Highly privileged accounts shall be cloud-only

Description

Assign users who need to perform highly privileged tasks separate cloud-only Azure AD accounts, so that a compromise of the on-premises identity infrastructure (or a federated identity provider) cannot be extended into control of the tenant's most privileged roles.

Policy

  • Users that need to be assigned to highly privileged Azure AD roles SHALL be provisioned cloud-only accounts that are separate from the on-premises directory or other federated identity providers.

Licensing Considerations

  • All Microsoft licensing models support this configuration.

Set Up Instructions

  1. Follow these steps to review the membership of highly privileged administrative roles such as Global Administrator

  2. Ensure that each account holding one of these roles is cloud-only (not synchronized from the on-premises directory or a federated identity provider)

End-User Impact

Level: None

There is no end-user impact, because this policy only establishes separate cloud-only administrative accounts; ordinary user accounts are unchanged.

Tips

Periodically review the privileged roles within the organization to ensure compliance with this policy.

PowerShell Scripts

Getting Sync Status: Listing Azure AD/Office 365 User Accounts with Directory Sync Status (practical365.com)

View Microsoft 365 user accounts with PowerShell - Microsoft 365 Enterprise | Microsoft Learn
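The following script is an added example (not from the original page or the linked articles) that implements the two set-up steps above as a repeatable check: it enumerates the members of each highly privileged role and reports whether the account is cloud-only. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to the listed read-only scopes, and that the role names in `$privilegedRoles` are the ones your organization treats as highly privileged.

```powershell
# Added example: report whether members of highly privileged Azure AD roles
# are cloud-only. Not the page's or Microsoft's own code; role names assumed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" | Out-Null

function Get-PrivilegedAccountSyncStatus {
    param(
        # Roles to inspect; extend this list to match your own definition of "highly privileged"
        [string[]] $privilegedRoles = @("Global Administrator", "Privileged Role Administrator")
    )

    foreach ($roleName in $privilegedRoles) {
        # A built-in role only appears here once it has been activated in the tenant
        $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
        if (-not $role) {
            Write-Warning "Role '$roleName' is not activated in this tenant; skipping"
            continue
        }

        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
            # Only user objects carry a directory-sync state; skip groups and service principals
            if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

            $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled

            # OnPremisesSyncEnabled is $true for accounts synced from on-premises AD
            # and null for cloud-only accounts, so "not true" means cloud-only
            [pscustomobject]@{
                Role      = $roleName
                User      = $user.UserPrincipalName
                CloudOnly = ($user.OnPremisesSyncEnabled -ne $true)
            }
        }
    }
}

# Full inventory, then only the accounts that violate the policy
$report = Get-PrivilegedAccountSyncStatus
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.CloudOnly } |
    ForEach-Object { Write-Warning "Synced account holds privileged role: $($_.User) ($($_.Role))" }
```

Run this on the review cadence described under Tips; any account listed with `CloudOnly` equal to `False` needs to be replaced by a separate cloud-only administrative account before the role is removed from the synced identity.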

Videos

  • None currently
