cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Possible to Disable ATP Controll over OnPrem Accounts

chufme
Copper Contributor

‎Mar 20 2023 09:37 AM

‎Mar 20 2023 09:37 AM

Possible to Disable ATP Controll over OnPrem Accounts

Is it possible to generally disable ATP to manage OnPrem AD Accounts?

With the move to the O365 Portal we have seen that there is the option to disable/enable accounts in the OnPrem AD which we must prevent. 

 

chufme_0-1679330081504.png

Alternativelly. Is there a way to prevent a group of accounts where this feature can be disabled? e.g. all Admin or Breakglass accounts?

 

Is there an easy way to do this?

741 Views
0 Likes
1 Reply
Reply
1 Reply
chufme

‎Mar 21 2023 07:49 AM

‎Mar 21 2023 07:49 AM

Re: Possible to Disable ATP Controll over OnPrem Accounts

I think I could solve some Parts of my question....

Action Accounts can be set in the "Settings>Identities>General>Manage action accounts" Section which will then prevent ATP to use the 'local system account'-rights to perform the operations OnPrem.
This will then force ATP to use the defined action accounts ("GMSA") to perform the actions where we can narrow down what the account can do.

But now we are still facing the challenge that a Security Admin in Azure could modify this setting (Radio button) in the Action Account section and by that gain unwanted control over OnPrem resources.
Any proposals to mitigate this?

Thanks for the feedback
0 Likes
Reply