Forum Discussion

ErikVet's avatar
ErikVet
Copper Contributor
Feb 14, 2020
Solved

Best Practive for Admin Accounts with ADFS / AAD - OnPremise ones or Cloud based

Hi,   i just wanted to know from a technical standpoint if there are any disadvantages from using synced accounts (of course specials accounts) and asign them admin roles in the cloud or should you...
  • Cian Allner's avatar
    Feb 14, 2020

    ErikVet The environments I have worked in, administrator accounts have tended to be synced accounts, the point about lateral movement is a good one though.  There is nothing that a synced account can't do that a cloud account for admin and visa versa in a practical matter. 

     

    This is a really good article on creating a resilient access control management strategy with Azure AD.  This is more if you start implementing Conditional Access and avoiding user or admin lockout with a set of recommendations.  It does include emergency access break glass accounts, outlined in its own article, as you alluded to here is Microsoft's recommendation:

     

    "Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment."

     

    Plenty more general best practices and here that you may have seen already.  This is Microsoft's advice for Office 365 and setting up dedicated admin accounts only to be used when global administrator access is required and using other administration roles for user accounts.

Resources