Microsoft 365 Administration
Secure Administration via Granular & Just-In-Time (JIT) Access
Zero-standing administrative privileges for maximum data isolation.
This document describes SoftSol’s administrative access model for your Microsoft 365 environment. Our approach is engineered to give us everything we need to manage your platform effectively, while giving your organisation complete assurance that we cannot access your proprietary data or confidential communications without an auditable, time-limited authorisation event.
The Principle of Least Privilege
We do not request or hold a blanket Global Administrator role in your Microsoft 365 tenant. Global Administrator is the broadest possible role: it can reach every mailbox, every file in OneDrive, every Teams message and every configuration setting, and it can grant itself any permission it does not already hold. Holding it permanently is a significant and unnecessary security risk for your organisation, and we do not operate that way.
Instead, we use Microsoft’s Granular Delegated Admin Privileges (GDAP) framework to request only the specific administrative roles required to perform infrastructure management tasks. Typical roles we operate under include:
Exchange Administrator
Manages mail flow, connectors, and transport rules. Does not grant access to read mailbox content by default. Note that this role can assign mailbox permissions and create transport rules that copy or redirect mail; those actions are recorded in the unified audit log and are the ones worth reviewing after each activation.
Teams Administrator
Manages Teams policies and configurations. Does not grant access to private chat history or channel messages.
User Administrator
Creates and manages user accounts and group memberships. Does not grant access to mailbox content or files.
GDAP roles are defined in a formal relationship request that a Global Administrator in your tenant reviews and approves. The scope is transparent and documented from day one, and the relationship is time-bound: it has a fixed duration (at most two years) after which it must be renewed, and you can review or terminate it at any time from the Partner relationships page in the Microsoft 365 admin centre.
Just-In-Time (JIT) Activation
Even within the GDAP-granted roles, our technicians have zero active privileges by default. The roles exist as eligible assignments, in PIM terms: assigned but inactive, and unusable until a technician explicitly requests elevation for a specific task.
Elevation is managed through Microsoft Privileged Identity Management (PIM). When a technician needs to perform an administrative task in your tenant, they must:
i. Open a PIM elevation request, specifying the role required and a written justification for the task.
ii. Pass multi-factor authentication to confirm their identity at the moment of the request.
iii. Receive approval, either automated or via client sign-off (see Client-Controlled Approval below).
iv. Perform the task within the activation window, after which the role automatically deactivates.
Every step of this process is written to the Microsoft Entra ID audit log of the tenant in which PIM runs: the technician's identity, the role requested, the justification provided, and the exact time of activation and expiry. The actions the technician then performs in your tenant are recorded in your own tenant's audit logs under that technician's identity. Audit entries cannot be edited or deleted by administrators, but they are retained for a limited period (30 days with Entra ID P1 or P2) unless you export them through diagnostic settings to a Log Analytics workspace, storage account or SIEM that you control; we recommend enabling that export so the record outlives the default retention window.
Client-Controlled Approval
PIM can be configured so that your organisation retains direct approval authority over every role elevation request. When this is enabled, no SoftSol technician can activate any administrative role in your tenant until an authorised individual on your side — typically your internal IT lead or operations manager — receives a notification and digitally approves the request.
Key properties of the approval workflow:
- Approval requests are delivered via email and optionally the Microsoft Authenticator app, so your approver can respond from anywhere.
- The approver sees the technician's stated justification before accepting or denying.
- Access windows are time-limited and configurable, typically 1 to 4 hours, and expire automatically regardless of whether the task is finished.
- Approval and denial decisions are logged in the Microsoft Entra audit trail; as with activation events, retain them long-term by exporting the log to storage you control.
For organisations where operational tempo makes real-time client approval impractical, the approval workflow can be replaced with automated approval for pre-approved role types, combined with immediate post-activation notification to your management team. In all cases, the full audit record is preserved.
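The audit record described above is only useful if someone checks it against the agreed model. The following is an added example, not SoftSol's own tooling: it takes an exported Entra ID audit log (assumed to have been exported through diagnostic settings as JSON records shaped like Microsoft Graph directoryAudit objects), groups the request, approval and activation events for each elevation, and flags activations that lack a recorded approval or justification, exceed the agreed window, or were approved by someone outside your organisation. The events are constructed sample data, and the activity names and additionalDetails keys (RequestId, Justification, StartTime, ExpirationTime) are assumptions to be mapped onto the field names in your own export.

```python
"""Check PIM elevation records from an exported Entra ID audit log.

Added illustration, not SoftSol's tooling. Assumes records shaped like Graph
directoryAudit objects; activity names and additionalDetails keys are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACTIVITY_REQUESTED = "Add member to role requested (PIM activation)"  # assumed name
ACTIVITY_APPROVED = "Add member to role request approved (PIM activation)"  # assumed name
ACTIVITY_ACTIVATED = "Add member to role completed (PIM activation)"  # assumed name

def _event(activity, when, actor, role, request_id, **details):
    """Build one constructed directoryAudit-style record for the sample below."""
    extra = [{"key": "RequestId", "value": request_id}]
    extra += [{"key": k, "value": v} for k, v in details.items()]
    return {
        "activityDisplayName": activity,
        "activityDateTime": when,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"type": "Role", "displayName": role}],
        "additionalDetails": extra,
    }

SAMPLE_EVENTS = [  # constructed sample, not a real export
    # R1: justified, client-approved, two-hour window: the model described on the page.
    _event(ACTIVITY_REQUESTED, "2024-05-01T12:55:00Z", "tech1@softsol.example",
           "Exchange Administrator", "R1", Justification="Ticket 1042: repair inbound connector"),
    _event(ACTIVITY_APPROVED, "2024-05-01T12:58:00Z", "it.lead@client.example",
           "Exchange Administrator", "R1"),
    _event(ACTIVITY_ACTIVATED, "2024-05-01T13:00:00Z", "tech1@softsol.example",
           "Exchange Administrator", "R1",
           StartTime="2024-05-01T13:00:00Z", ExpirationTime="2024-05-01T15:00:00Z"),
    # R2: an activation with no request, approval or justification on record.
    _event(ACTIVITY_ACTIVATED, "2024-05-02T09:00:00Z", "tech2@softsol.example",
           "User Administrator", "R2",
           StartTime="2024-05-02T09:00:00Z", ExpirationTime="2024-05-02T10:00:00Z"),
    # R3: approved by the client, but the window is far longer than the agreed maximum.
    _event(ACTIVITY_REQUESTED, "2024-05-03T08:00:00Z", "tech1@softsol.example",
           "Teams Administrator", "R3", Justification="Ticket 1050: meeting policy change"),
    _event(ACTIVITY_APPROVED, "2024-05-03T08:05:00Z", "it.lead@client.example",
           "Teams Administrator", "R3"),
    _event(ACTIVITY_ACTIVATED, "2024-05-03T08:06:00Z", "tech1@softsol.example",
           "Teams Administrator", "R3",
           StartTime="2024-05-03T08:06:00Z", ExpirationTime="2024-05-03T20:06:00Z"),
    # R4: approved by another SoftSol technician rather than by the client.
    _event(ACTIVITY_REQUESTED, "2024-05-04T10:00:00Z", "tech1@softsol.example",
           "User Administrator", "R4", Justification="Ticket 1061: onboard new starter"),
    _event(ACTIVITY_APPROVED, "2024-05-04T10:01:00Z", "tech2@softsol.example",
           "User Administrator", "R4"),
    _event(ACTIVITY_ACTIVATED, "2024-05-04T10:02:00Z", "tech1@softsol.example",
           "User Administrator", "R4",
           StartTime="2024-05-04T10:02:00Z", ExpirationTime="2024-05-04T11:02:00Z"),
]

def _details(rec):
    return {d["key"]: d["value"] for d in rec.get("additionalDetails", [])}

def _actor(rec):
    return rec["initiatedBy"]["user"]["userPrincipalName"]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def build_timeline(records):
    """Group events by RequestId into their request / approval / activation steps."""
    timeline = defaultdict(dict)
    step_for = {ACTIVITY_REQUESTED: "requested", ACTIVITY_APPROVED: "approved",
                ACTIVITY_ACTIVATED: "activated"}
    for rec in records:
        rid = _details(rec).get("RequestId")
        step = step_for.get(rec["activityDisplayName"])
        if rid is not None and step is not None:
            timeline[rid][step] = rec
    return dict(timeline)

def check_activations(records, max_window=timedelta(hours=4),
                      require_approval=True, approver_domains=None):
    """Return (request_id, finding) for each activation that departs from the agreed model.

    approver_domains, when given, is the set of UPN domains (yours) allowed to approve;
    leave it None for the automated-approval variant described on the page.
    """
    findings = []
    for rid, steps in sorted(build_timeline(records).items()):
        act = steps.get("activated")
        if act is None:
            continue
        req, appr, d = steps.get("requested"), steps.get("approved"), _details(act)
        if require_approval and appr is None:
            findings.append((rid, "NO_APPROVAL"))
        if not (req and _details(req).get("Justification", "").strip()):
            findings.append((rid, "NO_JUSTIFICATION"))
        if "StartTime" in d and "ExpirationTime" in d and \
                _ts(d["ExpirationTime"]) - _ts(d["StartTime"]) > max_window:
            findings.append((rid, "WINDOW_TOO_LONG"))
        if appr is not None and approver_domains is not None and \
                _actor(appr).split("@")[-1].lower() not in approver_domains:
            findings.append((rid, "APPROVER_NOT_CLIENT"))
    return findings
```

Run `check_activations(SAMPLE_EVENTS, approver_domains={"client.example"})` to exercise the client-controlled variant; it reports R2 (no approval, no justification), R3 (window too long) and R4 (approved internally rather than by the client), and nothing for R1. With `require_approval=False` and no `approver_domains` the same function models the automated-approval arrangement, where only the justification and window checks apply. Because activation events live in the tenant where PIM runs, the checks are most valuable when that tenant's audit log is exported to storage you control.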
What this means for your organisation
- No permanent access to your data. Our technicians have zero active privileges when not performing a specific, approved task.
- No access to mailbox content by default. The roles we operate under do not grant read access to email, OneDrive files, or Teams messages. Reaching that content would require a separate, explicit action (for example, assigning mailbox permissions), which can only be taken inside an activated, approved window and is itself recorded in the audit log.
- Your approval, your control. With client-controlled approval enabled, nothing happens in your tenant without a named person on your team saying yes.
- Every access event is recorded. Entra audit log entries cannot be edited or deleted by administrators, including SoftSol, so the record of what was requested, approved, and performed stands as written. Retention is limited (30 days with Entra ID P1 or P2) unless the log is exported, so configure export to a workspace or SIEM that you control if you need the record kept beyond that.
Formal Documentation
Administrative Access Rights Statement
A formal document listing every GDAP role SoftSol holds, precisely what each role permits, and what it explicitly cannot access — suitable for your compliance records, governance team, or insurer.
Questions about this access model?
Contact SoftSol to discuss how this framework is implemented for your specific tenancy, or to request a formal written description for your compliance records.