
Least Privilege And Admin Accounts: Plain English

Least privilege means giving people only the access they need for their job — nothing more. It's simple, it works, and most small businesses ignore it.

Last updated: March 20, 2026

A property management company in Mobile had a breach. The attacker got in through their HVAC vendor's remote monitoring software — the vendor had admin access "for convenience."

Once inside, the attacker found the property management software, exported tenant records (names, addresses, payment info), and demanded ransom for the data.

The vendor's access was supposed to be temporary. It wasn't. Nobody had revoked it in two years.

This is a least-privilege failure.

What this solves (in real business terms)

Least privilege means giving people — employees, vendors, contractors — only the access they need to do their specific job. Nothing more.

Admin accounts are special accounts with elevated permissions: they can install software, change settings, access all files, modify other users' permissions. Regular accounts can't do these things.

The principle is simple: if someone doesn't need admin access to do their job, they shouldn't have it. If a vendor doesn't need permanent access, it should be temporary.

The reason is blast radius. If a regular employee's account gets compromised, the attacker can read their email and access their files. Bad, but contained. If an admin account gets compromised, the attacker can take over the entire organization.

What can go wrong

Phishing an admin account. The Pensacola manufacturer story — their IT person had admin access, got phished, attacker took over the entire Microsoft 365 tenant. If the IT person had used a regular account for email and only switched to admin for specific tasks, the damage would have been limited.

Compromised vendor access. The Mobile property management scenario. Vendor with admin access gets compromised, attacker walks into your network with full permissions.

Malware with admin rights. A user with admin access gets malware on their computer. The malware runs with admin rights — it can install other malware, capture all keystrokes, access any file. The same malware on a non-admin account is much more limited.

Accidental deletion. A tired employee with admin access accidentally deletes a shared folder. Same employee with regular access can't delete shared resources they don't own.

Former employee retained access. Someone quits. Their account stays active because "IT will get around to disabling it." They can still access everything until someone remembers.

What it costs (honest ranges)

  • Implementation: $0 — this is a policy and configuration change, not a product purchase
  • Managed security provider: Usually included in $10-$30/user/month. They audit permissions quarterly and flag over-provisioned accounts.
  • Microsoft 365 Business Premium: $22/user/month — includes tools to manage user roles and permissions easily
  • One-time consultant: $500-$1,500 to audit current permissions and set up proper role-based access

Vendor questions (copy/paste)

Ask your IT vendor or internal IT person:

  1. "What admin accounts do we currently have? Who has access to them?"
  2. "Do we have a regular process for reviewing who has admin access, or is it just set-and-forget?"
  3. "Does our HVAC/camera/security vendor have admin access to our systems? How do we revoke it when work is done?"
  4. "Do employees use admin accounts for daily work, or only when necessary?"
  5. "Do we have a checklist for when employees leave? Does it include disabling all accounts, including vendor-managed ones?"

Minimum viable implementation

Step 1: Audit your admin accounts

In Microsoft 365 Admin Center:

  1. Go to Users > Active users
  2. Filter by "Admin roles"
  3. Document every account with admin access: who owns it, what role it has, why it needs that access

In Google Workspace:

  1. Go to Admin console > Users
  2. Look for users with "Admin privileges"
  3. Document the same details

Step 2: Create a regular account for everyone (including owners)

Everyone should have two accounts:

  • Regular account: For daily work (email, documents, software)
  • Admin account: Separate, used only for admin tasks

This means creating an admin account for yourself if you don't have one. Use a different password and ideally a different authentication device.

Step 3: Remove admin rights from regular accounts

In Windows (if managed by policy):

  • Remove users from the "Administrators" group
  • Add them to the "Users" group only

In Microsoft 365:

  • Remove Global Admin from anyone who doesn't need it daily
  • Assign the minimum necessary role: Help Desk Admin, User Admin, etc.

Step 4: Set up just-in-time admin access

For users who occasionally need admin access:

  • Don't give them permanent admin rights
  • Use Microsoft Privileged Identity Management (PIM) or a similar tool to grant time-limited admin access
  • They request access, you approve, it expires automatically

Step 5: Review quarterly

Set a calendar reminder. Every quarter, ask:

  • Does everyone with admin access still need it?
  • Are there any vendor accounts that should be disabled?
  • Did any employee leave without their accounts being disabled?

Step 6: Vendor access = temporary access

Every vendor account should have:

  • An expiration date (even if far in the future)
  • Minimum necessary permissions (read-only if that's all they need)
  • A process for revoking access when work is complete
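As an added example that is not part of the original article, here is the admin audit from Step 1 and the local admin clean-up from Step 3 as one PowerShell script, so the quarterly review in Step 5 has a dated inventory to compare against. It assumes the Microsoft.Graph PowerShell module is installed and you sign in with an account that can read directory roles; the two account names in $keep are placeholders, and the -WhatIf switches mean nothing changes until you remove them.

```powershell
# Part A: Microsoft 365 / Entra ID. Who holds which admin role (Step 1)?
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Role members can also be groups or service principals; those are skipped here
        $user = Get-MgUser -UserId $member.Id -Property DisplayName, UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue
        if ($user) {
            [pscustomobject]@{
                Role    = $role.DisplayName
                User    = $user.UserPrincipalName
                Enabled = $user.AccountEnabled   # a disabled account still holding a role should be removed from it
            }
        }
    }
}

# Save a dated copy: the quarterly review (Step 5) compares this against the last one
$report | Export-Csv -Path "admin-roles-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
$report | Sort-Object Role, User | Format-Table -AutoSize

# Global Admin is the role Step 3 says to hand out only to people who need it daily
$report | Where-Object Role -eq "Global Administrator" |
    ForEach-Object { "GLOBAL ADMIN: $($_.User) (enabled: $($_.Enabled))" }

# Part B: local Windows "Administrators" group on this machine (Step 3).
# $keep lists the accounts allowed to stay admin; both names are placeholders.
$keep = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\it-admin")

foreach ($m in Get-LocalGroupMember -Group "Administrators") {
    if ($keep -notcontains $m.Name) {
        # -WhatIf only reports what would change; drop it once the $keep list is right
        Remove-LocalGroupMember -Group "Administrators" -Member $m.Name -WhatIf
        Add-LocalGroupMember -Group "Users" -Member $m.Name -WhatIf -ErrorAction SilentlyContinue
    }
}
```

Run Part B on each managed machine (or through your endpoint management tool) and keep the CSV from Part A with your review notes, so the next quarter's question is "what changed?" rather than "who has admin?".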

When to hire help

Do it yourself if:

  • You have fewer than 15 users
  • You're comfortable navigating Microsoft 365 or Google Admin consoles
  • Your tech stack is simple (one Microsoft 365 or Google Workspace account, no complex integrations)

Get help if:

  • You have 20+ employees with complex role structures
  • Multiple vendors have access to your systems
  • You're in a regulated industry with specific access control requirements
  • You've had a breach or near-miss and need to audit and clean up existing permissions

