Turn on Azure AD Privileged Identity Management (Best Practice 8/10)

Turn on Azure AD Privileged Identity Management (PIM). After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.
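Once PIM is on, the thing to check regularly is that privileged roles are held as eligible (just-in-time) assignments rather than permanent active ones, because the e-mail notifications only tell you about changes, not about what was already there. The following audit script is an added example, not part of the original post; it uses the Microsoft Graph PowerShell SDK cmdlets for directory role management, and the list of roles it treats as highly privileged is an assumption you should adjust to your own directory.

```powershell
# Added example (not from the original post): report permanent active assignments
# to highly privileged Azure AD roles, which PIM should have converted to eligible.
# Requires: Install-Module Microsoft.Graph (Identity.Governance, DirectoryObjects).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Assumption: the roles we consider highly privileged. Extend to taste.
$privilegedRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator"
)

# Map role definition IDs to display names once, so we do not call Graph per assignment.
$roleNameById = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object {
    $roleNameById[$_.Id] = $_.DisplayName
}

# Active assignment schedule instances cover both permanent ("Assigned") grants
# and PIM activations ("Activated"). A permanent grant has no EndDateTime.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object {
        $_.AssignmentType -eq "Assigned" -and
        -not $_.EndDateTime -and
        $privilegedRoles -contains $roleNameById[$_.RoleDefinitionId]
    }

# Eligible (JIT) assignments, for comparison in the summary.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Where-Object { $privilegedRoles -contains $roleNameById[$_.RoleDefinitionId] }

# Resolve principal IDs (users, groups or service principals) to readable names.
$principalIds = @($permanent.PrincipalId | Select-Object -Unique)
$principalById = @{}
if ($principalIds.Count -gt 0) {
    Get-MgDirectoryObjectById -Ids $principalIds | ForEach-Object {
        $props = $_.AdditionalProperties
        $label = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
        $principalById[$_.Id] = "$label ($($props.'@odata.type' -replace '#microsoft.graph.',''))"
    }
}

$report = $permanent | ForEach-Object {
    [pscustomobject]@{
        Role      = $roleNameById[$_.RoleDefinitionId]
        Principal = $principalById[$_.PrincipalId]
        Scope     = $_.DirectoryScopeId      # "/" means tenant-wide
        Since     = $_.StartDateTime
    }
} | Sort-Object Role, Principal

Write-Host ("Eligible (JIT) privileged assignments: {0}" -f @($eligible).Count)
Write-Host ("Permanent privileged assignments:      {0}" -f @($permanent).Count)
$report | Format-Table -AutoSize

# Hand the list to your ticketing or alerting pipeline; anything in it is a
# candidate for conversion to an eligible assignment in the PIM portal.
$report | Export-Csv -Path ".\permanent-privileged-assignments.csv" -NoTypeInformation
```

Run it from a reader-level account on a schedule and diff the CSV between runs: a new row is the same signal the PIM notification e-mail gives you, but it also catches anything that was granted before PIM was turned on.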

Use role-based access control (Best Practice 7/10)

Role-based Access Control (RBAC) is probably the most ignored security option in Office 365. Of the hundreds of clients that I have worked with, only a handful have explored the option of enabling RBAC. Access management for cloud resources is critical for any organization that uses the cloud. RBAC helps IT admins manage who has access to Azure resources, what they can do with those resources, and which areas they have access to.

This feature is designed to let you assign specific groups or individuals only the roles they need for their particular functions in Azure, which helps avoid the confusion that leads to human and automation errors and, in turn, to security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope. Use built-in RBAC roles in Azure to assign privileges to users.
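To make the "right role at the right scope" advice concrete, here is an added example (not code from the original post) using the Az PowerShell module. It shows the over-broad pattern (Owner at subscription scope) next to the scoped alternative (a built-in role at resource-group scope), and then audits the subscription for direct Owner assignments. The subscription ID, resource group name and user principal name are placeholders.

```powershell
# Added example (not from the original post): scoped RBAC assignment and an
# audit of over-broad Owner grants. Requires: Install-Module Az.Resources
Connect-AzAccount

# Placeholders: substitute your own values.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-web-prod"
$userUpn        = "developer@example.com"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# --- Weak pattern (shown for contrast, do not run): everything, everywhere ---
# New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName "Owner" `
#     -Scope "/subscriptions/$subscriptionId"

# --- Corrected pattern: a built-in role, limited to one resource group ---
# Contributor can manage resources but cannot grant access to others;
# Reader is enough for someone who only needs to look.
New-AzRoleAssignment -SignInName $userUpn `
    -RoleDefinitionName "Contributor" `
    -ResourceGroupName $resourceGroup | Out-Null

# Confirm what the user now has at that scope.
Get-AzRoleAssignment -SignInName $userUpn -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# --- Audit: who holds Owner directly at subscription scope? ---
# Get-AzRoleAssignment at a scope also returns assignments inherited from the
# management group, so filter on the Scope property to see only direct grants.
$subScope = "/subscriptions/$subscriptionId"
$owners = Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.RoleDefinitionName -eq "Owner" -and $_.Scope -eq $subScope }

Write-Host ("Direct Owner assignments at subscription scope: {0}" -f @($owners).Count)
$owners |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Groups and service principals holding Owner deserve a second look: a group
# membership change silently extends Owner to whoever gets added.
$owners | Where-Object { $_.ObjectType -ne "User" } |
    ForEach-Object { Write-Warning ("Non-user principal holds Owner: {0}" -f $_.DisplayName) }
```

Keep the number of direct Owner assignments at subscription scope to a small, known set (typically a break-glass identity and an ops group), and treat any change to that count as a finding in the same way you would treat a new Global Administrator.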

Enforce multi-factor verification for users (Best Practice 6/10)

Enabling two-factor authentication should be the standard, and perhaps it should be enforced as the minimum requirement for authentication to any cloud service. Passwords alone are not safe, and users keep making the same mistakes when protecting and securing their passwords.

I highly recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised.

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you're running, and your licensing program. There are numerous options in Azure AD, from using the built-in option included in the regular subscription, to using Azure Multi-Factor Authentication Server for on-premises services, to using a third-party solution such as Duo, VIP Access, Okta, or RSA SecurID with federation.
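Of the options above, the built-in route on a modern Azure AD tenant is a Conditional Access policy that requires MFA. The following is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK: it first reports which administrators have not yet registered an MFA method (so enforcing the policy will not lock them out), then creates a policy requiring MFA for all directory-role holders in report-only mode. The break-glass account name is a placeholder, and excluding one is an assumption about your setup, not something the post prescribes.

```powershell
# Added example (not from the original post): pre-check admin MFA registration,
# then create a report-only Conditional Access policy that requires MFA for
# anyone holding a directory role. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Reports.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# --- Step 1: which admins are not MFA-registered yet? ---
# The registration report flags admins (IsAdmin) and whether an MFA-capable
# method is registered (IsMfaRegistered).
$unregisteredAdmins = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }

if (@($unregisteredAdmins).Count -gt 0) {
    Write-Warning "Admins without a registered MFA method (enforcing now would lock them out):"
    $unregisteredAdmins | Select-Object UserPrincipalName, IsMfaRegistered | Format-Table -AutoSize
}

# --- Step 2: create the policy in report-only mode ---
# Placeholder: an emergency-access account that is excluded so a broken
# MFA provider cannot lock every admin out of the tenant.
$breakGlassUpn = "breakglass@example.com"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'" -ErrorAction SilentlyContinue

$policy = @{
    displayName = "Require MFA for all directory role holders"
    # Start in report-only; flip to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            # "All" here means every built-in directory role, not every user.
            includeRoles  = @("All")
            excludeUsers  = @(if ($breakGlass) { $breakGlass.Id })
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host ("Created policy {0} in state {1}" -f $created.Id, $created.State)

# --- Step 3: verify what is now defined ---
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```

Leave the policy in report-only mode for a few days and read the Conditional Access report-only results in the sign-in logs; once every admin sign-in shows "report-only: success" and the unregistered-admins list is empty, change `state` to `enabled`. A second policy with `includeUsers = @("All")` extends the same requirement to the rest of the organization, which is where the post's advice ultimately points.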