Microsoft tiered model - how do we deal with end user applications which require AD authentication?

peter siffredi 41 Reputation points
2023-10-03T16:11:57.31+00:00

Hello,

We're implementing Microsoft's tiered security model based on T0, T1 and T2 security levels.

https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

Typically this model is for administrative access to infrastructure, however we have had audit requests for implementation for RBAC for end user applications that are AD integrated. We're considering giving end users T1 accounts or potentially T3 accounts so that they can perform admin tasks within specific applications/systems (e.g. the HR database or customer CRM portal).

What's the recommended organisational approach for this?

Creating T1 accounts for end users poses some challenges around being able to delegate ownership of account creation and password resets, hence we're considering creating T3 accounts so we can delegate account ownership to the service desk.

I'm looking for some advice on how real world best practices work.

Thanks
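
Added example, not code from the original question or from Microsoft's tier-model documentation: one way to implement the delegation the question describes, in PowerShell with the ActiveDirectory module. It puts the application-admin ("T3") accounts in their own OU and grants a service-desk group only the rights it needs there: create/delete user objects, the Reset Password control access right, and write to pwdLastSet (for "must change password at next logon"). The domain layout, the OU name `T3-AppAdmins`, the group name `SD-T3-AccountOperators` and the short list of tier-0 groups in the sanity check are all assumptions for illustration; the three GUIDs are the well-known schema/rights GUIDs for the `user` class, the Reset Password right and the pwdLastSet attribute.

```powershell
# Added example (not from the original post): delegate account creation and
# password resets for a T3 application-admin OU to a service-desk group.
# OU path, group name and the tier-0 group list below are assumptions.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$parentDn   = "OU=Accounts,$domainDn"            # assumed parent OU
$ouName     = "T3-AppAdmins"                     # assumed OU for T3 accounts
$ouDn       = "OU=$ouName,$parentDn"
$delegateTo = "SD-T3-AccountOperators"           # assumed service-desk group

# 1. Make sure the OU exists and is protected from accidental deletion.
try {
    Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop | Out-Null
} catch {
    New-ADOrganizationalUnit -Name $ouName -Path $parentDn `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Refuse to delegate to a group that is itself tier 0. Illustrative only:
#    the list is a placeholder and only direct group membership is checked.
$tier0Groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
$group = Get-ADGroup -Identity $delegateTo -Properties MemberOf
$t0Overlap = @($group.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
               Where-Object { $tier0Groups -contains $_ })
if ($t0Overlap.Count -gt 0 -or $tier0Groups -contains $group.Name) {
    throw "Refusing to delegate: $delegateTo is or is nested in a tier-0 group ($($t0Overlap -join ', '))"
}

# 3. Build the ACEs. GUIDs: schemaIDGUID of 'user', rightsGuid of the
#    'Reset Password' control access right, schemaIDGUID of pwdLastSet.
$sid           = $group.SID
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"
$allow         = [System.Security.AccessControl.AccessControlType]::Allow
$descendents   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all           = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rules = @(
    # Create and delete user objects in the OU and any sub-OUs.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
        $allow, $userClass, $all),
    # 'Reset Password' on user objects below the OU, not on the OU itself.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPassword, $descendents, $userClass),
    # Write pwdLastSet so the desk can force a password change at next logon.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $pwdLastSet, $descendents, $userClass)
)

# 4. Apply the ACEs through the AD: drive and read back what was granted.
$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$delegateTo" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two things this delegation does not do on its own. It does not stop a T3 account from logging on to tier-0 or tier-1 hosts; that still has to come from the "Deny log on" user rights in the tier GPOs, which is what keeps a compromised T3 credential from reaching higher tiers. And it only works as a separation if the T3 OU sits outside every OU that tier-0 delegations already cover, so the read-back at the end is worth repeating after any later delegation change.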
