062: Use cloud-only privileged accounts

Overview

Use cloud-only accounts for privileged roles in the cloud. Identify all accounts with privilege role memberships and audit which accounts are synced from on-premises AD. Create a plan to create a new cloud-only account for each synced admin account. Give the cloud-only admin accounts similar or identical role assignments as the synced accounts.

Remove the role assignments from the synced accounts and consider removing them from sync scope in Entra Connect entirely. Ensure that your administrators know to use the new cloud-only administrator accounts.

These cloud-only administrator accounts should use the *.onmicrosoft.com domain to mitigate possible external factors, like domain expiration, federation issues, others. To better protect these cloud-only privileged accounts implement phish resistant MFA, JIT, PAWs and other security tools/mechanisms (further explained in other sections of this guide).

Consider the implementation of emergency access accounts, typically referred to as break-glass accounts, for emergency access. These accounts should not be used on a regular basis, and like the name implies should only be used in emergencies when your default admin credentials cannot be used.

Reference

• Protecting Microsoft 365 from on-premises attacks - Microsoft Entra | Microsoft Learn
• Protect your Microsoft 365 privileged accounts
• Why use an emergency access account?