CISA.MS.AAD.7.3 - Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.
Overview
Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.
Rationale: A privileged account that is synchronized from an on-premises directory or authenticated through a federated identity provider inherits that environment's attack surface. An adversary who compromises the on-premises directory, the synchronization server, or the federation service can take over the account and, with it, its tenant-wide privileges. Provisioning privileged users with cloud-only accounts keeps tenant administration isolated from an on-premises compromise. Many privileged administrative users also do not need unfettered access to the tenant to perform their duties; assigning them to roles based on least privilege further reduces the risk if one of their accounts is compromised.
Remediation action:
- Perform the steps below for each highly privileged role.
- Review the role's members for users that have OnPremisesSyncEnabled set to true or a non-empty OnPremisesImmutableId; these are hybrid identities tied to an on-premises directory.
- For each such individual, create a cloud-only user account, assign the privileged role to that account, and remove the hybrid identity from the privileged role.
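The following script is an added example of the review and remediation procedure above; it is not Maester's own test code. It uses the Microsoft.Graph PowerShell SDK to enumerate active assignments of a set of highly privileged roles and report members that are hybrid identities. The role list is an assumption for illustration (adjust it to the roles your organization treats as highly privileged), and the account names and UPN in the remediation section are placeholders.

```powershell
# Added example, not part of Maester. Requires the Microsoft.Graph PowerShell SDK.
# Flags users holding highly privileged roles whose account is synchronized from
# on-premises AD (OnPremisesSyncEnabled) or carries an OnPremisesImmutableId.

# Assumption: an illustrative set of highly privileged roles. Adjust as needed.
$PrivilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Application Administrator',
    'Cloud Application Administrator',
    'Hybrid Identity Administrator'
)

# Read-only scopes are enough for the review; remediation needs
# RoleManagement.ReadWrite.Directory and User.ReadWrite.All as well.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

function Get-HybridPrivilegedUser {
    param([string[]] $RoleNames)

    # Resolve role names to unifiedRoleDefinition objects (filtered client-side).
    $roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All |
        Where-Object { $_.DisplayName -in $RoleNames }

    foreach ($roleDef in $roleDefs) {
        # Active assignments only; PIM-eligible assignments are a separate endpoint.
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All

        foreach ($assignment in $assignments) {
            # PrincipalId may be a user, group or service principal; skip non-users.
            try {
                $user = Get-MgUser -UserId $assignment.PrincipalId `
                    -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId `
                    -ErrorAction Stop
            } catch { continue }

            # OnPremisesSyncEnabled is $null for cloud-only accounts. OnPremisesImmutableId
            # can also be set manually, so any non-empty value is treated as needing review.
            $isHybrid = ($user.OnPremisesSyncEnabled -eq $true) -or
                        (-not [string]::IsNullOrEmpty($user.OnPremisesImmutableId))
            if ($isHybrid) {
                [pscustomobject]@{
                    Role                  = $roleDef.DisplayName
                    RoleDefinitionId      = $roleDef.Id
                    UserPrincipalName     = $user.UserPrincipalName
                    UserId                = $user.Id
                    OnPremisesSyncEnabled = $user.OnPremisesSyncEnabled
                    OnPremisesImmutableId = $user.OnPremisesImmutableId
                    RoleAssignmentId      = $assignment.Id
                }
            }
        }
    }
}

$findings = Get-HybridPrivilegedUser -RoleNames $PrivilegedRoles
$findings | Format-Table Role, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId

# Remediation for one finding: create a cloud-only admin account, assign it the role,
# then remove the hybrid identity's assignment. Run deliberately, one user at a time,
# after confirming the new account can sign in. Names and UPN below are placeholders.
#
# $finding  = $findings[0]
# $password = Read-Host -AsSecureString 'Initial password for the new admin account'
# $plain    = [System.Net.NetworkCredential]::new('', $password).Password
# $newAdmin = New-MgUser -DisplayName 'Admin - Jane Doe' `
#     -UserPrincipalName 'adm-jdoe@contoso.onmicrosoft.com' -MailNickname 'adm-jdoe' `
#     -AccountEnabled:$true `
#     -PasswordProfile @{ Password = $plain; ForceChangePasswordNextSignIn = $true }
# New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $finding.RoleDefinitionId `
#     -PrincipalId $newAdmin.Id -DirectoryScopeId '/'
# Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $finding.RoleAssignmentId
```

Two caveats when using this for the review: the script only inspects direct, active role assignments, so members inherited through role-assignable groups and PIM-eligible assignments are not covered and should be reviewed separately; and a cloud-only account is one with OnPremisesSyncEnabled unset, so an account that merely had its OnPremisesImmutableId cleared is not sufficient if it is still in scope of the sync.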
Related links
- Entra admin center - Roles and administrators | All roles
- CISA 7.3 Highly Privileged User Access - MS.AAD.7.3v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.AAD.7.3 |
| Severity | High |
| Suite | CISA |
| Category | Entra ID Free |
| PowerShell test | Test-MtCisaCloudGlobalAdmin |
| Tags | CISA, CISA.MS.AAD.7.3, Entra ID Free, MS.AAD, MS.AAD.7.3 |
Source
- Pester test: tests/cisa/entra/Test-MtCisaCloudGlobalAdmin.Tests.ps1
- PowerShell source: powershell/public/cisa/entra/Test-MtCisaCloudGlobalAdmin.ps1