Is granular delegated admin privileges (GDAP) implemented across your Microsoft Azure tenant(s)?
If you have a CSP, MSSP, reseller or any other 3rd party that has access to your environment(s) and GDAP isn’t implemented, it’s likely they have the Global Administrator role by default.
If your provider hasn’t contacted you about GDAP and/or implemented it already, you’d be right to question what else they haven’t done for you!? All partners should have the necessary privilege to perform the duties they’ve been contracted to do, working on the basis of least privilege, alongside other controls that adhere to your policies.
Do you log and alert when partner(s) access your environment(s) and confirm their action(s)? Do you require a review of your current provider?
GDAP guidance is located here; https://learn.microsoft.com/en-us/partner-center/gdap-introduction
Speak to one of our consultants if you’d like further guidance.
Please get in touch using the form below.