Steve Lieberman: Now that you have learned about what Privileged Identity Management is and how to deploy it in your organization, we're going to use this time to discuss some of the most commonly asked questions when it comes to operationalizing PIM.

Shaun, what is the point of PIM if you don't have approval set up?
Shaun Liu: Yes. This is actually a very common question that people ask, because without approval set up, one thinks that an admin can actually activate themselves anytime they want. But technically, with the PIM configuration set up as you have seen in the past two videos, there are many settings which can actually secure your Privileged Access in your organization without approval set up. First of all, there is the Notification. So, if you turn on Notification for your organization and for that particular role, if someone goes and activates the role, we will send out an email to all the IT admins in your organization telling them that the person has actually activated that role. Now if one of your admins is awake at night and someone activated their role, this would be insecure, and you would go in there and, just as Steve did, deactivate that person from that role and investigate immediately.

Secondly, PIM also has Multi-Factor Authentication. As in the video before, we were also performing an MFA before we actually went and activated that role. So, that adds additional security for role activation. And then finally, the concept of eligibility itself is a great way to limit access in your organization. Making someone eligible is almost like a pre-approval before the user can actually go and activate that role. So, assigning people as eligible is a great way to safeguard Privileged Access for roles and administrators in your organization.

Now another commonly asked question, Steve, is what are the best practices when it comes to securing global administrators?
Steve: Among the best practices for securing global administrators, we enforce Multi-Factor Authentication, but you want to make sure that you at least have Break Glass accounts in your directory at all times. These Break Glass accounts are useful in the event that a system is no longer available, or the administrators can't access their accounts because they can't pass Multi-Factor Authentication. Additionally, you want to make sure that all the rest of the global administrators are eligible. We also encourage customers to try and have as few global administrators as possible. What this means is ideally under five global administrators. Also, we encourage you to use the other administrative roles such as Exchange Administrator, SharePoint Administrator, CRM Administrator, etcetera, as we talked about earlier.

Once you've employed these best practices for making global administrators eligible, Shaun, who should be made eligible beyond those global administrators?
Shaun: Right. So, kind of like what you were getting at just now, beyond the global administrator, we also have some highly privileged roles inside the organization. So, first of all, we have the Exchange Administrator, the Security Administrator, as well as the Privileged Role Administrator. All of these roles are highly privileged and can do a lot of harm in the organization. Now beyond these roles, you should look at the roles in your organization on a case-by-case basis, based on how actively the roles are used and what roles are actually used. You should look to limit standing admin across all of your Office 365 administrator roles. Maybe in the case of a reader role, you are not too concerned because they can't make changes, but you should also consider that a reader can read some secure information that you might not want distributed to anyone outside of your organization. So, basically, any of the roles are fair game for being protected by Privileged Identity Management, and it is up to you to look at what is more important. Now in terms of the Azure Resource side, the roles that we recommend for making eligible include the Owner role and the Contributor role, and beyond these roles there are also custom roles which you should look at. So, things like a VM Contributor can actually come in and make updates to your virtual machine, and you should look at making these roles eligible as well, especially for the resources that are highly privileged and can do a lot of harm if someone makes changes to them.

And so, as a final question, Steve, what are some of the best practices when it comes to doing an Access Review?
Steve: Sure, Shaun. Doing an Access Review is extremely important. We encourage you to do Access Reviews on a quarterly basis for your global administrator role, as well as the owner and user access administrator roles for Azure Resources. These are critical because all of those individuals that are assigned these roles may change over time. It's absolutely imperative that you make sure that you know who has global administrator in your organization. They do have access to all the resources.
Shaun: Thank you for watching and good luck with your Privileged Identity Management deployment.
