SOLVED

Best Practive for Admin Accounts with ADFS / AAD - OnPremise ones or Cloud based

%3CLINGO-SUB%20id%3D%22lingo-sub-1173408%22%20slang%3D%22en-US%22%3EBest%20Practive%20for%20Admin%20Accounts%20with%20ADFS%20%2F%20AAD%20-%20OnPremise%20ones%20or%20Cloud%20based%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1173408%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20just%20wanted%20to%20know%20from%20a%20technical%20standpoint%20if%20there%20are%20any%20disadvantages%20from%20using%20synced%20accounts%20(of%20course%20specials%20accounts)%20and%20asign%20them%20admin%20roles%20in%20the%20cloud%20or%20should%20you%20always%20choose%20cloud-only%20users%20for%20admin%20purposes.%20Yes%20I%20know%20there%20should%20be%20a%20cloud%20admin%20without%20MFA%20for%20%22Just%20in%20case%22.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20asking%20this%20if%20we%20could%20run%20into%20any%20problems%20later%20in%20the%20whole%20MS%20cloud%20environment.%20e.g.%20for%20some%20tasks%20you%20need%20a%20cloud%20only%20user.%20For%20example%20I%20remember%20that%20for%20specific%20use%20cases%20you%20have%20to%20use%20Cloud%20Only%20Groups%20in%20the%20Dynamics%20area.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20documentation%20around%20this%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thx%3C%2FP%3E%3CP%3EErik%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20the%20any%20special%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1173408%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1173421%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practive%20for%20Admin%20Accounts%20with%20ADFS%20%2F%20AAD%20-%20OnPremise%20ones%20or%20Cloud%20based%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1173421%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F248724%22%20target%3D%22_blank%22%3E%40ErikVet%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20isn't%20anything%20that%20a%20cloud%20only%20user%20can't%20do%20compared%20to%20a%20sync'ed%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20recommend%20using%20cloud%20only%20admin%20accounts%20to%20avoid%20lateral%20movement%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1173619%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practive%20for%20Admin%20Accounts%20with%20ADFS%20%2F%20AAD%20-%20OnPremise%20ones%20or%20Cloud%20based%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1173619%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F248724%22%20target%3D%22_blank%22%3E%40ErikVet%3C%2FA%3E%26nbsp%3BThe%20environments%20I%20have%20worked%20in%2C%20administrator%20accounts%20have%20tended%20to%20be%20synced%20accounts%2C%20the%20point%20about%20lateral%20movement%20is%20a%20good%20one%20though.%26nbsp%3B%20There%20is%20nothing%20that%20a%20synced%20account%20can't%20do%20that%20a%20cloud%20account%20for%20admin%20and%20visa%20versa%20in%20a%20practical%20matter.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20really%20good%20article%20on%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-resilient-controls%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecreating%20a%20resilient%20access%20control%20management%20strategy%20with%20Azure%20AD%3C%2FA%3E.%26nbsp%3B%20This%20is%20more%20if%20you%20start%20implementing%20Conditional%20Access%20and%20avoiding%20user%20or%20admin%20lockout%20with%20a%20set%20of%20recommendations.%26nbsp%3B%20It%20does%20include%20emergency%20access%20break%20glass%20accounts%2C%20outlined%20in%20its%20own%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-emergency-access%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Earticle%3C%2FA%3E%2C%20as%20you%20alluded%20to%20here%20is%20Microsoft's%20recommendation%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CEM%3ECreate%20two%20or%20more%20emergency%20access%20accounts.%20These%20accounts%20should%20be%20cloud-only%20accounts%20that%20use%20the%20*.onmicrosoft.com%20domain%20and%20that%20are%20not%20federated%20or%20synchronized%20from%20an%20on-premises%20environment.%3C%2FEM%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlenty%20more%20general%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-admin-roles-secure%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ebest%20practices%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity%2Ffundamentals%2Fidentity-management-best-practices%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20that%20you%20may%20have%20seen%20already.%26nbsp%3B%20This%20is%20Microsoft's%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Fprotect-your-global-administrator-accounts%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eadvice%3C%2FA%3E%20for%20Office%20365%20and%20setting%20up%20dedicated%20admin%20accounts%20only%20to%20be%20used%20when%20global%20administrator%20access%20is%20required%20and%20using%20other%20administration%20roles%20for%20user%20accounts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1173643%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practive%20for%20Admin%20Accounts%20with%20ADFS%20%2F%20AAD%20-%20OnPremise%20ones%20or%20Cloud%20based%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1173643%22%20slang%3D%22en-US%22%3EWe%20often%20use%20dedicated%20Cloud%20Only%20accounts%20for%20admins.%20Mainly%20for%20seperating%20them%20from%20onpremises%20and%20if%20something%20really%20breakes%20in%20the%20AD%20Sync%20we%20still%20know%20we%20can%20get%20in%20using%20Cloud%20Only%20accounts.%3CBR%20%2F%3E%3CBR%20%2F%3EJust%20have%20to%20make%20sure%20you%20also%20remove%20the%20cloud%20only%20account%20when%20someone%20quits.%20I%20would%20also%20make%20sure%20that%20Passeword%20Protection%20is%20applied%20to%20on-premises%20AD.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20so%20far%20I%20have%20not%20found%20anything%20that%20doesn%E2%80%99t%20work.%20It%E2%80%99s%20if%20you%20assign%20rights%20to%20resources%20to%20onpremises%20groups.%20You%20can%E2%80%99t%20add%20a%20cloud%20user%20to%20a%20onpremises%20group%20that%20is%20synced.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1176078%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practive%20for%20Admin%20Accounts%20with%20ADFS%20%2F%20AAD%20-%20OnPremise%20ones%20or%20Cloud%20based%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1176078%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F248724%22%20target%3D%22_blank%22%3E%40ErikVet%3C%2FA%3E%26nbsp%3BOk%2C%20so%20we%20are%20currently%20using%20cloud%20only%20adm%20accounts%20with%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Conditonal%20Access%20Policy%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3EAzure%20MFA%20enforced%3C%2FP%3E%3C%2FLI%3E%3CLI%3ELegacy%20Protocols%20and%20Basic%20AuthN%20blocked%3C%2FLI%3E%3CLI%3Eto%20restrict%20access%20from%20On-Prem%20networks%3C%2FLI%3E%3CLI%3EWe%20will%20implement%20further%20restrictions%2Fcontrols%20as%20soon%20as%20MS%20provides%20them...%20not%20sure%20what%20I%20can%20post%20about%20this%20here.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWe%20have%20one%20emergency%20account.%3C%2FP%3E%3CP%3EWe%20using%20PIM%20to%20asign%20adm%20roles%20on%20request.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20We%20would%20love%20to%20enforce%20hybrid%20joined%20clients%20as%20well%2C%20however%20this%20currently%20brakes%20browser%20based%20administration.%20It%20seems%20that%20in%20private%20mode%20%2F%20or%20incognito%20%2C%20device%20auth%20does%20not%20work%20and%20the%20cloud%20only%20account%20gets%20blocked...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi,

 

i just wanted to know from a technical standpoint if there are any disadvantages from using synced accounts (of course specials accounts) and asign them admin roles in the cloud or should you always choose cloud-only users for admin purposes. Yes I know there should be a cloud admin without MFA for "Just in case". 

 

I'm asking this if we could run into any problems later in the whole MS cloud environment. e.g. for some tasks you need a cloud only user. For example I remember that for specific use cases you have to use Cloud Only Groups in the Dynamics area.

 

Is there any documentation around this ? 

 

Many thx

Erik

 

 

Are the any special   

 

4 Replies
Highlighted

@ErikVet 

There isn't anything that a cloud only user can't do compared to a sync'ed user.

 

I recommend using cloud only admin accounts to avoid lateral movement though.

Highlighted
Best Response confirmed by ErikVet (Occasional Contributor)
Solution

@ErikVet The environments I have worked in, administrator accounts have tended to be synced accounts, the point about lateral movement is a good one though.  There is nothing that a synced account can't do that a cloud account for admin and visa versa in a practical matter. 

 

This is a really good article on creating a resilient access control management strategy with Azure AD.  This is more if you start implementing Conditional Access and avoiding user or admin lockout with a set of recommendations.  It does include emergency access break glass accounts, outlined in its own article, as you alluded to here is Microsoft's recommendation:

 

"Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment."

 

Plenty more general best practices and here that you may have seen already.  This is Microsoft's advice for Office 365 and setting up dedicated admin accounts only to be used when global administrator access is required and using other administration roles for user accounts.

Highlighted
We often use dedicated Cloud Only accounts for admins. Mainly for seperating them from onpremises and if something really breakes in the AD Sync we still know we can get in using Cloud Only accounts.

Just have to make sure you also remove the cloud only account when someone quits. I would also make sure that Passeword Protection is applied to on-premises AD.

But so far I have not found anything that doesn’t work. It’s if you assign rights to resources to onpremises groups. You can’t add a cloud user to a onpremises group that is synced.
Highlighted

@ErikVet Ok, so we are currently using cloud only adm accounts with

 

- Conditonal Access Policy

  • Azure MFA enforced

  • Legacy Protocols and Basic AuthN blocked
  • to restrict access from On-Prem networks
  • We will implement further restrictions/controls as soon as MS provides them... not sure what I can post about this here.

We have one emergency account.

We using PIM to asign adm roles on request.

 

Note: We would love to enforce hybrid joined clients as well, however this currently brakes browser based administration. It seems that in private mode / or incognito , device auth does not work and the cloud only account gets blocked...