Microsoft tiered model - how do we deal with end user applications which require AD authentication?
Hello,
We're implementing Microsoft's tiered security model based on T0, T1 and T2 security levels.
Typically this model is for administrative access to infrastructure; however, we have had audit requests to implement RBAC for end user applications that are AD integrated. We're considering giving end users T1 accounts or potentially T3 accounts so that they can perform admin tasks within specific applications/systems (e.g. the HR database or customer CRM portal).
What's the recommended organisational approach for this?
Creating T1 accounts for end users poses some challenges around being able to delegate ownership of account creation and password resets, hence we're considering creating T3 accounts so we can delegate account ownership to the service desk.
I'm looking for some advice on how real-world best practices work.
Thanks