Microsoft tiered model - how do we deal with end user applications which require AD authentication?

peter siffredi 41 Reputation points
2023-10-03T16:11:57.31+00:00

Hello,

We're implementing Microsoft's tiered security model based on T0, T1 and T2 security levels.

https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

Typically this model is for administrative access to infrastructure, however we have had audit requests for implementation for RBAC for end user applications that are AD integrated. We're considering giving end users T1 accounts or potentially T3 accounts so that they can perform admin tasks within specific applications\systems (e.g. the HR database or customer CRM portal).

What's the recommended organisational approach for this?

Creating T1 accounts for end users poses some challenges around being able to delegate ownership of account creation and password resets, hence we're considering creating T3 accounts so we can delegate account ownership to the service desk.

I'm looking for some advice on how real world best practices work.

Thanks

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,277 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,989 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,745 questions
0 comments No comments
{count} votes