PA-02: Use Dedicated Admin Accounts

Overview

This guide walks you through separating administrative privilege from everyday work by giving administrators dedicated admin accounts. Privileged roles are assigned only to these dedicated accounts, while daily-work accounts (email, browsing, Teams) carry no admin rights.

Why This Matters: When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.

Control ID: PA-02
Category: Privileged Access
Baseline Level: Level 1 (Recommended Secure)
Severity: High
License Required: None
Remediation: Advisory / manual (requires an organizational process change)

Expected State

  • Administrative roles are assigned to dedicated admin accounts (e.g., adm-john@contoso.com)
  • Daily work accounts do not hold privileged role assignments
  • Admin accounts are cloud-only (not synced from on-premises AD)

Prerequisites

Requirement      | Details
Role Required    | Global Administrator or Privileged Role Administrator
License Required | None
Access           | Microsoft Entra admin center
Process          | Buy-in for a two-account model for staff who perform admin work

Time Estimate

Initial rollout: 1-2 hours plus ongoing onboarding

  • Define naming convention: 15 minutes
  • Create dedicated admin accounts: 5-10 minutes per admin
  • Reassign roles and strip daily accounts: 10-15 minutes per admin
  • Documentation: 20 minutes

Why a Separate Admin Account

A single account used for both email and administration is a single point of compromise. If that account is phished, the attacker inherits every privileged role attached to it. Splitting the identity means:

  • Daily activity (email, web, documents) happens on an account with no privilege
  • Administration happens on a hardened, cloud-only account you can protect with device compliance, phishing-resistant MFA, and PIM
  • A compromise of the daily account does not hand over tenant control

Step-by-Step Instructions

Step 1: Define a Naming Convention

Pick a clear, consistent prefix so dedicated admin accounts are obvious in logs and reviews. Common patterns:

Pattern                | Example
adm-firstname.lastname | adm-john.doe@contoso.com
admin-firstname        | admin-john@contoso.com
a-firstname.lastname   | a-john.doe@contoso.com

Document the chosen convention so every future admin account follows it.

Step 2: Create Dedicated Admin Accounts (Cloud-Only)

For each person who performs administrative work:

  1. Navigate to entra.microsoft.com
  2. Go to Identity > Users > All users
  3. Click + New user > Create new user
  4. Configure the account:
     Field               | Recommended Value
     User principal name | Follows your convention (e.g., adm-john.doe@contoso.com)
     Display name        | ADM - John Doe (clearly identifiable)
     Password            | Strong, unique password (16+ characters)
     Account enabled     | Yes

Critical: Create these accounts cloud-only in Entra ID. Do not sync them from on-premises Active Directory. An on-premises compromise should not reach your cloud admin accounts.

  5. Leave properties like department and job title empty
  6. Click Review + create > Create

Step 3: Assign Roles to the Dedicated Admin Account

  1. Go to Identity > Roles & administrators > Roles
  2. Select the privileged role the person needs (for example User Administrator, Exchange Administrator, or Global Administrator)
  3. Click + Add assignments
  4. Select the dedicated admin account (never the daily-work account)
  5. Assign the role

Grant only the roles the person actually needs. Combine this with just-in-time activation where possible (see PA-04 below).

Step 4: Remove Privileged Roles from Daily-Work Accounts

Now strip administrative roles from each person's everyday account:

  1. Go to Identity > Users > All users
  2. Open the person's daily-work account (e.g., john.doe@contoso.com)
  3. Click Assigned roles
  4. Remove every privileged role assignment
  5. Confirm the daily account holds no directory roles

The daily account should now be an ordinary user with no admin capability.

Step 5: Document Admin Account Ownership

Maintain a register so every dedicated admin account is accountable:

DEDICATED ADMIN ACCOUNT REGISTER
================================
Admin Account            | Owner        | Roles                    | Created
adm-john.doe@contoso.com | John Doe     | User Administrator       | 2026-07-01
adm-jane.roe@contoso.com | Jane Roe     | Exchange Administrator   | 2026-07-01

Verification Checklist

  • Every administrator has a dedicated admin account following the naming convention
  • Privileged roles are assigned only to dedicated admin accounts
  • Daily-work accounts hold no privileged role assignments
  • All dedicated admin accounts are cloud-only (not synced from on-premises AD)
  • Admin account ownership is documented
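One way to check the first four items of this checklist against the tenant, as an added example that is not part of this guide: it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that "adm-" is the prefix chosen in Step 1 (adjust to your convention), and that the signed-in account can read directory roles and users.

```powershell
# Added example (not from the PA-02 guide): audit active directory role
# assignments against the PA-02 expected state.
# Assumptions: Microsoft.Graph module installed; 'adm-' is the Step 1 prefix.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All' | Out-Null

$AdminPrefix = 'adm-'   # naming convention chosen in Step 1
$findings = @()

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is exactly the set that can currently hold members.
foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # This control is about user accounts; skip groups and service principals
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName','onPremisesSyncEnabled'
        $upn  = $user.UserPrincipalName

        # Check 1: a role holder should be a dedicated admin account (naming convention)
        if (-not $upn.StartsWith($AdminPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += [pscustomobject]@{
                Role = $role.DisplayName; Account = $upn
                Issue = 'Role held by an account outside the admin naming convention (daily-work account?)'
            }
        }
        # Check 2: privileged accounts must be cloud-only.
        # onPremisesSyncEnabled is $true only for accounts synced from on-premises AD.
        if ($user.OnPremisesSyncEnabled -eq $true) {
            $findings += [pscustomobject]@{
                Role = $role.DisplayName; Account = $upn
                Issue = 'Privileged account is synced from on-premises AD'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'PA-02: no findings. Every role holder follows the convention and is cloud-only.'
} else {
    $findings | Sort-Object Role, Account | Format-Table -AutoSize
}
```

The script only sees active role assignments; PIM eligible assignments (PA-04) are not returned by Get-MgDirectoryRoleMember and need a separate review.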

Troubleshooting

"Admins find switching accounts inconvenient"

This friction is intentional and small compared with the blast radius of a compromised combined account. Encourage a separate browser profile for admin work, and pair the admin account with SSO-friendly controls. The convenience cost is minutes; the security benefit is containment of a full-tenant compromise.

"Some admin accounts are synced from on-premises AD"

Recreate them as cloud-only accounts in Entra ID, reassign the roles to the new cloud-only account, and remove the roles from the synced account. On-premises identities should not carry cloud administrative privilege.

"A daily account still needs occasional admin access"

It should not. Route that person's admin work through their dedicated admin account. If they only need a narrow capability occasionally, assign a least-privilege role to the admin account and consider just-in-time activation via PIM (PA-04).

Cost Considerations

Component                | Cost Impact
Dedicated admin accounts | Free - separate accounts used only for administration do not need paid M365 app licenses
This control             | Free - uses the built-in Microsoft Entra admin center

Dedicated admin accounts typically need no productivity licenses because they are not used for email or Office apps.

Related Controls

Additional Resources