Privileged Access Foundations
Before deploying PAWs or PIM, get the foundations right. This guide covers the baseline hygiene that underpins any privileged access strategy.
Start with the basics
Every privileged access programme should start with foundations — not tooling. Organisations frequently jump to deploying PIM or Conditional Access without addressing the structural issues that make those controls less effective.
What foundations means
Foundations covers the baseline hygiene and governance that everything else depends on:
- Account separation — dedicated admin accounts, separate from daily-use identities
- Naming conventions — consistent, identifiable admin account naming
- Role definitions — clear mapping of administrative responsibilities to Entra ID roles or custom RBAC
- Lifecycle management — joiner, mover, leaver processes that include privileged accounts
- Governance — documented policies, ownership, and accountability for privileged access
Why this matters
Without clean foundations, higher-level controls produce false confidence. PIM might be deployed, but if admin accounts are poorly governed, the attack surface remains wide.
Common problems at this level:
- Admin accounts with no clear owner
- Shared admin credentials across teams
- No process for removing admin access when roles change
- Inconsistent or missing naming conventions
- Privileged accounts excluded from Conditional Access by accident
Where to start
- Audit all accounts with standing privileged access
- Establish a naming convention for admin accounts
- Separate admin accounts from daily-use identities
- Document role definitions and map them to Entra ID roles
- Implement a review cycle for privileged account ownership
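The five starting steps above are the kind of checks that can be scripted once the data is in hand. The following is an added example, not code from this guide or from the Privileged Path Framework. It runs an audit over a constructed, in-memory export of role assignments rather than a live tenant; in practice the records would come from your directory's role assignment and PIM eligibility data. The naming convention (`adm-<alias>@<tenant>`), the per-account `owner` attribute, and the documented role list are assumptions for the example.

```python
"""Foundations audit over a constructed export of privileged role assignments.

Added example, not part of the original guide. Assumptions (all labelled):
  - Admin accounts follow the hypothetical convention 'adm-<alias>@<tenant>'.
  - Each record is a simplified stand-in for a role assignment export:
    principal UPN, role name, assignment type ('standing' or 'eligible'),
    and an 'owner' value the organisation records itself (may be empty).
  - Daily-use identities are supplied separately so the audit can confirm
    that no daily-use identity also holds a privileged role.
"""
import re
from collections import Counter

# Assumed naming convention for dedicated admin accounts.
ADMIN_UPN_PATTERN = re.compile(r"^adm-[a-z0-9.]+@[a-z0-9.-]+$")

# Constructed sample data, not a real tenant export.
ROLE_ASSIGNMENTS = [
    {"upn": "adm-jsmith@contoso.example", "role": "Global Administrator",
     "type": "standing", "owner": "J. Smith"},
    {"upn": "adm-jsmith@contoso.example", "role": "Exchange Administrator",
     "type": "eligible", "owner": "J. Smith"},
    {"upn": "jdoe@contoso.example", "role": "User Administrator",
     "type": "standing", "owner": ""},
    {"upn": "helpdesk-shared@contoso.example", "role": "Helpdesk Administrator",
     "type": "standing", "owner": "Service Desk"},
    {"upn": "adm-mlee@contoso.example", "role": "Security Administrator",
     "type": "eligible", "owner": ""},
]

# Constructed: the daily-use identities known to the organisation.
DAILY_USE_UPNS = {
    "jsmith@contoso.example", "jdoe@contoso.example", "mlee@contoso.example",
}

# Constructed: roles that have a documented definition and mapping.
DOCUMENTED_ROLES = {
    "Global Administrator", "Exchange Administrator",
    "User Administrator", "Security Administrator",
}


def audit(assignments, daily_use_upns, documented_roles):
    """Return findings per foundation check, each as a sorted list.

    Account-keyed findings hold UPNs; 'undocumented_roles' holds role names.
    """
    standing, naming, not_separated, no_owner, undocumented = (
        set(), set(), set(), set(), set())
    for rec in assignments:
        upn, role = rec["upn"], rec["role"]
        # 1. Inventory of standing (non-eligible) privileged access.
        if rec["type"] == "standing":
            standing.add(upn)
        # 2. Naming convention: does the privileged account look like one?
        if not ADMIN_UPN_PATTERN.match(upn):
            naming.add(upn)
        # 3. Separation: a daily-use identity must not hold a privileged role.
        if upn in daily_use_upns:
            not_separated.add(upn)
        # 4. Ownership: every privileged account needs a named owner.
        if not rec["owner"].strip():
            no_owner.add(upn)
        # 5. Role definitions: every assigned role should be documented.
        if role not in documented_roles:
            undocumented.add(role)
    return {
        "standing_access": sorted(standing),
        "naming_violations": sorted(naming),
        "not_separated": sorted(not_separated),
        "no_owner": sorted(no_owner),
        "undocumented_roles": sorted(undocumented),
    }


def prioritise(findings):
    """Rank accounts by how many account-keyed checks they fail, worst first."""
    counts = Counter()
    for key in ("standing_access", "naming_violations", "not_separated", "no_owner"):
        counts.update(findings[key])
    return counts.most_common()


if __name__ == "__main__":
    results = audit(ROLE_ASSIGNMENTS, DAILY_USE_UPNS, DOCUMENTED_ROLES)
    for check, items in results.items():
        print(f"{check}: {', '.join(items) or 'none'}")
    print("priority order:")
    for upn, failed in prioritise(results):
        print(f"  {upn}: {failed} check(s) failed")
```

Running the script ranks `jdoe@contoso.example` first: it holds standing access, breaks the naming convention, is a daily-use identity, and has no recorded owner, which is exactly the profile the "Common problems" list describes. The ranking is a starting point for the review cycle, not a substitute for it; the checks only see what the export contains, so a missing owner field or an undocumented role should be treated as a governance gap to close, not as noise to filter out.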
This is the least exciting part of a privileged access programme. It is also the most important.
Foundations are not optional. They are the base layer of the Privileged Path Framework and directly affect the effectiveness of Control, Isolation, Operations, and Validation.