PA-02: Use Dedicated Admin Accounts
Overview
This guide walks you through separating administrative privilege from everyday work by giving administrators dedicated admin accounts. Privileged roles are assigned only to these dedicated accounts, while daily-work accounts (email, browsing, Teams) carry no admin rights.
Why This Matters: When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.
| Attribute | Value |
|---|---|
| Control ID | PA-02 |
| Category | Privileged Access |
| Baseline Level | Level 1 (Recommended Secure) |
| Severity | High |
| License Required | None |
| Remediation | Advisory / manual (requires an organizational process change) |
Expected State
- Administrative roles are assigned to dedicated admin accounts (e.g., adm-john@contoso.com)
- Daily work accounts do not hold privileged role assignments
- Admin accounts are cloud-only (not synced from on-premises AD)
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Global Administrator or Privileged Role Administrator |
| License Required | None |
| Access | Microsoft Entra admin center |
| Process | Buy-in for a two-account model for staff who perform admin work |
Time Estimate
Initial rollout: 1-2 hours plus ongoing onboarding
- Define naming convention: 15 minutes
- Create dedicated admin accounts: 5-10 minutes per admin
- Reassign roles and strip daily accounts: 10-15 minutes per admin
- Documentation: 20 minutes
Why a Separate Admin Account
A single account used for both email and administration is a single point of compromise. If that account is phished, the attacker inherits every privileged role attached to it. Splitting the identity means:
- Daily activity (email, web, documents) happens on an account with no privilege
- Administration happens on a hardened, cloud-only account you can protect with device compliance, phishing-resistant MFA, and PIM
- A compromise of the daily account does not hand over tenant control
Step-by-Step Instructions
Step 1: Define a Naming Convention
Pick a clear, consistent prefix so dedicated admin accounts are obvious in logs and reviews. Common patterns:
| Pattern | Example |
|---|---|
| adm-firstname.lastname | adm-john.doe@contoso.com |
| admin-firstname | admin-john@contoso.com |
| a-firstname.lastname | a-john.doe@contoso.com |
Document the chosen convention so every future admin account follows it.
Step 2: Create Dedicated Admin Accounts (Cloud-Only)
For each person who performs administrative work:
- Navigate to entra.microsoft.com
- Go to Identity > Users > All users
- Click + New user > Create new user
- Configure the account:
| Field | Recommended Value |
|---|---|
| User principal name | Follows your convention (e.g., adm-john.doe@contoso.com) |
| Display name | ADM - John Doe (clearly identifiable) |
| Password | Strong, unique password (16+ characters) |
| Account enabled | Yes |
Critical: Create these accounts cloud-only in Entra ID. Do not sync them from on-premises Active Directory. An on-premises compromise should not reach your cloud admin accounts.
- Leave properties like department and job title empty
- Click Review + create > Create
Step 3: Assign Roles to the Dedicated Admin Account
- Go to Identity > Roles & administrators > Roles
- Select the privileged role the person needs (for example User Administrator, Exchange Administrator, or Global Administrator)
- Click + Add assignments
- Select the dedicated admin account (never the daily-work account)
- Assign the role
Grant only the roles the person actually needs. Combine this with just-in-time activation where possible (see PA-04 below).
Step 4: Remove Privileged Roles from Daily-Work Accounts
Now strip administrative roles from each person's everyday account:
- Go to Identity > Users > All users
- Open the person's daily-work account (e.g., john.doe@contoso.com)
- Click Assigned roles
- Remove every privileged role assignment
- Confirm the daily account holds no directory roles
The daily account should now be an ordinary user with no admin capability.
Step 5: Document Admin Account Ownership
Maintain a register so every dedicated admin account is accountable:
Dedicated Admin Account Register
| Admin Account | Owner | Roles | Created |
|---|---|---|---|
| adm-john.doe@contoso.com | John Doe | User Administrator | 2026-07-01 |
| adm-jane.roe@contoso.com | Jane Roe | Exchange Administrator | 2026-07-01 |
Verification Checklist
- Every administrator has a dedicated admin account following the naming convention
- Privileged roles are assigned only to dedicated admin accounts
- Daily-work accounts hold no privileged role assignments
- All dedicated admin accounts are cloud-only (not synced from on-premises AD)
- Admin account ownership is documented
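The checklist above can be verified with a script instead of by clicking through every role. The following PowerShell is an added example, not part of this guide or of Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK is installed and that the naming convention from Step 1 uses the `adm-` prefix (change `$AdminPrefix` if you chose another pattern). It walks every activated directory role, and flags any user holding a role whose UPN does not match the convention or whose account is synced from on-premises AD.

```powershell
# Added PA-02 audit script (example, not from the original guide).
# Assumes: Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users
# modules are installed, and dedicated admin UPNs start with $AdminPrefix.
param(
    [string]$AdminPrefix = 'adm-'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$findings = @()

# Get-MgDirectoryRole returns the roles activated in the tenant, i.e. the set
# that can carry active (non-PIM-eligible) assignments today.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members may be users, groups or service principals; only users are in scope here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName,displayName,onPremisesSyncEnabled'
        $upn  = $user.UserPrincipalName

        # Checklist item: privileged roles only on accounts following the naming convention.
        if ($upn -notlike "$AdminPrefix*") {
            $findings += [pscustomobject]@{
                Role    = $role.DisplayName
                Account = $upn
                Issue   = 'Role held by an account outside the admin naming convention (likely a daily-work account)'
            }
        }

        # Checklist item: admin accounts are cloud-only. OnPremisesSyncEnabled is
        # $null or $false for cloud-only accounts and $true for synced ones.
        if ($user.OnPremisesSyncEnabled -eq $true) {
            $findings += [pscustomobject]@{
                Role    = $role.DisplayName
                Account = $upn
                Issue   = 'Privileged account is synced from on-premises AD'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'PA-02 check passed: every active role assignment is on a cloud-only account matching the convention.'
} else {
    $findings | Sort-Object Role, Account | Format-Table -AutoSize
}
```

The script reports active assignments only; PIM-eligible assignments (PA-04) and roles granted through group membership need a separate review.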
Troubleshooting
"Admins find switching accounts inconvenient"
This friction is intentional and small compared with the blast radius of a compromised combined account. Encourage a separate browser profile for admin work, and pair the admin account with SSO-friendly controls. The convenience cost is minutes; the security benefit is containment of a full-tenant compromise.
"Some admin accounts are synced from on-premises AD"
Recreate them as cloud-only accounts in Entra ID, reassign the roles to the new cloud-only account, and remove the roles from the synced account. On-premises identities should not carry cloud administrative privilege.
"A daily account still needs occasional admin access"
It should not. Route that person's admin work through their dedicated admin account. If they only need a narrow capability occasionally, assign a least-privilege role to the admin account and consider just-in-time activation via PIM (PA-04).
Cost Considerations
| Component | Cost Impact |
|---|---|
| Dedicated admin accounts | Free - separate accounts used only for administration do not need paid M365 app licenses |
| This control | Free - uses the built-in Microsoft Entra admin center |
Dedicated admin accounts typically need no productivity licenses because they are not used for email or Office apps.
Related Controls
- PA-01: Limit Global Administrators to 2-4 - Right-size how many admins exist before assigning dedicated accounts
- PA-03: Configure Emergency Access Accounts - Break-glass accounts are a special case of dedicated, cloud-only admin accounts
- PA-04: Require PIM for All Privileged Roles - Add just-in-time activation on top of dedicated accounts
- DV-02: Require Compliant Devices for Global Admins - Dedicated admin accounts make device requirements practical to enforce