PA-02 | High | Recommended Secure
Use Dedicated Admin Accounts
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Administrative roles are assigned to dedicated admin accounts (e.g., admin-john@contoso.com)
2. Daily work accounts do not hold privileged role assignments
3. Admin accounts are cloud-only (not synced from on-premises AD)
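The criteria above can be checked mechanically against an export of accounts and their role assignments. The following Python is an added example, not TrueConfig's own code. It assumes an `admin-` naming prefix (taken from the example address above), a hypothetical list of roles treated as privileged, and constructed sample records that use the Microsoft Graph user property `onPremisesSyncEnabled`.

```python
# Added example: audit exported accounts against the expected state.
# Assumption: the roles this tenant treats as privileged (hypothetical selection).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "User Administrator"}
ADMIN_PREFIX = "admin-"  # assumption: naming convention for dedicated admin accounts

# Constructed sample data, not real tenant output.
# onPremisesSyncEnabled: True = synced from AD, False/None = not currently synced.
SAMPLE_ACCOUNTS = [
    {"userPrincipalName": "admin-john@contoso.com", "onPremisesSyncEnabled": None,
     "roles": ["Global Administrator"]},
    {"userPrincipalName": "john@contoso.com", "onPremisesSyncEnabled": True,
     "roles": []},
    {"userPrincipalName": "mary@contoso.com", "onPremisesSyncEnabled": True,
     "roles": ["Exchange Administrator"]},
    {"userPrincipalName": "admin-mary@contoso.com", "onPremisesSyncEnabled": True,
     "roles": ["Privileged Role Administrator"]},
    {"userPrincipalName": "admin-lee@contoso.com", "onPremisesSyncEnabled": False,
     "roles": ["User Administrator"]},
]

def is_dedicated_admin(upn):
    """True when the UPN follows the assumed admin naming convention."""
    return upn.lower().startswith(ADMIN_PREFIX)

def audit(accounts):
    """Return (upn, issue, privileged_roles_held) for each deviation."""
    findings = []
    for acct in accounts:
        upn = acct["userPrincipalName"]
        held = sorted(set(acct["roles"]) & PRIVILEGED_ROLES)
        # Criteria 1 and 2: privileged roles belong only on dedicated admin accounts.
        if held and not is_dedicated_admin(upn):
            findings.append((upn, "privileged role on daily work account", held))
        # Criterion 3: admin accounts must not be synced from on-premises AD.
        if is_dedicated_admin(upn) and acct.get("onPremisesSyncEnabled") is True:
            findings.append((upn, "admin account synced from on-premises AD", held))
    return findings

if __name__ == "__main__":
    for upn, issue, roles in audit(SAMPLE_ACCOUNTS):
        print(f"{upn}: {issue} {roles}")
```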
Enforcement
Default Mode: Advisory (alerts on deviations but does not make changes)
Auto-Remediation: Manual Only (requires organizational process change)
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.