Skip to main content

Use cloud-only privileged accounts

Implementation Effort: Medium – IT teams need to identify all privileged accounts synced from Active Directory, create equivalent cloud-only accounts, assign roles, and update procedures to ensure only the new accounts are used.

User Impact: Low – Admins will need to switch to using new cloud-only accounts, but daily tasks remain the same.

Overview

Using cloud-only accounts for privileged access in Microsoft Entra helps reduce risk by separating critical admin identities from on-premises infrastructure. Threat actors often target synced accounts through on-prem attacks, so shifting to cloud-only accounts helps enforce the Zero Trust principle of "Assume breach" by isolating privileged access from compromised domains or federation failures. It also supports "Verify explicitly" because these accounts can use stronger identity protections available in Microsoft Entra, such as phish-resistant MFA, device trust, and Conditional Access policies that are harder to enforce on synced identities.

To start, organizations must identify all privileged accounts synced from Active Directory. For each, they should create a new cloud-only admin account using a secure domain like *.onmicrosoft.com, assign similar roles, and configure protections like Just-In-Time access and Privileged Access Workstations (PAWs). Once verified, the privileged roles should be removed from the synced accounts, and those accounts should ideally be excluded from sync altogether.

Cloud-only admin accounts must be tightly controlled and used only for privileged operations. Organizations should also create break-glass accounts that are cloud-only and excluded from Conditional Access to maintain emergency access if all other admin paths fail. Without moving to cloud-only accounts, the organization remains exposed to lateral movement from on-prem infrastructure and risks tied to sync failures, domain expiration, or federation issues.

Reference