1.1.1 Ensure Administrative accounts are separate and cloud-only


Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes.

Ensure administrative accounts are licensed without attached applications and cloud-only.


Ensuring administrative accounts are cloud-only, without applications assigned to them will reduce the attack surface of high privileged identities in your environment. In order to participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access an administrative account will need a license attached to it. Ensure that the license used does not include any applications with potentially vulnerable services by using either Microsoft Entra ID P1 or Microsoft Entra ID P2 for the cloud-only account with administrator roles.

In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice versa.


Administrative users will have to switch accounts and utilizing login/logout functionality when performing administrative tasks, as well as not benefiting from SSO.

NOTE: Alerts will be sent to the TenantAdmins, including Global Administrators, by default. To ensure proper receipt, configure alerts to be sent to security or operations staff with valid email addresses or a security operations center. Otherwise, after adoption of this recommendation, alerts sent to TenantAdmins may go unreceived due to the lack of a application-based license assigned to the Global Administrator accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To created licensed, separate Administrative accounts for Administrative users:

Navigate to Microsoft 365 admin center https://admin.microsoft.com.

Click to expand Users select Active users

Click Add a user.

Fill out the appropriate fields for Name, user, etc.

When prompted to assign licenses select as needed Microsoft Entra ID P1 or Microsoft Entra ID P2, then click Next.

Under the Option settings screen you may choose from several types of Administrative access roles. Choose Admin center access followed by the appropriate role then click Next.

Select Finish adding.

Default Value:


See Also


Item Details


References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.1

Plugin: microsoft_azure

Control ID: 3ef98bf7e235110f371c5fd612266c88af1cb20ae28ca622b206828698e4108f