Highly privileged accounts shall be cloud-only
Description
Assign users that need to perform highly privileged tasks to cloud-only Azure AD accounts, separate from their day-to-day synchronized identities, so that a compromise of the on-premises directory (or of the infrastructure that synchronizes or federates it) cannot be turned into a takeover of the tenant's privileged roles.
Policy
Users that need to be assigned to highly privileged Azure AD roles SHALL be provisioned cloud-only accounts that are separate from the on-premises directory or other federated identity providers.
Licensing Considerations
• All Microsoft Licensing Models support this configuration.
Set Up Instructions
Follow these steps to review the highly privileged administrative roles, such as Global Administrator:
1. In the Azure AD admin center, open Roles and administrators and list the members of each highly privileged role, including any members inherited through role-assignable groups.
2. Ensure that each member is a cloud-only account: the user's "On-premises sync enabled" property should be blank or "No". Any member showing "Yes" is synchronized from the on-premises directory and must be replaced with a separate, cloud-only administrative account.
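The review above can be scripted. The following is an added example, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK to enumerate the members of a set of highly privileged roles (expanding role-assignable groups one level) and flags any member whose OnPremisesSyncEnabled property is true, which is how a synchronized account is distinguished from a cloud-only one. The list of role display names is an assumption; only Global Administrator is named on this page, so adjust the list to the roles your organization designates as highly privileged.

```powershell
# Added example (not from the original page): report members of highly privileged
# Azure AD roles and flag accounts synchronized from on-premises AD.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'User.Read.All'

# Assumed set of "highly privileged" roles; the page itself names only Global Administrator.
$privilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Hybrid Identity Administrator',
    'Application Administrator',
    'Cloud Application Administrator'
)

function Get-RoleUserIds {
    # Returns the object IDs of users assigned to a role, expanding role-assignable
    # groups one level. Service principals are skipped; this policy is about user accounts.
    param([Parameter(Mandatory)][string]$RoleId)
    $ids = @()
    foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId -All)) {
        switch ($member.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'  { $ids += $member.Id }
            '#microsoft.graph.group' {
                $ids += (Get-MgGroupMember -GroupId $member.Id -All |
                    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }).Id
            }
            default { }
        }
    }
    $ids | Where-Object { $_ } | Select-Object -Unique
}

# Get-MgDirectoryRole lists only roles that have been activated in the tenant;
# a role that was never activated has no members to review.
$findings = foreach ($role in (Get-MgDirectoryRole -All | Where-Object DisplayName -in $privilegedRoles)) {
    foreach ($uid in Get-RoleUserIds -RoleId $role.Id) {
        # OnPremisesSyncEnabled is not returned by default, so request it explicitly.
        $user = Get-MgUser -UserId $uid -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            # $true for synchronized accounts; $null (not $false) for cloud-only accounts.
            CloudOnly         = -not ($user.OnPremisesSyncEnabled -eq $true)
            ImmutableId       = $user.OnPremisesImmutableId
        }
    }
}

$findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

$violations = @($findings | Where-Object { -not $_.CloudOnly })
if ($violations.Count -gt 0) {
    Write-Warning "$($violations.Count) privileged role assignment(s) belong to on-premises-synchronized accounts."
}
```

Two caveats when reading the output. A cloud-only account has OnPremisesSyncEnabled unset rather than false, which is why the script tests for `-eq $true` instead of a plain boolean. And Get-MgDirectoryRoleMember returns only active (permanent or currently activated) assignments; if the tenant uses Privileged Identity Management, eligible assignments that are not currently active also need to be reviewed, since an eligible synchronized account can still activate the role.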
End-User Impact
Level: None
There is no end-user impact: this policy only creates separate cloud-only administrative accounts. The impact falls on administrators, who must sign in with the dedicated cloud-only account (rather than their synchronized day-to-day account) whenever they perform privileged tasks.
Tips
Periodically review the members of the privileged roles within the organization, including members inherited through role-assignable groups and any PIM-eligible assignments, to ensure continued compliance with this policy.
PowerShell Scripts
Getting Sync Status: Listing Azure AD/Office 365 User Accounts with Directory Sync Status (practical365.com)
View Microsoft 365 user accounts with PowerShell - Microsoft 365 Enterprise | Microsoft Learn
Videos
• None Currently
Last updated