recommends two break-glass accounts in the .onmicrosoft.com domain, with credentials stored in a physical safe, excluded from CA enforcement, and aggressively monitored for any sign-in activity.
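Two of the break-glass requirements above (excluded from Conditional Access enforcement, and aggressively monitored for any sign-in) can be verified from the tenant rather than self-reported. The script below is an added example written for this page, not Frontrow's audit tooling or code from the original page. It assumes the Microsoft Graph PowerShell SDK and an account that can read Conditional Access policies and sign-in logs; the two account names and the lookback window are placeholders to replace with your own values. The exclusion check is deliberately conservative: it flags every enabled policy that does not exclude the account either directly or through a group the account belongs to, without trying to work out whether the policy's include scope would have caught the account anyway.

```powershell
# Added example (not Frontrow's audit code): check break-glass account hygiene.
# 1. Is each emergency-access account excluded from every enabled Conditional
#    Access policy (directly, or via a group it is a member of)?
# 2. Has it signed in recently? Any sign-in is an event worth investigating.
# Assumes the Microsoft Graph PowerShell SDK; account names below are placeholders.

$breakGlassUpns = @(
    'breakglass1@contoso.onmicrosoft.com',   # placeholder, replace with your accounts
    'breakglass2@contoso.onmicrosoft.com'    # placeholder
)
$lookbackDays = 30                            # placeholder monitoring window

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Only enabled policies can block an emergency sign-in; report-only and
# disabled policies are listed separately by Entra and ignored here.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })
$since = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')

foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled
    "== $upn (account enabled: $($user.AccountEnabled))"

    # Group ids the account belongs to, so group-based exclusions count as well.
    $memberOfIds = @(Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object { $_.Id })

    $gaps = @($policies | Where-Object {
        $users = $_.Conditions.Users
        $directlyExcluded = @($users.ExcludeUsers) -contains $user.Id
        $groupExcluded = @($users.ExcludeGroups | Where-Object { $memberOfIds -contains $_ }).Count -gt 0
        -not ($directlyExcluded -or $groupExcluded)
    })
    if ($gaps.Count -eq 0) {
        "   Excluded from all $($policies.Count) enabled Conditional Access policies."
    } else {
        "   NOT excluded from $($gaps.Count) enabled policies:"
        $gaps | ForEach-Object { "     - $($_.DisplayName)" }
    }

    # Sign-in activity: a break-glass account should be silent outside drills.
    $signIns = @(Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -Top 50)
    if ($signIns.Count -eq 0) {
        "   No sign-ins in the last $lookbackDays days."
    } else {
        "   $($signIns.Count) sign-in(s) in the last $lookbackDays days (investigate each one):"
        $signIns | ForEach-Object {
            $outcome = if ($_.Status.ErrorCode -eq 0) { 'success' } else { "failed ($($_.Status.ErrorCode))" }
            "     - $($_.CreatedDateTime)  $($_.IPAddress)  $($_.AppDisplayName)  $outcome  CA: $($_.ConditionalAccessStatus)"
        }
    }
}
```

The sign-in query only covers the retention window Entra keeps for sign-in logs, so for the "aggressively monitored" requirement the same condition (any sign-in by these accounts) belongs as an always-on alert in whatever the tenant forwards its sign-in logs to, such as Microsoft Sentinel as the page describes; this script is the periodic verification, not the alert.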

Why does the same person need a separate admin account?

Admin accounts and user accounts have different threat profiles. A user account is exposed to phishing, malicious email attachments, web-based attacks, and password reuse. An admin account should be isolated from those exposures: blocked from web browsing and email, signed in from a managed device only. The classic guidance is one identity per privilege boundary.

Is this overkill for a small business?

The break-glass discipline and 2-to-5 Global Administrator count apply at any size. PAW deployment is more substantial work and is typically scoped to organisations with regulated data, government adjacency, or critical infrastructure. PIM works at any tenant size and is included in any P2 licence. Frontrow scopes the recommendations to match the organisation's risk profile.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for PIM, PAW and Entra ID role best practices; ASD Information Security Manual for the Australian baseline; CIS Microsoft 365 Foundations Benchmark. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's verified privileged access audit include?

A direct review, via Microsoft Graph rather than self-reported answers, of Entra ID role assignments, PIM configuration, Conditional Access scoped to admin roles, audit logging configuration and break-glass discipline; an inventory of high-risk standing assignments; and a remediation plan covering PIM rollout, scoped role migration and the PAW pattern. Indicative pricing on request.