Permanent active role assignments SHALL NOT be allowed for highly privileged roles.
Why This Matters
Permanent active assignments of highly privileged roles introduce unnecessary security risk. An attacker who compromises an account holding such an assignment has persistent privileged access and does not need to escalate privileges. Requiring just-in-time activation for high-value roles reduces the attack surface and limits the blast radius of a credential compromise.
What Aether365 Checks
This check verifies that no user or group has a permanent active assignment to highly privileged roles such as Global Administrator, Privileged Role Administrator, or Exchange Administrator. It appears in the Aether365 dashboard under the entra-id security checks category.
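One way to express this check, as an added example that is not Aether365's own code. It assumes records shaped like Microsoft Graph unifiedRoleAssignmentScheduleInstance objects with roleDefinition and principal expanded; the sample records and the helper names are constructed for illustration.

```python
"""Flag permanent active assignments of highly privileged Entra ID roles."""

# Roles named on this page; treat the set as configurable (assumption).
HIGHLY_PRIVILEGED = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
}

def _inst(ptype, name, role, assignment_type, end):
    """Build one constructed record shaped like a Graph
    unifiedRoleAssignmentScheduleInstance (roleDefinition, principal expanded)."""
    return {
        "principal": {"@odata.type": "#microsoft.graph." + ptype, "displayName": name},
        "roleDefinition": {"displayName": role},
        "assignmentType": assignment_type,
        "endDateTime": end,
    }

# Constructed sample data, not real tenant output.
SAMPLE = [
    _inst("user", "Alice", "Global Administrator", "Assigned", None),
    _inst("user", "Bob", "Global Administrator", "Activated", "2030-01-01T12:00:00Z"),
    _inst("group", "Exchange Ops", "Exchange Administrator", "Assigned", None),
    _inst("user", "Carol", "Privileged Role Administrator", "Assigned", "2030-06-30T00:00:00Z"),
    _inst("user", "Dave", "Reports Reader", "Assigned", None),
]

def find_permanent_active(instances, privileged_roles=HIGHLY_PRIVILEGED):
    """Return (principal_type, principal_name, role) for each violation."""
    findings = []
    for inst in instances:
        role = (inst.get("roleDefinition") or {}).get("displayName")
        if role not in privileged_roles:
            continue
        # "Activated" is a just-in-time activation of an eligible assignment.
        if inst.get("assignmentType") != "Assigned":
            continue
        # An end date makes the active assignment time-bound, not permanent.
        if inst.get("endDateTime"):
            continue
        principal = inst.get("principal") or {}
        ptype = principal.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        findings.append((ptype, principal.get("displayName"), role))
    return findings

if __name__ == "__main__":
    for ptype, name, role in find_permanent_active(SAMPLE):
        print(f"FAIL: {ptype} '{name}' has a permanent active assignment to {role}")
```

Both the directly assigned user and the group are reported, since the check covers either kind of principal.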