How Granular Delegation Can Help Avoid Security Incidents in Microsoft Environments


With so many security threats to defend against today, it’s nearly impossible for IT teams to keep up. And while each security event may be different, there are common threads running through most of them. One of the most common is that users are simply granted too much access over time.

Admins get busy, people need access quickly, and without a strong delegation model in place, the result is users being granted more access than they need. In many organizations, delegated permissions, once granted, are rarely revoked.

Least-Privileged Delegation

In simplest terms, least-privileged delegation means giving users and administrators the access they need – and only the access they need – to manage user accounts and other sensitive information, and granting it only over the users and groups for which they are responsible.

Typically, privileges are granted to perform some administrative task. Here, let’s consider administrative accounts in Active Directory. For example, perhaps you have a help desk technician who needs permission to reset passwords. How do you delegate control to do that without granting more privilege than necessary, such as the ability to create, delete and manage users?
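As an added illustration (not code from the original post or from Cayosoft’s product) of what the principle above looks like at the directory level: the first function grants a group only the “Reset Password” extended right on user objects under one OU, and the second reviews the explicit delegations already present on an OU so that over-broad grants can be spotted and revoked. The OU and group names are placeholders; the script assumes the RSAT ActiveDirectory module is installed.

```powershell
Import-Module ActiveDirectory

# Well-known schema GUIDs published by Microsoft
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password extended right
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' object class

# Grant a group ONLY the right to reset passwords of user objects under an OU (no create/delete/manage).
function Grant-ResetPasswordOnly {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # placeholder, e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupName  # placeholder, e.g. 'HelpDesk-Tier1'
    )
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$OuDn"                           # AD: PSDrive comes with the ActiveDirectory module
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,                      # limit the ACE to this one extended right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)                               # ...and only on user objects, not groups/OUs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Review explicit (non-inherited) Allow ACEs on an OU and flag anything broader than reset-password.
function Get-OuDelegationReport {
    param([Parameter(Mandatory)][string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        if ($rights -eq 'ExtendedRight' -and $ace.ObjectType -eq $ResetPasswordRight) {
            $scope = 'Reset password only'
        } elseif ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $scope = 'FULL CONTROL - review'
        } elseif ($rights -band ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                                 [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)) {
            $scope = 'Create/delete objects - review'
        } else {
            $scope = 'Other'
        }
        [PSCustomObject]@{ Trustee = $ace.IdentityReference.Value; Rights = $rights; Scope = $scope }
    }
}

# Example usage (placeholder names):
# Grant-ResetPasswordOnly -OuDn 'OU=Staff,DC=example,DC=com' -GroupName 'HelpDesk-Tier1'
# Get-OuDelegationReport -OuDn 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

Running the report periodically against every delegated OU is a simple way to catch grants that were never revoked.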

Microsoft native tools, both for on-prem Active Directory and Azure Active Directory, have limitations when it comes to granting permissions: a user cannot be granted permission for just one or two tasks. This leaves senior admins either saying “no” or adding those users – often help desk users or junior staff – to AD Domain Admins or Global Admins so they can perform their functions.

Admin roles, including Domain Admins, Global Admins and other highly privileged accounts, are a favorite target of malicious actors, and compromise of one can lead to costly breaches. Minimizing the number of users in those groups and roles is a key security measure every organization must take.

Granular Roles Secure Delegation And Help Avoid Insider Threats

Cayosoft Administrator has helped numerous organizations with automation combined with roles- and rules-based administration, purpose-built for hybrid Microsoft environments. Cayosoft empowers senior IT admins with granular, unified role-based delegation and rules that control, secure and simplify the execution of key tasks in the most efficient way possible.

Cayosoft customers have benefited from the ability to delegate tasks granularly and securely.

“Before we had Cayosoft, it was me and my CIO creating Windows accounts because there were too many steps that required permissions that the help desk staff didn’t have. With delegation in Cayosoft Administrator, the help desk can now do this, as well as use Cayosoft for group management, password resets and managing mailbox permissions.”

– Abiezer Fraga, IT Director, Citrus Health

“We also considered how we could empower other groups within Mednax, such as the security team and the help desk, and keep individuals from going directly into AD to make changes that cause security issues. Ultimately we did not want to have our techs logging into Active Directory to make changes. Having the tool to act as the go between helps with security and gives us an additional level of change control. After research, we found that Cayosoft was the best solution for us.”

– Donald Donais, Enterprise Collaboration Manager at Mednax

For more on avoiding insider threats and securing your environment, check out our on-demand webinar, 3 Keys to Secure Hybrid Microsoft Management.
