Query on Azure Privileged Account Best Practices - including Licence assignment

Brass Contributor

Just curious as to what people's thoughts were around not assigning a mailbox (unless Global Admin), utilising AD password policies and only assigning the Azure P2 licence to AAD privileged accounts?





2 Replies


I saw quite a lot of organizations using this now a day (without Email), since 2FA can rely on other alternative, btw, please also take note in terms of security and compliance issue, say E5 is required for longer activity log retention

Hi @James_Agombar It's essential to follow best practices when managing Azure privileged accounts to ensure the security and compliance of your organization. Here are some best practices you can follow, including license assignment and mailbox management: 1- Limit the number of privileged accounts: Minimize the number of users with elevated permissions, and only grant privileges to those who require them. 2- Utilize Azure AD Privileged Identity Management (PIM): Azure AD PIM allows you to manage, control, and monitor access to important resources in your organization. Use it to enable Just-In-Time (JIT) access, provide temporary privileges, and enforce Multi-Factor Authentication (MFA) for privileged accounts. 3- Assign Azure AD P2 licenses: Assign Azure AD Premium P2 licenses only to users who need to perform privileged tasks, such as managing PIM or handling sensitive data. This can help you save costs and prevent unauthorized access. 4- Separate privileged accounts from regular user accounts: Encourage users to maintain separate accounts for privileged tasks and everyday activities. This minimizes the attack surface and prevents accidental misuse of elevated privileges. 5- Enforce Multi-Factor Authentication (MFA): Always require MFA for privileged accounts to add an extra layer of security and reduce the risk of unauthorized access. 6- Apply strong password policies: Use Azure AD password policies to enforce strong, unique passwords for privileged accounts. This helps protect against password-based attacks. 7- Limit mailbox access: Restrict mailbox access for privileged accounts to only those who need it, such as Global Administrators. This can help minimize the attack surface and reduce the risk of data exposure through email. 8- Regularly review and audit privileged access: Regularly review and audit privileged account assignments, activities, and access. This helps you detect and remediate any unauthorized access or potential misuse. 9- Implement Conditional Access policies: Use Azure AD Conditional Access to enforce policies based on user, location, device, and other factors. This helps you to manage and secure privileged access effectively. 10- Provide training and guidance: Educate privileged account users on security best practices, risks, and their responsibilities. Ensure they understand the importance of safeguarding their credentials and the potential consequences of misuse. By following these best practices, you can effectively manage and secure privileged accounts in your Azure environment.