Skip to content
BlueStone Tech
Project 06 · Identity & Productivity

Privileged Access Cleanup

Most Melbourne SMBs have 4–8 Global Admin accounts. They should have one or two.

Email us about this project See all 7 projects

What's included

Fixed scope. Written deliverables.

Every line below is in the Statement of Work. We don't expand scope mid-project; we don't shrink it. If something needs to change, we agree it in writing.

  • Audit of all Global Admin / Privileged Role accounts in your Microsoft 365 tenant
  • MFA enforcement on every privileged account
  • Break-glass emergency account configured (with secure procedure for use)
  • Conditional Access policy stack just for admins (no admin signs in from a non-managed device)
  • Aligned to Essential 8 ML2 "Restrict Administrative Privileges" control

Frequently asked

About this project specifically.

Why do most SMBs end up with 4-8 Global Admin accounts?
Three reasons: (1) the original IT consultant made themselves Global Admin and never removed access; (2) Microsoft 365 onboarding tutorials say 'use a Global Admin account' for the first setup, and that account never gets demoted; (3) every 'just for this one task' admin grant becomes permanent. The audit catches all three.
What's a 'break-glass' account and why do I need one?
A break-glass account is a single, highly-secured admin account stored in a sealed envelope (literally) that can rescue you if all your other admin accounts get locked out — e.g., your main admin loses their phone and MFA at the same time. It's used maybe once every 3 years, but when you need it, you really need it. Microsoft recommends one per tenant; we configure it as part of this project.
Does this satisfy the Essential 8 "Restrict Admin Privileges" control?
ML2-compliant for that control, yes. We follow the ACSC Essential 8 implementation guide. If you're working towards full Essential 8 ML2 across all 8 controls, this is one of the eight projects in scope — see /cyber/essential-8-melbourne for the broader uplift offering.

Other identity projects

Often paired with this one.

SaaS SSO via Entra ID

$1,800

Stop your team from juggling passwords. Single sign-on for the SaaS apps you actually use.

See project

Conditional Access Baseline

$2,400

Eight policies that block 90% of credential attacks. Designed and deployed in three weeks.

See project

Joiner-Mover-Leaver Automation Pack

$1,200

New hire on Monday, your IT does the rest. Same when someone leaves.

See project
Same-business-day email reply · no sales calls

Want a quote for Privileged Access Cleanup? It takes 2 minutes.

We'll email back with a tailored proposal — no calls, no follow-ups you didn't ask for.

Get a free quote Book a call