1.5 Ensure Administrative accounts are separate and cloud-only


Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for Administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for Administrative purposes.


Ensuring administrative accounts are cloud-only, without applications assigned to them will reduce the attack surface of high privileged identities in your environment. In order to participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access an administrative account will need a license attached to it. Ensure that the license used does not include any applications with potentially vulnerable services by using either Azure Premium P1 or Azure Premium P2 for the cloud-only account with administrator roles.

In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice-versa.


Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To created licensed, separate Administrative accounts for Administrative users, using the Microsoft 365 Admin Center:

Log in to https://admin.microsoft.com as a Global Administrator.

Go to Admin centers and click on Azure Active Directory.

Select Users > Active users then click Add a user.

Fill out the appropriate fields for Name, user, etc.

When prompted to assign licenses select as needed Azure Premium P1 or Azure Premium P2, then click Next.

Under the Option settings screen you may choose from several types of Administrative access roles. Choose Admin center access followed by the appropriate role then click Next.

Select Finish adding.

Default Value:


See Also


Item Details


References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.1

Plugin: microsoft_azure

Control ID: 831a27959c4af6bf3c7bb4acad18f5cb5fd60dcf389313ed2a924c717658b25d