{"id":9774,"date":"2025-02-25T09:00:00","date_gmt":"2025-02-25T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9774"},"modified":"2025-10-17T11:10:49","modified_gmt":"2025-10-17T18:10:49","slug":"improving-security-by-protecting-elevated-privilege-accounts-at-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/","title":{"rendered":"Improving security by protecting elevated-privilege accounts at Microsoft"},"content":{"rendered":"\n<figure class=\"wp-block-image alignright size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories.png\" alt=\"Microsoft Digital technical stories\" style=\"width:300px\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>This story was first published in 2019. We periodically update our stories, but we can&#8217;t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An ever-evolving digital landscape is forcing organizations to adapt and expand to stay ahead of innovative and complex security risks. Increasingly sophisticated and targeted threats, including phishing campaigns and malware attacks, attempt to harvest credentials or exploit hardware vulnerabilities that allow movement to other parts of the network, where they can do more damage or gain access to unprotected information.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Like many organizations, Microsoft Digital\u2014our company\u2019s IT organization\u2014used to employ a traditional IT approach to securing the enterprise. We now know that effective security calls for a defense-in-depth approach that requires us to look at the whole environment\u2014and everyone that accesses it\u2014to implement policies and standards that better address risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To dramatically limit our attack surface and protect our assets, we developed and implemented our own defense-in-depth approach. This includes new company standards, telemetry, monitoring, tools, and processes to protect administrators and other elevated-privilege accounts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In an environment where there are too many administrators, or elevated-privilege accounts, there is an increased risk of compromise. When elevated access is persistent or elevated-privilege accounts use the same credentials to access multiple resources, a compromised account can become a major breach.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This story highlights the steps we are taking at Microsoft to protect our environment and administrators, including new programs, tools, and considerations, and the challenges we faced. We will provide some details about the new \u201cProtect the Administrators\u201d program that is positively impacting the Microsoft ecosystem. This program takes security to the next level across the entire enterprise, ultimately changing our digital-landscape security approach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding defense-in-depth protection<\/h2>\n\n\n\n<figure class=\"wp-block-image alignleft size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147-img-001.png\" alt=\"Information protection depicted as a stool with three legs that represent device health, identity management, and data and telemetry.\" style=\"width:350px\"\/><figcaption class=\"wp-element-caption\"><em>The three-legged-stool approach to information protection.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Securing all environments within your organization is a great first step in protecting your company. But there\u2019s no silver-bullet solution that will magically counter all threats. At Microsoft, information protection rests on a defense-in-depth approach built on device health, identity management, and data and telemetry\u2014a concept illustrated by the three-legged security stool, in the graphic below. Getting security right is a balancing act. For a security solution to be effective, it must address all three aspects of risk mitigation on a base of risk management and assurance\u2014or the stool topples over and information protection is at risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Risk-based approach<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Though we would like to be able to fix everything at once, that simply isn\u2019t feasible. We created a risk-based approach to help us prioritize every major initiative. We used a holistic strategy that evaluated all environments, administrative roles, and access points to help us define our most critical roles and resources within the Microsoft ecosystem. Once defined, we could identify the key initiatives that would help protect the areas that represent the highest levels of risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As illustrated in the graphic below, the access-level roles that pose a higher risk should have fewer accounts\u2014helping reduce the impact to the organization and control entry.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The next sections focus primarily on protecting elevated user accounts and the \u201cProtect the Administrators\u201d program. We\u2019ll also discuss key security initiatives that are relevant to other engineering organizations across Microsoft.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Implementing the Protect the Administrators program<\/h2>\n\n\n\n<figure class=\"wp-block-image alignright size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147-img-002.png\" alt=\"Illustration of the risk-role pyramid we use to help prioritize security initiatives.\" style=\"width:297px\"\/><figcaption class=\"wp-element-caption\"><em>The risk-role pyramid.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">After doing a deeper analysis of our environments, roles, and access points, we developed a multifaceted approach to protecting our administrators and other elevated-privilege accounts. Key solutions include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Working to ensure that our standards and processes are current, and that the enterprise is compliant with them.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Creating a targeted reduction campaign to scale down the number of individuals with elevated-privilege accounts.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Auditing elevated-privilege accounts and role management to help ensure that only employees who need elevated access retain elevated-access privileges.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Creating a <a href=\"https:\/\/www.microsoft.com\/en-us\/insidetrack\/using-shielded-virtual-machines-to-help-protect-high-value-assets\">High Value Asset (HVA)<\/a>\u2014an isolated, high-risk environment\u2014to host a secure infrastructure and help reduce the attack surface.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Providing secure devices to administrators. Secure admin workstations (SAWs) provide a \u201csecure keyboard\u201d in a locked-down environment that helps curb credential-theft and credential-reuse scenarios.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Reporting metrics and data that help us share our story with corporate leadership as well as getting buy-in from administrators and other users who have elevated-privilege accounts across the company.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Defining your corporate landscape<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the past, equipment was primarily on-premises, and it was assumed to be easier to keep development, test, and production environments separate, secure, and well-isolated without a lot of crossover. Users often had access to more than one of these environments but used a <em>persistent<\/em> <em>identity<\/em>\u2014a unique combination of username and password\u2014to log into all three. After all, it\u2019s easier to remember login information for a persistent identity than it is to create separate identities for each environment. But because we had strict network boundaries, this persistent identity wasn\u2019t a source of concern.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Today, that\u2019s not the case. The advent of the cloud has dissolved the classic network edge. The use of on-premises datacenters, cloud datacenters, and hybrid solutions are common in nearly every company. Using one persistent identity across all environments can increase the attack surface exposed to adversaries. If compromised, it can yield access to all company environments. That\u2019s what makes identity today\u2019s true new perimeter.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, we reviewed our ecosystem to analyze whether we could keep production and non-production environments separate. We used our Red Team\/penetration (PEN) testers to help us validate our holistic approach to security, and they provided great guidance on how to further establish a secure ecosystem.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The graphic below illustrates the Microsoft ecosystem, past and present. We have three major types of environments in our ecosystem today: our Microsoft and Microsoft 365 tenants, Microsoft Azure subscriptions, and on-premises datacenters. We now treat them all like a production environment with no division between production and non-production (development and test) environments.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147-img-003.png\" alt=\"Microsoft ecosystem then and now. Three environment types now: Microsoft and Microsoft 365 tenants, Azure subscriptions, and on-premises datacenters.\" style=\"width:600px\"\/><figcaption class=\"wp-element-caption\"><em>Now, everything is considered a \u201cproduction\u201d environment. We treat our three major environments in the Microsoft ecosystem like production.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Refining roles to reduce attack surfaces<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Prior to embarking on the \u201cProtect the Administrators\u201d program, we felt it was necessary to evaluate every role with elevated privileges to determine their level of access and capability within our landscape. Part of the process was to identify tooling that would also protect company security (identity, security, device, and non-persistent access).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our goal was to provide administrators the means to perform their necessary duties in support of the technical operations of Microsoft with the necessary security tooling, processes, and access capabilities\u2014but with the lowest level of access possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The top security threats that every organization faces stem from too many employees having too much persistent access. Every organization\u2019s goal should be to dramatically limit their attack surface and reduce the amount of \u201ctraversing\u201d (lateral movement across resources) a breach will allow, should a credential be compromised. This is done by limiting elevated-privilege accounts to employees whose roles require access and by ensuring that the access granted is commensurate with each role. This is known as \u201cleast-privileged access.\u201d The first step in reaching this goal is understanding and redefining the roles in your company that require elevated privileges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Defining roles<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We started with basic definitions. An information-worker account does not allow elevated privileges, is connected to the corporate network, and has access to productivity tools that let the user do things like log into SharePoint, use applications like Microsoft Excel and Word, read and send email, and browse the web.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We defined an administrator as a person who is responsible for the development, build, configuration, maintenance, support, and reliable operations of applications, networks, systems, and\/or environments (cloud or on-premises datacenters). In general terms, an administrator account is one of the elevated-privilege accounts that has more access than an information worker\u2019s account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using role-based controls to establish elevated-privilege roles<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We used a role-based access control (RBAC) model to establish which specific elevated-privilege roles were needed to perform the duties required within each line-of-business application in support of Microsoft operations. From there, we deduced a minimum number of accounts needed for each RBAC role and started the process of eliminating the excess accounts. Using the RBAC model, we went back and identified a variety of roles requiring elevated privileges in each environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the Microsoft Azure environments, we used RBAC, built on Microsoft Azure Resource Manager, to manage who has access to Azure resources and to define what they can do with those resources and what areas they have access to. Using RBAC, you can segregate duties within your team and grant to users only the amount of access that they need to perform their jobs. Instead of giving everybody unrestricted permissions in our Azure subscription or resources, we allow only certain actions at a particular scope.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Performing role attestation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We explored role attestation for administrators who moved laterally within the company to make sure their elevated privileges didn\u2019t move with them into the new roles. Limited checks and balances were in place to ensure that the right privileges were applied or removed when someone\u2019s role changed. We fixed this immediately through a quarterly attestation process that required the individual, the manager, and the role owner to approve continued access to the role.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Implementing least-privileged access<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We identified those roles that absolutely required elevated access, but not all elevated-privilege accounts are created equal. Limiting the attack surface visible to potential aggressors depends not only on reducing the number of elevated-privilege accounts. It also relies on only providing elevated-privilege accounts with the least-privileged access needed to get their respective jobs done.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, consider the idea of crown jewels kept in the royal family\u2019s castle. There are many roles within the operations of the castle, such as the king, the queen, the cook, the cleaning staff, and the royal guard. Not everyone can or should have access everywhere. The king and queen hold the only keys to the crown jewels. The cook needs access only to the kitchen, the larder, and the dining room. The cleaning staff needs limited access everywhere, but only to clean, and the royal guard needs access to areas where the king and queen are. No one other than the king and queen, however, needs access to the crown jewels. This system of restricted access provides two benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Only those who absolutely require access to a castle area have keys, and only to perform their assigned jobs, nothing more. If the cook tries to access the crown jewels, security alarms notify the royal guard, along with the king and queen.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Only two people, the king and queen, have access to the crown jewels. Should anything happen to the crown jewels, a targeted evaluation of those two people takes place and doesn\u2019t require involvement of the cook, the cleaning staff, or the royal guard because they don\u2019t have access.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This is the concept of least-privileged access: We only allow you access to a specific role to perform a specific activity within a specific amount of time from a secure device while logged in from a secure identity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Creating a secure high-risk environment<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We can\u2019t truly secure our devices without having a highly secure datacenter to build and house our infrastructure. We used HVA to implement a multitiered and highly secure high-risk environment (HRE) for isolated hosting. We treated our HRE as a private cloud that lives inside a secure datacenter and is isolated from dependencies on external systems, teams, and services. Our secure tools and services are built within the HRE.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional corporate networks were typically walled only at the external perimeters. Once an attacker gained access, it was easier for a breach to move across systems and environments. Production servers often reside on the same segments or on the same levels of access as clients, so you inherently gain access to servers and systems. If you start building some of your systems but you\u2019re still dependent on older tools and services that run in your production environment, it\u2019s hard to break those dependencies. Each one increases your risk of compromise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s important to remember that security awareness requires ongoing hygiene. New tools, resources, portals, and functionality are constantly coming online or being updated. For example, certain web browsers sometimes release updates weekly. We must continually review and approve the new releases, and then repackage and deploy the replacement to approved locations. Many companies don\u2019t have a thorough application-review process, which increases their attack surface due to poor hygiene (for example, multiple versions, third-party and malware-infested application challenges, unrestricted URL access, and lack of awareness).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The initial challenge we faced was discovering all the applications and tools that administrators were using so we could review, certify, package, and sign them as approved applications for use in the HRE and on SAWs. We also needed to implement a thorough application-review process, specific to the applications in the HRE.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our HRE was built as a trust-nothing environment. It\u2019s isolated from other less-secure systems within the company and can only be accessed from a SAW\u2014making it harder for adversaries to move laterally through the network looking for the weakest link. We use a combination of automation, identity isolation, and traditional firewall isolation techniques to maintain boundaries between servers, services, and the customers who use them. Admin identities are distinct from standard corporate identities and subject to more restrictive credential- and lifecycle-management practices. Admin access is scoped according to the principle of least privilege, with separate admin identities for each service. This isolation limits the scope that any one account could compromise. Additionally, every setting and configuration in the HRE must be explicitly reviewed and defined. The HRE provides a highly secure foundation that allows us to build protected solutions, services, and systems for our administrators.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Secure devices<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Secure admin workstations (SAWs) are limited-use client machines that substantially reduce the risk of compromise. They are an important part of our layered, defense-in-depth approach to security. A SAW doesn\u2019t grant rights to any actual resources\u2014it provides a \u201csecure keyboard\u201d in which an administrator can connect to a secure server, which itself connects to the HRE.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A SAW is an administrative-and-productivity-device-in-one, designed and built by Microsoft for one of our most critical resources\u2014our administrators. Each administrator has a single device, a SAW, where they have a hosted virtual machine (VM) to perform their administrative duties and a corporate VM for productivity work like email, Microsoft 365 products, and web browsing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When working, administrators must keep secure devices with them, but they are responsible for them at all times. This requirement mandated that the secure device be portable. As a result, we developed a laptop that\u2019s a securely controlled and provisioned workstation. It\u2019s designed for managing valuable production systems and performing daily activities like email, document editing, and development work. The administrative partition in the SAW curbs credential-theft and credential-reuse scenarios by locking down the environment. The productivity partition is a VM with access like any other corporate device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SAW host is a restricted environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">It allows only signed or approved applications to run.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">The user doesn\u2019t have local administrative privileges on the device.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">By design, the user can browse only a restricted set of web destinations.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">All automatic updates from external parties and third-party add-ons or plug-ins are disabled.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Again, the SAW controls are only as good as the environment that holds them, which means that the SAW isn\u2019t possible without the HRE. Maintaining adherence to SAW and HRE controls requires an ongoing operational investment, similar to any Infrastructure as a Service (IaaS). Our engineers code-review and code-sign all applications, scripts, tools, and any other software that operates or runs on top of the SAW. The administrator user has no ability to download new scripts, coding modules, or software outside of a formal software distribution system. Anything added to the SAW gets reviewed before it\u2019s allowed on the device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As we onboard an internal team onto SAW, we work with them to ensure that their services and endpoints are accessible using a SAW device. We also help them integrate their processes with SAW services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Provisioning the administrator<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Once a team has adopted the new company standard of requiring administrators to use a SAW, we deploy the Microsoft Azure-based Conditional Access (CA) policy. As part of CA policy enforcement, administrators can\u2019t use their elevated privileges without a SAW. Between the time that an administrator places an order and receives the new SAW, we provide temporary access to a SAW device so they can still get their work done.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We ensure security at every step within our supply chain. That includes using a dedicated manufacturing line exclusive to SAWs, ensuring chain of custody from manufacturing to end-user validation. Since SAWs are built and configured for the specific user rather than pulling from existing inventory, the process is much different from how we provision standard corporate devices. The additional security controls in the SAW supply chain add complexity and can make scaling a challenge from the global-procurement perspective.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Supporting the administrator<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">SAWs come with dedicated, security-aware support services from our Secure Admin Services (SAS) team. The SAS team is responsible for the HRE and the critical SAW devices\u2014providing around-the-clock role-service support to administrators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SAS team owns and supports a service portal that facilitates SAW ordering and fulfillment, role management for approved users, application and URL hosting, SAW assignment, and SAW reassignment. They\u2019re also available in a development operations (DevOps) model to assist the teams that are adopting SAWs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As different organizations within Microsoft choose to adopt SAWs, the SAS team works to ensure they understand what they are signing up for. The team provides an overview of their support and service structure and the HRE\/SAW solution architecture, as illustrated in the graphic below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147-img-004.png\" alt=\"A high-level overview of the HRE\/SAW solution architecture, including SAS team and DevOps support services. \" style=\"width:650px\"\/><figcaption class=\"wp-element-caption\"><em>An overview of an isolated HRE, a SAW, and the services that help support administrators.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Today, the SAS team provides support service to more than 40,000 administrators across the company. We have more work to do as we enforce SAW usage across all teams in the company and stretch into different roles and responsibilities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Password vaulting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The password-vaulting service allows passwords to be securely encrypted and stored for future retrieval. This eliminates the need for administrators to remember passwords, which has often resulted in passwords being written down, shared, and compromised.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SAS Password Vaulting is composed of two internal, custom services currently offered through our SAS team:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">A custom solution to manage domain-based service accounts and shared password lists.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">A local administrator password solution (<a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noreferrer noopener\">LAPS<\/a>) to manage server-local administrator and integrated Lights-Out (iLO) device accounts.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Password management is further enhanced by the service\u2019s capability to automatically generate and roll complex random passwords. This ensures that privileged accounts have high-strength passwords that are changed regularly and reduces the risk of credential theft.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Administrative policies<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve put administrative policies in place for privileged-account management. They\u2019re designed to protect the enterprise from risks associated with elevated administrative rights. Microsoft Digital reduces attack vectors with an assortment of security services, including SAS and Identity and Access Management, that enhance the security posture of the business. Especially important is the implementation of usage metrics for threat and vulnerability management. When a threat or vulnerability is detected, we work with our Cyber Defense Operations Center (<a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/cdoc\" target=\"_blank\" rel=\"noreferrer noopener\">CDOC<\/a>) team. Using a variety of monitoring systems through data and telemetry measures, we ensure that compliance and enforcement teams are notified immediately. Their engagement is key to keeping the ecosystem secure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Just-in-time entitlement system<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Least-privileged access paired with a just-in-time (JIT) entitlement system provides the least amount of access to administrators for the shortest period of time. A JIT entitlement system allows users to elevate their entitlements for limited periods of time to complete elevated-privilege and administrative duties. The elevated privileges normally last between four and eight hours.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">JIT allows removal of users\u2019 persistent administrative access (via Active Directory Security Groups) and replaces those entitlements with the ability to elevate into roles on-demand and just-in-time. We used proper RBAC approaches with an emphasis on providing access only to what is absolutely required. We also implemented access controls to remove excess access (for example, Global Administrator or Domain Administrator privileges). An example of how JIT is part of our overarching defense-in-depth strategy is a scenario in which an administrator\u2019s smartcard and PIN are stolen. Even with the physical card and the PIN, an attacker would have to successfully navigate a JIT workflow process before the account would have any access rights.<\/p>\n\n\n\n<div data-bi-aN=\"Key Takeaways\" class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-fd44144e wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"124\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png\" alt=\"Key Takeaways\" class=\"wp-image-7448\" style=\"width:300px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the three years this project has been going on, we have learned that an ongoing commitment and investment are critical to providing defense-in-depth protection in an ever-evolving work environment. We have learned a few things that could help other companies as they decide to better protect their administrators and, thus, their company assets:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Securing all environments. <\/strong>We needed to evolve the way we looked at our environments. Through evolving company strategy and our Red Team\/PEN testing, it has been proven numerous times that successful system attacks take advantage of weak controls or bad hygiene in a development environment to access and cause havoc in production.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Influencing, rather than forcing, cultural change.<\/strong> Microsoft employees have historically had the flexibility and freedom to do amazing things with the products and technology they had on hand. Efforts to impose any structure, rigor, or limitation on that freedom can be challenging. Taking people\u2019s flexibility away from them, even in the name of security, can generate friction. Inherently, employees want to do the right thing when it comes to security and will adopt new and better processes and tools as long as they understand the need for them. Full support of the leadership team is critical in persuading users to change how they think about security. It was important that we developed compelling narratives for areas of change, and had the data and metrics to reinforce our messaging.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Scaling SAW procurement. <\/strong>We secure every aspect of the end-to-end supply chain for SAWs. This level of diligence does result in more oversight and overhead. While there might be some traction around the concept of providing SAWs to all employees who have elevated-access roles, it would still be very challenging for us to scale to that level of demand. From a global perspective, it is also challenging to ensure the required chain of custody to get SAWs into the hands of administrators in more remote countries and regions. To help us overcome the challenges of scale, we used a phased approach to roll out the Admin SAW policy and provision SAWs.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Providing a performant SAW experience for the global workforce.<\/strong> We aim to provide a performant experience for all users, regardless of their location. We have users around the world, in most major countries and regions. Supporting our global workforce has required us to think through and deal with some interesting issues regarding the geo-distribution of services and resources. For instance, locations like China and some places in Europe are challenging because of connectivity requirements and performance limitations. Enforcing SAW in a global company has meant dealing with these issues so that an administrator, no matter where they are located, can effectively complete necessary work.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s next<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As we stated before, there are no silver-bullet solutions when it comes to security. As part of our defense-in-depth approach to an ever-evolving threat landscape, there will always be new initiatives to drive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Recently, we started exploring how to separate our administrators from our developers and using a different security approach for the developer roles. In general, developers require more flexibility than administrators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There also continue to be many other security initiatives around device health, identity and access management, data loss protection, and corporate networking. We\u2019re also working on the continued maturity of our compliance and governance policies and procedures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Getting started<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While it has taken us years to develop, implement, and refine our multitiered, defense-in-depth approach to security, there are some solutions that you can adopt now as you begin your journey toward improving the state of your organization\u2019s security:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Design and enforce hygiene. <\/strong>Ensure that you have the governance in place to drive compliance. This includes controls, standards, and policies for the environment, applications, identity and access management, and elevated access. It\u2019s also critical that standards and policies are continually refined to reflect changes in environments and security threats. Implement governance and compliance to enforce least-privileged access. Monitor resources and applications for ongoing compliance and ensure that your standards remain current as roles evolve.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Implement least-privileged access.<\/strong> Using proper RBAC approaches with an emphasis on providing access only to what is absolutely required is the concept of least-privileged access. Add the necessary access controls to remove the need for Global Administrator or Domain Administrator access. Just provide everyone with the access that they truly need. Build your applications, environments, and tools to use RBAC roles, and clearly define what each role can and can\u2019t do.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Remove all persistent access. <\/strong>All elevated access should require JIT elevation. It requires an extra step to get temporary secure access before performing elevated-privilege work. Setting persistent access to expire when it\u2019s no longer necessary narrows your exposed attack surface.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Provide isolated elevated-privilege credentials.<\/strong> Using an isolated identity substantially reduces the possibility of compromise after a successful phishing attack. Admin accounts without an inbox have no email to phish. Keeping the information-worker credential separate from the elevated-privilege credential reduces the attack surface.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft Services can help<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Customers interested in adopting a defense-in-depth approach to increase their security posture might want to consider implementing <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/securing-privileged-access\/privileged-access-workstations\" target=\"_blank\" rel=\"noreferrer noopener\">Privileged Access Workstations<\/a> <a href=\"https:\/\/blogs.technet.microsoft.com\/datacentersecurity\/2018\/04\/30\/paw-deployment-guide\/\">(PAW)<\/a>. PAWs are a key element of the <a href=\"https:\/\/download.microsoft.com\/download\/A\/C\/5\/AC5D21A6-E04B-4DC4-B1F2-AE060319A4D7\/Premier_Support_for_Security\/Popis\/Enhanced-Security-Admin-Environment-Solution-Datasheet-[EN].pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Enhanced Security Administrative Environment (ESAE)<\/a> reference architecture deployed by the cybersecurity professional services teams at Microsoft to protect customers against cybersecurity attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more information about engaging Microsoft Services to deploy PAWs or ESAE for your environment, contact your Microsoft representative or visit the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a> page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Reaping the rewards<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Over the last two years we\u2019ve had an outside security audit expert perform a cyber-essentials-plus certification process. In 2017, the security audit engineers couldn\u2019t run most of their baseline tests because the SAW was so locked down. They said it was the \u201cmost secure administrative-client audit we\u2019ve ever completed.\u201d They couldn\u2019t even conduct most of their tests with the SAW\u2019s baseline, locked configuration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In 2018, the security audit engineer said, \u201cI had no chance; you have done everything right,\u201d and added, \u201cYou are so far beyond what any other company in the industry is doing.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also, in 2018, our SAW project won a CSO50 Award, which recognizes security projects and initiatives that demonstrate outstanding business value and thought leadership. SAW was commended as an innovative practice and a core element of the network security strategy at Microsoft.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, the certifications and awards help validate our defense-in-depth approach. We are building and deploying the correct solutions to support our ongoing commitment to securing Microsoft and our customers\u2019 and partners\u2019 information. It\u2019s a pleasure to see that solution recognized as a leader in the industry.<\/p>\n\n\n\n<div data-bi-aN=\"Key Takeaways\" class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-fe9cc265 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-medium is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"68\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out-300x68.png\" alt=\"Try it out\" class=\"wp-image-11919\" style=\"width:360px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out-300x68.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out-1024x234.png 1024w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out-768x175.png 768w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/07\/OKR_Try_it_out.png 1319w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security?OCID=InsideTrack_Product_6147\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about Cloud Security Services.<\/a> <\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\/identity-access?OCID=InsideTrack_Product_6147\" target=\"_blank\" rel=\"noreferrer noopener\">Go deeper on our Identity and Access Management System.<\/a><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div data-bi-aN=\"Key Takeaways\" class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-fe9cc265 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"135\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png\" alt=\"Related links\" class=\"wp-image-7482\" style=\"width:300px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/transitioning-to-modern-access-architecture-with-zero-trust\/\">Explore how to transition to modern access architecture with Zero Trust.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/boosting-our-security-first-initiative-at-microsoft-with-a-transformed-approach-to-wired-network-security\/\">Check out how we\u2019re rethinking wired network security at Microsoft.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/securing-privileged-access\/privileged-access-workstations\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about how we manage Privileged Access Workstations.<\/a><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div data-bi-aN=\"Key Takeaways\" class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-fe9cc265 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1.png\" alt=\"We'd like to hear from you!\" style=\"width:580px\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"mailto:msitstaff@microsoft.com\">Want more information? Email us and include a link to this story and we\u2019ll get back to you.<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This story was first published in 2019. We periodically update our stories, but we can&#8217;t verify that they represent the full picture of our current situation at Microsoft. We leave them on the site so you can see what our thinking and experience was at the time. An ever-evolving digital landscape is forcing organizations to [&hellip;]<\/p>\n","protected":false},"author":133,"featured_media":9833,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[852,115,849,848,419],"coauthors":[646],"class_list":["post-9774","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-it-and-business-operations","tag-microsoft-azure","tag-network-and-infrastructure","tag-security-and-risk-management","tag-zero-trust","program-microsoft-digital-technical-stories","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-25T17:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-17T18:10:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"22 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/\"},\"author\":{\"name\":\"Inside Track staff\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"headline\":\"Improving security by protecting elevated-privilege accounts at Microsoft\",\"datePublished\":\"2025-02-25T17:00:00+00:00\",\"dateModified\":\"2025-10-17T18:10:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/\"},\"wordCount\":4605,\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2023\\\/02\\\/6147_hero-alt.jpg\",\"keywords\":[\"IT and business operations\",\"Microsoft Azure\",\"Network and infrastructure\",\"Security and risk management\",\"Zero Trust\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/\",\"name\":\"Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2023\\\/02\\\/6147_hero-alt.jpg\",\"datePublished\":\"2025-02-25T17:00:00+00:00\",\"dateModified\":\"2025-10-17T18:10:49+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\"},\"description\":\"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2023\\\/02\\\/6147_hero-alt.jpg\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2023\\\/02\\\/6147_hero-alt.jpg\",\"width\":1040,\"height\":585,\"caption\":\"At Microsoft, we\u2019re rethinking the way we protect our environment and our system administrators.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Improving security by protecting elevated-privilege accounts at Microsoft\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/d87d5d73eed76dd055086299c842c17e\",\"name\":\"Inside Track staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g\",\"caption\":\"Inside Track staff\"},\"description\":\"Questions? Send us a note: msitstaff@microsoft.com\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/author\\\/insidetrack\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog","description":"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/","og_locale":"en_US","og_type":"article","og_title":"Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog","og_description":"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/","og_site_name":"Inside Track Blog","article_published_time":"2025-02-25T17:00:00+00:00","article_modified_time":"2025-10-17T18:10:49+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","type":"image\/jpeg"}],"author":"Inside Track staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track staff","Est. reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/"},"author":{"name":"Inside Track staff","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"headline":"Improving security by protecting elevated-privilege accounts at Microsoft","datePublished":"2025-02-25T17:00:00+00:00","dateModified":"2025-10-17T18:10:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/"},"wordCount":4605,"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","keywords":["IT and business operations","Microsoft Azure","Network and infrastructure","Security and risk management","Zero Trust"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/","name":"Improving security by protecting elevated-privilege accounts at Microsoft - Inside Track Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","datePublished":"2025-02-25T17:00:00+00:00","dateModified":"2025-10-17T18:10:49+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"description":"Learn how we\u2019re using a defense-in-depth approach to ensure a secure digital environment and protect elevated-privilege accounts.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","width":1040,"height":585,"caption":"At Microsoft, we\u2019re rethinking the way we protect our environment and our system administrators."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Improving security by protecting elevated-privilege accounts at Microsoft"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e","name":"Inside Track staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g5b36aff6a325749e67e5cb253696fa6b","url":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cd7f2a0db74c09eb5a4b1d8812baa96be830da787002d0c498742b974e5d36d2?s=96&d=mm&r=g","caption":"Inside Track staff"},"description":"Questions? Send us a note: msitstaff@microsoft.com","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/02\/6147_hero-alt.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2xE","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=9774"}],"version-history":[{"count":11,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9774\/revisions"}],"predecessor-version":[{"id":18794,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9774\/revisions\/18794"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/9833"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=9774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=9774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=9774"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=9774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}