
Identity Basics: Admin Roles and Least Privilege

Most breaches start with too much access. Fix it.

Last updated: March 20, 2026

Every week, we see the same pattern: a small business gets compromised. The attacker didn't use sophisticated malware or a zero-day exploit. They used a regular employee's credentials—credentials that had far more access than they should have had.

The bookkeeper could delete users. The marketing coordinator could change billing. The office manager had Global Admin rights "just in case."

This is a permissions problem. It's common, it's dangerous, and it's fixable.

What Is Least Privilege

Least privilege means giving users the minimum access they need to do their job. Nothing more.

If someone needs to send email, they get an email account. Not domain admin. If someone needs to enter invoices, they get access to the invoicing software. Not the accounting software's admin panel. If someone needs to reset their own password, they get self-service password reset. Not write access to Active Directory.

The idea is simple: if someone's credentials get compromised, the damage is contained.

Why This Matters for Gulf Coast SMBs

You can't afford a big breach. A major breach for a large company is a PR problem. For a Gulf Coast contractor, seafood processor, or marine services firm, it's existential. You're working on thin margins. A $50,000 incident might not be recoverable.

Your team is small. In a 10-person company, everyone does multiple things. The temptation is to give everyone broad access "because we're small." This creates the same risk as a large company with none of the controls.

Vendors and partners trust you. Construction companies, oilfield services, seafood distributors—they share sensitive data with you. If your systems are breached, that data leaks. Your reputation is done with that partner.

How Permissions Work in Microsoft 365

Microsoft 365 has several permission levels:

Global Administrator: Can do everything. Add users, delete tenants, change billing, access all data. Should be held by 1-2 people maximum. Should require MFA and never be used for daily tasks.

Exchange Administrator: Manages email flow, mailbox permissions, sharing policies. Important but not all-powerful.

SharePoint Administrator: Manages document storage and permissions. Sensitive.

User Administrator: Can add, remove, and manage users. Critical for offboarding.

Help Desk Administrator: Can reset passwords, manage basic user issues. Lower risk.

Billing Administrator: Manages subscriptions and invoices. Should be separate from IT admin.

Security Administrator: Manages security policies, views audit logs. Important for monitoring.

How Permissions Work in Google Workspace

Google Workspace roles:

Super Admin: Full access to everything. 1-2 people maximum.

Admin: Granular roles for specific services. Don't give full Super Admin to people who only need email admin.

User: Standard access to email, drive, docs. Everyone else.

What Can Go Wrong

"The bookkeeper could delete everyone"
Your bookkeeper's account gets compromised. The attacker uses their access to delete all user accounts, lock you out of your own systems, and demand ransom. The bookkeeper never needed that access.

"The vendor had too much access"
Your IT vendor set up your systems. They asked for admin access "temporarily." Six months later, they still have it. A disgruntled employee at the vendor company—or a breach at the vendor—gives attackers access to your systems.

"The former employee still has access"
You terminated someone. Did you remove their access? If not, they (or anyone who compromises their personal accounts) still have access to your email, your files, your data.

"Everyone uses the same admin account"
You created one admin account and everyone uses it for admin tasks. Now there's no accountability: who did what? If one person's password is compromised, the admin account is compromised.

"The intern had full access"
A summer intern needed to send email from a shared inbox. IT gave them full mailbox access "to make it easier." The intern's personal laptop was compromised at a coffee shop. Your entire email history is now on a threat actor's server.

What It Costs

Role audit: $0 (time spent)

  • 1-2 hours to document current permissions
  • Ongoing: 15 minutes monthly to review changes

Access management tools:

  • Microsoft 365 built-in: Free with subscription
  • Google Workspace built-in: Free with subscription
  • Third-party CASB: $5-$15/user/month for advanced monitoring

Consulting for initial cleanup: $1,000-$5,000

  • One-time role cleanup
  • Policy documentation
  • Admin training

Cost of a breach (if permissions were too broad):

  • Forensic investigation: $10,000-$50,000
  • Data recovery: $5,000-$25,000
  • Regulatory notification: $1,000-$10,000
  • Lost business: Incalculable

Minimum Viable Implementation

Today

  1. List your admin accounts. In Microsoft 365: Admin Centers > Exchange Admin Center > Permissions > Admin roles. In Google Workspace: Admin Console > Admin roles. Find everyone with elevated access.

  2. Ask why. For each admin, ask: "Does this person need this level of access to do their job?" If the answer is no, downgrade or remove.

  3. Check for shared admin accounts. Find any account with admin access being shared. Document who has credentials.

This Week

  1. Create a break-glass account. An emergency admin account with Global Admin access that only you know. Store credentials offline (not in a password manager that could be compromised). Use it only in emergencies.

  2. Separate admin from daily use. Admins should have a regular account for email, browsing, etc., and a separate admin account for admin tasks. Never use admin accounts for daily work.

  3. Enable PIM (Privileged Identity Management). In Microsoft 365 E3/E5, you can require admin approval for privileged role activation. Users request access, you approve for a limited time.

This Month

  1. Document your role assignments. Write down who has what access and why. This becomes your baseline.

  2. Set up access reviews. Schedule quarterly reviews: "Does [Person] still need [Access]?"

  3. Offboard properly. When someone leaves, remove their access immediately. Check: email, shared drives, admin roles, third-party apps, mobile devices.
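
The checks in the steps above can be run against a written baseline of role assignments. The script below is an added example, not part of the original article or any vendor tool: the CSV columns, the example.com accounts, and the 90-day reading of "quarterly" are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample baseline, one row per (account, person, role); not real tenant data.
SAMPLE = """account,person,role,mfa,status,justification,last_reviewed
dana-admin@example.com,Dana,Global Administrator,yes,active,IT owner,2026-02-10
pat@example.com,Pat,Global Administrator,no,active,,2025-09-01
robin@example.com,Robin,Global Administrator,yes,active,Just in case,2026-02-10
robin@example.com,Robin,Billing Administrator,yes,active,Pays invoices,2026-02-10
admin@example.com,Lee,Exchange Administrator,yes,active,Mail flow,2026-01-15
admin@example.com,Sam,Exchange Administrator,yes,active,Mail flow,2026-01-15
alex@example.com,Alex,Help Desk Administrator,yes,terminated,Password resets,2026-01-15
"""
TOP_ROLES = {"Global Administrator", "Super Admin"}
REVIEW_DAYS = 90  # assumption: "quarterly" taken as 90 days

def audit(csv_text, today):
    """Return sorted (account, finding) pairs for a role-assignment baseline."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = set()
    people, roles = defaultdict(set), defaultdict(set)
    for r in rows:
        acct = r["account"]
        people[acct].add(r["person"])
        roles[acct].add(r["role"])
        if r["status"] != "active":  # offboarding gap
            findings.add((acct, "former employee still holds " + r["role"]))
        if r["role"] in TOP_ROLES and r["mfa"] != "yes":
            findings.add((acct, "top-level admin without MFA"))
        if not r["justification"].strip():  # the "ask why" step has no answer
            findings.add((acct, "no documented reason for " + r["role"]))
        if (today - date.fromisoformat(r["last_reviewed"])).days > REVIEW_DAYS:
            findings.add((acct, "access review overdue"))
    for acct, who in people.items():
        if len(who) > 1:  # several people behind one admin login
            findings.add((acct, "shared admin account: " + ", ".join(sorted(who))))
    for acct, held in roles.items():
        if "Billing Administrator" in held and len(held) > 1:
            findings.add((acct, "billing role combined with IT admin role"))
    top_people = {r["person"] for r in rows if r["role"] in TOP_ROLES}
    if len(top_people) > 2:  # the article's limit of 1-2 people
        findings.add(("*", "%d people hold a top-level admin role" % len(top_people)))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, date(2026, 3, 20)):
        print(account, "-", finding)
```

Keep the baseline file current as roles change, and rerun the audit at each scheduled review.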

Vendor Questions (Copy/Paste)

  1. "Can we require approval for admin role assignments—meaning someone requests access and another person approves it?"

  2. "Do you log when admin roles are used? Can we export those logs?"

  3. "What's your process for revoking access when an employee is terminated?"

  4. "Can we see a report of all users with Global Admin access?"

  5. "Do you support just-in-time admin access—where admin rights expire after a set time?"

When to Hire Help

DIY-friendly if:

  • Under 25 users
  • Simple role structure
  • Basic understanding of Microsoft 365 or Google Workspace admin consoles
  • No previous security incidents

Get professional help if:

  • Over 50 users
  • Multiple admin accounts you can't explain
  • Previous security incident
  • No documentation of who has what access
  • Need to comply with regulations (HIPAA, PCI DSS, etc.)

Warning signs you need help now:

  • You don't know who has admin access to your email
  • A former employee might still have access
  • You've had a phishing incident in the last 6 months
  • Someone has admin access they don't need for their job
  • You share admin credentials among multiple people

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.