Microsoft
MicrosoftThank you all for your comments. I agree with you 100%. This is not a replacement for PAWs or proper tiering. I would recommend PAWs for any privileged access any day of the week. This article does not supersede any advice or guidance laid out in the Securing privileged access overview | Microsoft Docs. I hoped that note would covey that, but I take your points and I will make this clearer in a revision.
This article was not meant to be a general discussion on securing privileged access, more a demonstration of this feature. But if you are going to expose privileged credentials on a normal workstation, and I still see this 10 times a day with customers, RDP or run as and banging in a DA password, then we have extra measures we need to take to at least protect that password. And we all know what they are, protected users (no more NTLM hash and enhanced Kerberos configuration), credential guard, FGPP, Kerberos hardening, smart card required for interactive logon combined with NTLM rolling in 2016 DFL etc etc. It's a feature that will not suit everyone, as rightly said in the comments, you have to expose the high priv cred on this machine, but if you are already doing it on a daily basis, least with this we can reduce that. If you are already in a hardened environment with a strong security posture, this will not be required either. In other environments, it might just be one extra line of defense.
