Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365

Secure your Microsoft 365 environment by ensuring administrative accounts are distinct and solely cloud-based, enhancing control and minimizing risks.


Explained: Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365

Administrative accounts are designated privileged accounts with differing levels of access to data, users, and configurations. Standard user accounts should never be used for administrative functions. In hybrid environments, it's crucial to keep administrative accounts separate from on-premises (synchronized) accounts. These accounts should not have applications attached, so that a compromise of a service such as email, Teams, or SharePoint cannot be used to reach the privileged identity. They should only be granted the access required for their administrative tasks. It's imperative to license administrative accounts without attached applications and to ensure they are solely cloud-based.

Why Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365?

By ensuring that administrative accounts are solely cloud-based and not associated with any applications, you effectively minimize the attack surface for highly privileged identities within your environment. However, to utilize Microsoft 365 security services like Identity Protection, PIM, and Conditional Access, an administrative account must be licensed. It's essential to select a license that excludes applications with potentially vulnerable services. Consider using either Microsoft Enterprise ID P1 or Microsoft Enterprise ID P2 for the cloud-only account with administrative roles. In a hybrid environment, maintaining separate accounts helps mitigate the risk of a breach affecting both the cloud and on-premises environments. This segregation ensures that if a breach occurs in one environment, it does not compromise the security of the other.

Which Microsoft License Is This Recommended For?

This security setting is recommended for at least the E3 Level 1 profile, which aims to be practical and sensible, offer a distinct security advantage, and not inhibit the functionality of the technology beyond acceptable means.

How to Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365:

To create licensed, separate Administrative accounts for Administrative users, please follow these steps:

  1. Go to the Microsoft 365 admin center at https://admin.microsoft.com.
  2. Expand the Users section and select Active users.
  3. Click on "Add a user."
  4. Fill out the required fields for Name, username, etc.
  5. When prompted to assign licenses, choose either Microsoft Enterprise ID P1 or Microsoft Enterprise ID P2 as needed, then click Next.
  6. On the Option settings screen, select "Admin center access" and then choose the appropriate administrative role. Click Next.
  7. Finally, select "Finish adding" to complete the process.
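The same three outcomes (a cloud-only account, a license without application workloads, and a scoped administrative role) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example and not part of the original page or any Microsoft documentation; the UPN, display name, role name and usage location are placeholders, and the SKU part numbers `AAD_PREMIUM` / `AAD_PREMIUM_P2` are the identifiers Microsoft uses for the Entra ID P1 and P2 subscriptions.

```powershell
# Added example (not from the page): create a separate, cloud-only admin account with the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph). Replace the placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

$adminUpn = 'adm-jdoe@contoso.onmicrosoft.com'   # placeholder: dedicated admin identity, not the daily-use account
$roleName = 'Exchange Administrator'              # placeholder: the least-privileged role that covers the task
$skuName  = 'AAD_PREMIUM'                         # Entra ID P1 SKU part number; use 'AAD_PREMIUM_P2' for P2

# 1. Cloud-only account: created directly in the tenant, never synchronized from on-premises.
#    Random initial password that must be changed at first sign-in.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName 'Admin - J. Doe' -UserPrincipalName $adminUpn `
    -MailNickname ($adminUpn.Split('@')[0]) -AccountEnabled:$true -UsageLocation 'US' `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# 2. License with no application workloads: Entra ID P1/P2 carries the security services
#    (Conditional Access, Identity Protection, PIM) but no mailbox, Teams or SharePoint plan.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuName
if (-not $sku) { throw "SKU $skuName is not present in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @{ SkuId = $sku.SkuId } -RemoveLicenses @() | Out-Null

# 3. Assign the administrative role via the unified role-management API
#    (works even for roles that have never been activated in the directory).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' not found" }
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null

"Created $($user.UserPrincipalName) (cloud-only), licensed with $skuName, assigned $roleName"
"Initial password (deliver out-of-band, never by email to the new account): $initialPassword"
```

The role is assigned as a permanent active assignment to mirror the admin-center steps; in a tenant that uses PIM, an eligible assignment with activation on demand is the tighter option and the rest of the script is unchanged.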

What business impact does the security best practice "Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365" have?

Administrative users will need to switch between accounts and utilize login/logout functionality when carrying out administrative duties. Additionally, they won't benefit from Single Sign-On (SSO) capabilities.

How to verify the security best practice "Ensure that administrative accounts are distinct and solely cloud-based - Microsoft 365" has been implemented:

To ensure that Administrative accounts are separate and solely cloud-based, follow these steps:

  1. Go to the Microsoft 365 admin center at https://admin.microsoft.com.
  2. Expand the Users section and select Active users.
  3. Sort the users by the Licenses column.
  4. For each user account in an administrative role, verify the following:
     - The account is Cloud-only (not synchronized from on-premises).
     - The account is assigned a license that does not include any associated applications, such as Microsoft Enterprise ID P1 or Microsoft Enterprise ID P2.
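Checking each admin by hand in the Active users list does not scale, so the following added example (not from the page) automates the verification with the Microsoft Graph PowerShell SDK. It enumerates every user holding a directory role and reports two things per user: whether the account is synchronized from on-premises, and whether any provisioned service plan on its licenses is an application workload. The `$workloadPlanPattern` list of service plan name fragments is a constructed assumption to adjust for your tenant.

```powershell
# Added example (not from the page): audit directory role holders for the two conditions
# in the verification steps above. Read-only scopes are sufficient.
Connect-MgGraph -Scopes 'Directory.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Service plan names that mean the license includes an application workload
# (constructed pattern list: Exchange, SharePoint, Teams, Skype/Teams voice, Office apps).
$workloadPlanPattern = 'EXCHANGE|SHAREPOINT|TEAMS|MCOSTANDARD|OFFICESUBSCRIPTION'

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects; groups and service principals are outside this check
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user     = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled
        $licenses = Get-MgUserLicenseDetail -UserId $user.Id

        # Cloud-only accounts have OnPremisesSyncEnabled unset; synced accounts have it $true
        $cloudOnly = ($user.OnPremisesSyncEnabled -ne $true)

        # Provisioned service plans that are application workloads (mailbox, Teams, SharePoint, ...)
        $appPlans = @($licenses.ServicePlans |
            Where-Object { $_.ProvisioningStatus -eq 'Success' -and $_.ServicePlanName -match $workloadPlanPattern } |
            Select-Object -ExpandProperty ServicePlanName -Unique)

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            CloudOnly         = $cloudOnly
            Licenses          = ($licenses.SkuPartNumber -join ',')
            AppWorkloads      = ($appPlans -join ',')
            Compliant         = $cloudOnly -and ($appPlans.Count -eq 0)
        }
    }
}

$findings | Sort-Object Compliant, Role | Format-Table -AutoSize
$findings | Where-Object { -not $_.Compliant } |
    Export-Csv -Path .\admin-account-findings.csv -NoTypeInformation
```

`Get-MgDirectoryRole` returns only roles that have been activated in the directory and only their permanent active members, so PIM-eligible assignments are not covered by this pass; in tenants that use PIM, run the same per-user checks over the principals returned by `Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance` as well. A user that appears under several roles is listed once per role, which is convenient for spotting over-privileged accounts in the CSV.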
