How to Fix: Use Dedicated Admin Accounts
Step-by-step guide to implement use dedicated admin accounts in your Microsoft 365 environment.
20-30 minutes
Estimated Time
4
Steps
high
Severity
Recommended Secure
Baseline Level
Why This Matters
When an attacker compromises a daily work account through phishing or malware, they should not gain admin access. Dedicated admin accounts limit blast radius and enable stricter controls like device requirements.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
- 3Privileged Role Administrator role
Expected Configuration
- Administrative roles are assigned to dedicated admin accounts (e.g., admin-john@contoso.com)
- Daily work accounts do not hold privileged role assignments
- Admin accounts are cloud-only (not synced from on-premises AD)
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- •Navigate to Microsoft Entra admin center
- •Go to Identity > Roles and administrators
- •Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- •Identify users with excessive privileges
- •Document required role assignments
- •Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- •Configure PIM if applicable
- •Update role assignments
- •Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- •Run a TrueConfig scan to verify compliance
- •Test user access with affected accounts
- •Document the changes made
Related Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial