Skip to main content

How to Audit and Reduce Admin Accounts in Google Workspace and Microsoft Entra

One of the fastest ways to reduce risk in any K–12 environment is also one of the most overlooked:

Reviewing who has administrative access.

Too many admin accounts, especially highly privileged ones, dramatically increase the blast radius of a single compromised account.


The goal isn’t just to know who your admins are.


It’s to ensure only the right people have the right level of access, and nothing more.


Why This Matters

Admin accounts can:

  • reset passwords
  • access sensitive data
  • modify security settings
  • create or delete accounts
  • bypass protections


If one of these accounts is compromised, the attacker doesn’t need to break in; they’re already inside.


This is why frameworks like the CIS Critical Security Controls (v8) emphasize:

  • Control 5: Account Management
  • Control 6: Access Control Management


Both stress:

  • minimizing administrative privileges
  • using role-based access
  • regularly reviewing accounts
  • removing unnecessary access


Step 1: Audit Admin Roles in Google Workspace


Navigate to:

Admin Console → Directory → Admin Roles


What to Review:

Super Admins

  • Who has full control over the environment?
  • Do they actually need it?

Best practice:

  • Keep this group as small as possible
  • Ideally 2–4 trusted individuals

Custom Admin Roles

  • Review what permissions are assigned
  • Ensure roles are scoped appropriately

Assigned Admins

  • Look at who is assigned to each role
  • Verify:
    • Are they still in that role/job?
    • Do they still need this level of access?

What to Look For:

  • Users with Super Admin who don’t need it
  • Former staff or role changes not updated
  • Accounts that haven’t logged in recently
  • Shared or generic admin accounts

Quick Actions:

  • Remove unnecessary Super Admin roles
  • Reassign users to least-privileged roles
  • Disable or delete unused accounts


Step 2: Audit Admin Roles in Microsoft Entra


Navigate to:

Microsoft Entra Admin Center → Roles & Administrators


Focus on High-Risk Roles:

  • Global Administrator
  • Privileged Role Administrator
  • Security Administrator
  • Exchange Administrator


What to Review:

Role Assignments

  • Click each role and review assigned users

Sign-In Activity

  • Check last login (via Entra or audit logs)

Role Necessity

  • Does the user need full-time admin access?


What to Look For:

  • Too many Global Administrators
  • Users with overlapping high-privilege roles
  • Inactive accounts still holding admin rights
  • Accounts without MFA enabled


Quick Actions:

  • Reduce Global Admins to a minimal number
  • Move users to role-based access where possible
  • Remove stale or unused accounts


Step 3: Apply Least Privilege


The goal is simple:


Give users the minimum access required to do their job; nothing more.


Examples:

Instead of:

  • Global Admin

Use:

  • Help Desk Admin
  • User Admin
  • Groups Admin

This reduces risk significantly if an account is compromised.


Step 4: Use Privileged Identity Management (PIM) in Microsoft Entra


If your district is using Microsoft Entra, one of the most effective ways to reduce admin risk is by using Privileged Identity Management (PIM).


Instead of giving users permanent admin access, PIM allows you to grant temporary, just-in-time privileges only when needed.


Why PIM Matters

Traditional model:

  • Users have standing admin access 24/7


With PIM:

  • Users are eligible, not always active
  • Admin access must be activated when needed
  • Activation can require:
    • MFA
    • justification
    • approval
  • Access automatically expires


This significantly reduces exposure and limits how long an attacker could use elevated access.


How to Review or Enable PIM


Navigate to:

Microsoft Entra Admin Center → Identity Governance → Privileged Identity Management


Key Actions:

Review Role Assignments

  • Identify users with permanent admin roles
  • Convert them to eligible assignments where possible


Configure Activation Settings

Require:

  • MFA
  • Justification
  • Approval (recommended for high-risk roles)

Set Time Limits

  • Limit admin sessions (for example, 1–4 hours)


What to Prioritize

Start with:

  • Global Administrator
  • Privileged Role Administrator
  • Security Administrator


Practical Reality for K–12

Not every district is using PIM, and that’s okay.


If you’re not there yet:

  • Reduce permanent admins
  • Separate admin accounts
  • Enforce MFA


If you are able to use PIM:

  • This is one of the highest-value improvements you can make


Step 5: Separate Admin and User Accounts


Admins should not use their admin account for daily work.


Why:

  • Email and browsing are high-risk activities
  • A compromised daily-use account should not equal full system compromise


Best Practice:

  • Standard account → email, browsing, daily work
  • Admin account → administrative tasks only


Step 6: Require MFA for All Admin Accounts


This is essential.


Verify:

  • MFA is enforced (not just enabled)
  • Applies to all admin roles
  • No exclusions or bypasses


In Entra:

  • Use Conditional Access policies


In Google:

  • Enforce 2-Step Verification for admin roles


Step 7: Make This a Routine


Admin access is not static.


Recommended:

  • Quarterly review (ideal)
  • At minimum, twice per year


Roles change.

Staff change.

Risk changes.

Access should too.


Practical Takeaways

  • Fewer admin accounts = lower risk
  • Least privilege reduces the impact of compromise
  • Just-in-time access (PIM) reduces standing risk
  • MFA is critical for all admin access
  • Regular review prevents privilege creep


Closing Thoughts

Admin accounts are one of the most powerful and most dangerous elements in your environment.


The good news is that this is one of the simplest areas to improve quickly.


Take the time to review who has access.


Reduce what isn’t needed.


And where possible, move toward just-in-time access models like PIM.

Are you checklist type person? Here is a simple checklist to help you out: 

K–12 Admin Account Audit Checklist

Labels:

Comments

Post a Comment

Popular posts from this blog

Why Securing Things “Backwards” Is So Difficult in K–12 IT

Many K–12 districts are facing a difficult reality: after years of convenience-first technology use, the time has come to adopt a more secure, structured approach. Cyber insurance requirements are tightening. State and federal regulations are growing. Threats are increasing. And school systems are expected to modernize their security posture quickly and without disrupting learning. But strengthening security in a district that has operated with wide-open access for years isn’t just a technical challenge; it’s a cultural renovation. Transitioning from “anything goes” to “secured by design” is one of the hardest shifts for schools to make. Not because people don’t care about security, but because securing things backwards means undoing years of habits, expectations, and legacy decisions. Here’s why it’s so difficult , and how districts can make the transition without breaking what’s working. Why Securing Things Backwards Is Hard 1. You’re Taking Away What People Are Used To When classr...
Post a Comment
Read more

Incident Response for Schools: Why Playbooks Matter

When a cybersecurity incident occurs, such as a phishing email, ransomware outbreak, or accidental exposure of student data, the first few minutes are crucial. Yet, many school districts lack a clear, step-by-step plan for responding. The result? Confusion, delayed decisions, extended downtime, and even compliance failures. That’s why every school should have Incident Response (IR) playbooks : simple, one-page guides that outline who to call, what to do, and how to contain and recover from common incidents. Why Playbooks Are Critical in Schools Clarity Under Pressure: When panic sets in, playbooks provide structure. Staff know exactly what steps to take. Consistency: Every incident is handled the same way, reducing the risk of mistakes. Compliance: For Kansas schools, ITEC 7230a requires incident response planning and documentation. Playbooks help districts meet that standard. Framework Alignment: The NIST Cybersecurity Framework (CSF) 2.0 emphasizes Respond as o...
Post a Comment
Read more

Vendor and Third-Party Risk Management in K–12: Protecting Student Data Beyond Your Walls

Modern school districts rely on hundreds of third-party applications, ranging from learning management systems and browser extensions to assessment platforms and parent communication tools. Each of these vendors connects to your network, accesses your data, or processes sensitive student information. Every one of them represents potential risk. While internal defenses like patching, MFA, and backups are essential, vendor risk management ensures your district is protected from vulnerabilities that originate outside your network . Why Vendor Risk Management Matters for Schools School technology ecosystems have expanded rapidly over the last decade. What used to be a handful of software systems is now a web of cloud tools, integrations, and data sharing agreements. Without strong oversight, this complexity creates real-world risk: Data Breaches via EdTech Vendors: Many school breaches occur not from internal attacks, but through compromised third-party systems. Privacy Compliance Exp...
Post a Comment
Read more