CA-06: Restrict Admin Access to Privileged Access Workstations

Frequently asked questions about implementing and managing the CA-06 security control in Microsoft 365 and Entra ID.

Q
What is CA-06 (Restrict Admin Access to Privileged Access Workstations)?
A

CA-06 is a security control that restricts administrative portal access to Privileged Access Workstations (PAWs), which are hardened devices dedicated to admin tasks. By restricting admin portals to PAWs, you prevent credential theft from compromised daily-use devices. It requires that administrative portal access is restricted to designated PAW devices, that PAW devices have enhanced security controls (Credential Guard, AppLocker), and that break-glass procedures exist for PAW unavailability.

Related controls: CA-06
Q
Why is Restrict Admin Access to Privileged Access Workstations important for Microsoft 365 security?
A

Privileged Access Workstations (PAWs) are hardened devices dedicated to admin tasks. By restricting admin portals to PAWs, you prevent credential theft from compromised daily-use devices.

Related controls: CA-06
Q
How do I implement CA-06 in my tenant?
A

CA-06 requires manual implementation. It depends on dedicated PAW infrastructure and device filters.

Related controls: CA-06
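An added example, not part of the original FAQ: a check over a Conditional Access policy, in the shape Microsoft Graph exports it, that verifies the device-filter setup and break-glass exclusion this control calls for. The sample policy, the `extensionAttribute1 -eq "PAW"` tagging rule and the break-glass object ID are assumptions constructed for illustration.

```python
# Audit one exported Conditional Access policy against the CA-06 shape:
# block admin roles on admin portals unless the device matches the PAW filter.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000001"     # placeholder object ID (assumption)

# Constructed sample policy; the PAW tagging convention is an assumption.
SAMPLE_POLICY = {
    "displayName": "CA-06 Block admin portals from non-PAW devices",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                  "excludeUsers": [BREAK_GLASS_ID]},
        "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
        "devices": {"deviceFilter": {
            "mode": "exclude",  # devices matching the rule are exempt from the block
            "rule": 'device.extensionAttribute1 -eq "PAW"'}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def audit_ca06(policy, break_glass_ids):
    """Return a list of findings; an empty list means the policy fits CA-06."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if policy.get("state") != "enabled":
        findings.append("policy not enforced (state=%s)" % policy.get("state"))
    if not users.get("includeRoles"):
        findings.append("no admin roles targeted")
    apps = set((cond.get("applications") or {}).get("includeApplications", []))
    if not apps & {"MicrosoftAdminPortals", "All"}:
        findings.append("admin portals not in scope")
    flt = (cond.get("devices") or {}).get("deviceFilter") or {}
    if flt.get("mode") != "exclude" or not flt.get("rule"):
        findings.append("no device filter exempting PAW devices")
    if "block" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        findings.append("grant control is not block")
    missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
    if missing:
        findings.append("break-glass accounts not excluded: %s" % sorted(missing))
    return findings

if __name__ == "__main__":
    print(audit_ca06(SAMPLE_POLICY, [BREAK_GLASS_ID]) or "policy matches CA-06 shape")
```

A policy left in report-only state or missing the break-glass exclusion comes back with a finding, which are the two gaps most likely to go unnoticed after rollout.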
Q
What license do I need for CA-06?
A

This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.

Related controls: CA-06
Q
Which security baseline includes CA-06?
A

CA-06 is included in the Maximum Security baseline (Level 3). This level is designed for high-security environments and regulated industries.

Related controls: CA-06
