1.6 Ensure Administrative accounts are separate, unassigned, and cloud-only

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for Administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, Sharepoint, etc.) and only access to perform tasks as needed for Administrative purposes.


Creating separate, unassigned (not have applications assigned), cloud-only Administrative accounts will help ensure that accounts are less susceptible to attacks than a lesser privileged account. In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice-versa.


Since there are no license assignments required for Administrative accounts performing admin-level duties there is no financial impact. Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To created non-licensed Administrative accounts for Administrative users, use the Microsoft 365 Admin Center:

Log in to https://admin.microsoft.com as a Global Administrator.

Go to Admin centers and click on Azure Active Directory.

Select Users > Active users then click Add a user.

Fill out the appropriate fields for Name, user, etc.

When prompted to assign licenses select Create user without product license (not recommended), then click Next.

Under the Option settings screen you may choose from several types of Administrative access roles. Choose Admin center access followed by the appropriate role then click Next.

Select Finish adding.

Default Value:


See Also