CIS.M365.1.1.1 - (L1) Ensure Administrative accounts are cloud-only
Overview
1.1.1 (L1) Ensure Administrative accounts are cloud-only
Administrative accounts are special privileged accounts that can have varying levels of access to data, users, and settings. Regular user accounts should never be used for administrative tasks, and in a hybrid environment care should be taken to keep administrative accounts separate from on-premises accounts. Administrative accounts should not have applications or licenses assigned, so that they have no access to potentially vulnerable services (e.g. email, Teams, SharePoint) and can only perform the tasks needed for administration. Ensure administrative accounts are not on-premises sync enabled (the `onPremisesSyncEnabled` attribute in Microsoft Entra).
Rationale
In a hybrid environment, keeping privileged accounts cloud-only helps ensure that a breach of the on-premises directory (for example, a compromised domain controller or sync server) cannot be used to take over cloud administration, and that a breach in the cloud does not carry over into the on-premises environment.
Impact
Administrative users will need to utilize login/logout functionality to switch accounts when performing administrative tasks, which means they will not benefit from SSO. This will require a migration process from the 'daily driver' account to a dedicated admin account. Once the new admin account is created, permission sets should be migrated from the 'daily driver' account to the new admin account. This includes both M365 and Azure RBAC roles. Failure to migrate Azure RBAC roles could prevent an admin from seeing their subscriptions/resources while using their admin account.
Remediation action:
Remediation first requires identifying the privileged accounts that are synced from on-premises, then creating a new cloud-only account for each affected user. Once the replacement account is established and its roles are in place, the hybrid account should have its roles reduced to those of a non-privileged user, or be removed entirely, depending on need.
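The audit and the first remediation steps above, as an added PowerShell example using the Microsoft Graph PowerShell SDK. This is not Maester's own `Test-MtCisCloudAdmin` implementation; it is a stand-alone illustration. It assumes the `Microsoft.Graph` module is installed and that the signed-in account can read role assignments and users (and, for the remediation function, write them). The sample admin UPN and display name in the usage lines are assumptions.

```powershell
# Added example, not Maester project code. Requires the Microsoft.Graph SDK.
# Audit: list active Entra directory-role assignments held by users that are
# synced from on-premises (onPremisesSyncEnabled = true).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

function Get-SyncedPrivilegedAccount {
    [CmdletBinding()]
    param ()

    # Map role definition IDs to names so findings are readable.
    $roleNames = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    # Active assignments only. PIM-eligible assignments live in a separate
    # collection and are not covered here (see note below).
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All

    $userCache = @{}
    foreach ($a in $assignments) {
        if (-not $userCache.ContainsKey($a.PrincipalId)) {
            # Principals may also be groups or service principals; Get-MgUser
            # returns nothing for those, so they are skipped.
            $userCache[$a.PrincipalId] = Get-MgUser -UserId $a.PrincipalId `
                -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled `
                -ErrorAction SilentlyContinue
        }
        $u = $userCache[$a.PrincipalId]
        if ($null -eq $u) { continue }

        if ($u.OnPremisesSyncEnabled -eq $true) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                AccountEnabled    = $u.AccountEnabled
                Role              = $roleNames[$a.RoleDefinitionId]
                AssignmentId      = $a.Id
            }
        }
    }
}

# Remediation: create a cloud-only admin, copy the synced user's active role
# assignments to it, then remove those assignments from the synced user.
# Needs 'RoleManagement.ReadWrite.Directory' and 'User.ReadWrite.All'.
function Move-RoleToCloudOnlyAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $SyncedUserPrincipalName,
        [Parameter(Mandatory)] [string] $NewAdminUserPrincipalName,
        [Parameter(Mandatory)] [string] $DisplayName
    )
    $synced = Get-MgUser -UserId $SyncedUserPrincipalName -Property Id
    $mailNickname = ($NewAdminUserPrincipalName -split '@')[0]

    # Random one-time password; the admin must change it at first sign-in.
    # In practice, prefer a Temporary Access Pass and a phishing-resistant method.
    $newAdmin = New-MgUser -DisplayName $DisplayName `
        -UserPrincipalName $NewAdminUserPrincipalName -MailNickname $mailNickname `
        -AccountEnabled `
        -PasswordProfile @{ ForceChangePasswordNextSignIn = $true; Password = (New-Guid).Guid }

    $old = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($synced.Id)'"
    foreach ($a in $old) {
        if ($PSCmdlet.ShouldProcess($SyncedUserPrincipalName, "move role $($a.RoleDefinitionId)")) {
            New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $a.RoleDefinitionId `
                -PrincipalId $newAdmin.Id -DirectoryScopeId $a.DirectoryScopeId | Out-Null
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
        }
    }
    $newAdmin
}

# Usage (values are assumptions for illustration):
$findings = @(Get-SyncedPrivilegedAccount)
if ($findings.Count -eq 0) {
    Write-Host 'PASS: no on-premises synced accounts hold Entra directory roles.'
} else {
    Write-Host "FAIL: $($findings.Count) role assignment(s) held by synced accounts:"
    $findings | Format-Table -AutoSize
    # Move-RoleToCloudOnlyAdmin -SyncedUserPrincipalName 'jdoe@contoso.com' `
    #     -NewAdminUserPrincipalName 'adm-jdoe@contoso.onmicrosoft.com' `
    #     -DisplayName 'Jane Doe (Admin)' -WhatIf
}
```

Two caveats a practitioner should keep in mind: the audit only inspects direct, active assignments, so it will not flag a synced user who is privileged through a role-assignable group or who holds only a PIM-eligible assignment (those can be enumerated with `Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance`); and, as noted under Impact, Azure RBAC roles on subscriptions and resources are a separate system and must be migrated on their own.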
Related links
- Microsoft 365 Admin Center
- Add users and assign licenses in Microsoft 365
- Step 2. Protect your Microsoft 365 privileged accounts
- 9. Use cloud native accounts for Microsoft Entra roles
- What is Microsoft Entra?
- Microsoft Entra built-in roles
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 20
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.1.1.1 |
| Severity | High |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisCloudAdmin |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.1.1.1, L1 |
Source
- Pester test: tests/cis/Test-MtCisCloudAdmin.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisCloudAdmin.ps1