How to Fix: Use Dedicated Admin Accounts
Step-by-step guide to implement use dedicated admin accounts in your Microsoft 365 environment.
Free baseline scan · No credit card · 5 minute setup
20-30 minutes
Estimated Time
4
Steps
high
Severity
Recommended Secure
Baseline Level
Why This Matters
When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Privileged Role Administrator role
Expected Configuration
- Administrative roles are assigned to dedicated admin accounts (e.g., admin-john@contoso.com)
- Daily work accounts do not hold privileged role assignments
- Admin accounts are cloud-only (not synced from on-premises AD)
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Roles and administrators
- •Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- •Identify users with excessive privileges
- •Document required role assignments
- •Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- •Configure PIM if applicable
- •Update role assignments
- •Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- •Run a TrueConfig scan to verify compliance
- •Test user access with affected accounts
- •Document the changes made
Related Resources
Automate Your Security Configuration
TrueConfig scans your Microsoft 365 environment on a schedule you control and, with safety gates, can fix configuration drift automatically. Start your free trial today.
Start Free Trial