60 Zero-standing-access delivery pattern
The engagement model behind the rest of this catalog: the consultancy holds no standing admin or data access to a client tenant. Access is granted per task, time-boxed, logged and revoked automatically, so a compromise of the consultancy is not a compromise of the client. It has no Admin Console screen of its own — it is enforced by JIT elevation (40 Scripted JIT admin elevation) and access recertification (41 Periodic access recertification).
Documentation: Security best practices for administrator accounts ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- automatable: AI agent Weekly: review the grants log — every temporary grant must map to a request and an expiry.
How to verify
Enumerate standing privileged grants — the result should be the documented floor (break-glass plus nothing).
gam print admins
v0.0.2Meta policy #19 · #29, #32 ↗