PA-02: Use Dedicated Admin Accounts

Frequently asked questions about implementing and managing the PA-02 security control in Microsoft 365 and Entra ID.

Q
What is PA-02 (Use Dedicated Admin Accounts)?
A

PA-02 is a security control built on the principle that when an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements. The control requires that administrative roles are assigned to dedicated admin accounts (e.g., admin-john@contoso.com), that daily work accounts do not hold privileged role assignments, and that admin accounts are cloud-only (not synced from on-premises AD).

Related controls: PA-02
Q
Why is Use Dedicated Admin Accounts important for Microsoft 365 security?
A

When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.

Q
How do I implement PA-02 in my tenant?
A

PA-02 requires manual implementation and an organizational process change.
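
To find the accounts the process change has to cover, the following added example (not TrueConfig's or Microsoft's code) audits privileged role holders against the PA-02 requirements. It assumes dedicated admin accounts use the `admin-` prefix from the example above, and runs on constructed records shaped like Microsoft Graph user objects with a hypothetical `roles` field merged in from a role membership export.

```python
"""Audit privileged role holders against PA-02 (added example, constructed data)."""

# Assumption: dedicated admin accounts follow the "admin-" UPN prefix used in
# the page's example (admin-john@contoso.com). Adjust to your own convention.
ADMIN_PREFIX = "admin-"

# Constructed sample: one record per user, shaped like a Microsoft Graph user
# object (userPrincipalName, onPremisesSyncEnabled). "roles" is a hypothetical
# field holding the directory roles merged in from a role membership export.
SAMPLE_USERS = [
    {"userPrincipalName": "admin-john@contoso.com", "onPremisesSyncEnabled": None,
     "roles": ["Global Administrator"]},
    {"userPrincipalName": "john@contoso.com", "onPremisesSyncEnabled": True,
     "roles": []},
    {"userPrincipalName": "maria@contoso.com", "onPremisesSyncEnabled": True,
     "roles": ["Exchange Administrator"]},
    {"userPrincipalName": "admin-lee@contoso.com", "onPremisesSyncEnabled": True,
     "roles": ["User Administrator"]},
]


def is_dedicated_admin(upn):
    """True when the UPN matches the assumed dedicated-admin naming convention."""
    return upn.lower().startswith(ADMIN_PREFIX)


def audit_pa02(users):
    """Return (upn, finding) tuples for every PA-02 violation in the export."""
    findings = []
    for user in users:
        upn = user["userPrincipalName"]
        roles = user.get("roles") or []
        dedicated = is_dedicated_admin(upn)
        # Requirement: daily work accounts hold no privileged role assignments.
        if roles and not dedicated:
            findings.append(
                (upn, "daily work account holds privileged role: " + ", ".join(sorted(roles))))
        # Requirement: admin accounts are cloud-only. Graph reports
        # onPremisesSyncEnabled as true only for directory-synced users.
        if dedicated and user.get("onPremisesSyncEnabled") is True:
            findings.append((upn, "admin account is synced from on-premises AD"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit_pa02(SAMPLE_USERS):
        print(f"{upn}: {finding}")
```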

Q
What license do I need for PA-02?
A

This control can be implemented with any Microsoft 365 subscription, including free Azure AD.

Q
Which security baseline includes PA-02?
A

PA-02 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
