
MT.1024 Designate more than one global admin + Least Priv Admin & PIM

Open michelderooij opened this issue 1 year ago • 5 comments

MT.1024 "Designate more than one global admin" and MT.1024 "Use least privileged administrative roles": both tests fail when PIM is utilized for assigning GA roles. Check current GA roles and privileged roles; might want to take into account the eligible assignments as well.

michelderooij avatar Apr 25 '24 10:04 michelderooij

Let me tag @f-bader to review this.

merill avatar Apr 25 '24 13:04 merill

I use PIM as well and it did not fail. The GA accounts are all eligible. The reason for the failure is not that it's in PIM; it is due to the thresholds you have defined in PIM. So if you have more GAs than the defined thresholds, then the test reports as failed. I don't think it's a bug.

Azdamus avatar Apr 26 '24 07:04 Azdamus

Perhaps it's a textual thing.

MT.1024 has one test "designate more than one global admin":

  • Failed because: "You currently have 1 global admin"

I have one permanent (break-glass), one PIM. The PIM one is used to run Maester, so at run-time it's a GA.

Another test, "use least privileged admin roles":

  • Failed because: "You currently have 0 users with privileged admin roles"

False: There are 2

  1. break-glass, but there is already a comment on that in the recommendations
  2. My elevated PIM'ed account

michelderooij avatar Apr 26 '24 09:04 michelderooij

@michelderooij I was away for a few weeks and had only limited access and time to a computer. You will see more activity in the next two weeks on this issue.

f-bader avatar May 13 '24 11:05 f-bader

@michelderooij I double checked the results in my dev tenant and can confirm that, when only one Global Admin is assigned at all, the recommendation from Microsoft will trigger.

I now added a second one as eligible to see if this changes the recommendation.

Since this test is only reading the results of Microsoft's own recommendations, there is not much I can do to fix this, as I don't want to build custom workarounds. If this issue holds true, I would ask you to open a ticket with Microsoft support to fix the internal logic of the recommendation. I'll keep you posted.

f-bader avatar May 18 '24 20:05 f-bader

It took much longer to update the recommendation than I would have expected, but the result is: if you only have one permanent global admin but a second one using PIM, this recommendation is triggered.

In my opinion this is also wrong, but as I wrote, it is something that Microsoft has to fix. Please report this as feedback to Microsoft.


f-bader avatar Jun 05 '24 20:06 f-bader
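The thread concludes that the Microsoft recommendation behind MT.1024 only counts permanently assigned Global Administrators, so a tenant with one permanent break-glass GA plus a second GA that is PIM-eligible is reported as having a single GA. The opening comment suggests counting eligible assignments too. The PowerShell below is an added example (not Maester's own test code) of how a tenant admin can check that themselves against Microsoft Graph. It assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account holds the RoleManagement.Read.Directory permission, and uses the well-known Global Administrator role template id; the function name `Get-GlobalAdminCoverage` and the Pester block are this example's own.

```powershell
#Requires -Modules Microsoft.Graph.Identity.Governance

# Well-known role template id of the Global Administrator directory role.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminCoverage {
    # Added example: counts permanent, active and PIM-eligible Global Admins
    # separately, so a break-glass GA plus a PIM-eligible GA shows as two principals.
    [CmdletBinding()]
    param()

    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

    # Active instances cover permanent members ("Assigned") and principals who
    # are currently activated through PIM ("Activated").
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -Filter "roleDefinitionId eq '$GlobalAdminRoleId'"

    # Eligible instances are PIM members who may activate but are not active now.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -Filter "roleDefinitionId eq '$GlobalAdminRoleId'"

    # Permanent = a standing assignment with no end date (not a PIM activation window).
    $permanent = @($active | Where-Object {
        $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime
    })

    # A principal that is both eligible and currently activated is counted once.
    $principals = @(@($active.PrincipalId) + @($eligible.PrincipalId) |
        Where-Object { $_ } | Sort-Object -Unique)

    [pscustomobject]@{
        PermanentGlobalAdmins = $permanent.Count
        ActiveGlobalAdmins    = @($active).Count
        EligibleGlobalAdmins  = @($eligible).Count
        DistinctPrincipals    = $principals.Count
        MoreThanOneIncludingPim = $principals.Count -gt 1
    }
}

# Optional Pester check in the style Maester tests use (hypothetical test, not MT.1024):
Describe 'Custom: Global Administrator coverage including PIM eligibility' {
    It 'has more than one Global Administrator when eligible assignments are counted' {
        (Get-GlobalAdminCoverage).DistinctPrincipals | Should -BeGreaterThan 1
    }
}
```

Run `Get-GlobalAdminCoverage` interactively to see the four counts side by side; the `PermanentGlobalAdmins` figure is the one the Microsoft recommendation appears to use, while `DistinctPrincipals` is the number the thread argues should satisfy "more than one global admin". Keep the expected number of permanent break-glass accounts in mind when reading the result, since a high `PermanentGlobalAdmins` count is the condition the least-privilege recommendation is meant to flag.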