Why we’re bringing Zero Standing Privileges to M365, and why it matters.
In the past decade, we collectively agreed that standing access to infrastructure is a security failure. No credible security team allows permanent root access on production servers or standing SSH keys for cloud instances. We built vaults, we implemented session recording, and we moved to Just-in-Time (JIT) access for infrastructure.
Yet, if you look at the average enterprise Microsoft 365 tenant, that discipline seems to have vanished.
We see organizations with robust Privileged Access Management (PAM) for their servers, yet they have dozens of permanent Intune Administrators, Exchange Administrators, and Global Admins in Entra ID.
This isn’t because security teams are negligent. It’s simply friction. Until now, applying Zero Standing Privileges (ZSP) to SaaS admin roles was operationally painful. Native tools create silos, manual processes slow down IT, and eventually, the “temporary” admin access granted to a helpdesk engineer becomes permanent, because nobody wants to be the one to break a workflow by revoking it.
That standing access may now be your most vulnerable perimeter. Here is why, and how we are fixing it with the CyberArk Identity Security Platform.
The threat reality: M365 is the new “root”
Attacker tradecraft has shifted. While attackers continue to hunt for server credentials, the target has transitioned to SaaS. Why? Because the blast radius is massive and often unmonitored.
Take the Midnight Blizzard (Nobelium) attack on Microsoft itself. Attackers didn’t smash through a firewall; they leveraged a legacy test tenant, elevated permissions, and pivoted into corporate Exchange Online accounts to read executive emails. The lesson? Unmonitored standing privileges are a ticking time bomb.
Consider what a compromised user with standing Intune Administrator rights can do:
- Mass ransomware deployment: Push malicious scripts to every managed endpoint in your fleet via Intune.
- Persistence: Modify Conditional Access policies to exclude rogue devices from MFA checks.
- Silent exfiltration: Grant themselves full access to executive mailboxes via Exchange Online without triggering standard DLP alarms.
If that admin right is standing (permanent), the attacker has an indefinite window to act. If that access is JIT (ephemeral), the window of opportunity is nearly non-existent.
The problem with “siloed” JIT
You might ask, “Doesn’t Microsoft offer JIT for these roles?” They do, via Privileged Identity Management (PIM). And for many, that is a good starting point.
But for the enterprise security architect, relying solely on a SaaS provider’s native tool can create a governance silo. You end up with one policy engine for your AWS cloud, a different vaulting strategy for on-prem servers, and a third, disconnected workflow for M365. This fragmentation leads to:
- Audit gaps: You cannot easily answer, “Who had privileged access across all our environments today?”
- Inconsistent policy: Your definition of “emergency access” differs between your data center and your SaaS.
- Operational friction: Your admins must learn three different tools and context-switch between them just to do their job.
The CyberArk approach: Unified ZSP orchestration
We built ZSP for Entra Groups to secure admin access to M365 applications, establishing a blueprint for the rest of your SaaS stack. M365 is the first use case, but the goal is broader: to treat all SaaS admin roles exactly like infrastructure privileges: identity-centric, policy-driven, and ephemeral.
We are not just acting as the front-end; we are acting as the orchestration layer. We use Entra ID groups as the top layer, but CyberArk acts as the policy engine, the approval logic, and the unified audit trail.
How it works
Instead of assigning a user permanently to the Intune Administrators role in Entra ID, you create a dedicated cloud-only security group (e.g., SG-Intune-Admins-ZSP) and assign the role to that group. By default, the group is empty.
When an admin needs to push a policy update:
- Request: They log into the CyberArk platform (the same place they request AWS console or server access) and select “Intune Admin Access.”
- Validation: CyberArk checks the ZSP policy: Is this user eligible? Is it within business hours? Is the requested duration (e.g., 2 hours) within limits?
- Orchestration: If approved, CyberArk triggers Entra ID to add the user to the SG-Intune-Admins-ZSP group.
- Activation: The user’s session now carries membership of that group, and with it the role assigned to it.
- Revocation: Once the time window expires, CyberArk automatically removes the user from the group.
- Audit: The entire lifecycle (request, justification, grant, and revoke) is logged in the CyberArk Identity Security Platform, right alongside your infrastructure and cloud access logs.
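As an added illustration of the lifecycle above (not CyberArk’s code, which this post does not show), here is a constructed Python model of the policy checks, the time-bound group membership, the automatic revocation and the audit trail, plus a drift check that flags anyone sitting in the ZSP group without a live grant. The group name, users and policy values are placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model of the request -> validate -> grant -> revoke -> audit lifecycle
# described above; ZSP_GROUP and the user names are placeholders, not CyberArk's API.
ZSP_GROUP = "SG-Intune-Admins-ZSP"

@dataclass
class ZspPolicy:
    eligible_users: set              # who may request this role at all
    max_duration: timedelta          # longest single grant allowed
    business_hours: tuple = (8, 18)  # requests honoured only within [start, end) local hours

@dataclass
class ZspBroker:
    policy: ZspPolicy
    grants: dict = field(default_factory=dict)  # user -> expiry of the live JIT grant
    audit: list = field(default_factory=list)   # one record per lifecycle event

    def _log(self, event, user, **details):
        self.audit.append({"event": event, "user": user, "group": ZSP_GROUP, **details})
    def validate(self, user, duration, now):
        """Return the policy violations for a request; an empty list means approved."""
        reasons = []
        if user not in self.policy.eligible_users:
            reasons.append("not eligible")
        start, end = self.policy.business_hours
        if not start <= now.hour < end:
            reasons.append("outside business hours")
        if duration > self.policy.max_duration:
            reasons.append("duration exceeds limit")
        return reasons
    def request(self, user, duration, now, justification):
        reasons = self.validate(user, duration, now)
        if reasons:
            self._log("denied", user, reasons=reasons, justification=justification)
            return False
        self.grants[user] = now + duration  # orchestration: add the user to the group
        self._log("granted", user, expires=self.grants[user].isoformat(), justification=justification)
        return True
    def expire(self, now):
        """Revoke every grant whose window has closed; return the users removed."""
        removed = sorted(u for u, exp in self.grants.items() if exp <= now)
        for u in removed:
            del self.grants[u]
            self._log("revoked", u)
        return removed
    def standing_members(self, actual_members, now):
        """Drift check: group members read from Entra ID with no live grant are standing privilege."""
        return sorted(u for u in actual_members if self.grants.get(u, now) <= now)
```

Feeding `standing_members` the real membership list of the ZSP group on a schedule turns the “by default, the group is empty” promise into something you can continuously verify rather than assume.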
Why this matters
This architecture solves the “silo problem.” By extending the CyberArk Identity Security Platform to M365, you collapse your attack surface — applying the same ZSP principles to your SaaS estate.
- Zero Standing Privilege: No user holds admin rights 24/7. Even if their credential is phished at midnight, it will have no admin power (standard user account with no lateral movement capabilities).
- Audit-ready proof: When the auditor asks for evidence of access control, you show them one report that covers your servers, your cloud consoles, and your Intune environment.
- Operational velocity: We aren’t blocking admins. We are giving them a “break glass” mechanism that works every time, without the overhead of manual tickets.
Security that works with humans, not against them
The goal of Zero Standing Privilege isn’t to make life hard for the helpdesk or the cloud engineering team. It’s to acknowledge that access is a liability, not an asset.
By shifting M365 administration to a JIT model, we remove the burden of “protecting the keys” from your admins. They don’t have to worry about their account being the entry point for a breach, because their account is limited to standard user privileges 99% of the time.
This is the future of privilege: fluid, time-bound, and platform-agnostic. And with the release of ZSP for Entra Groups, we are applying that standard to the most critical business suite in the world.