Privileged Access requirement of Cloud administrator vs O365 accounts

rkum 81 Reputation points
2022-09-02T08:19:20.337+00:00

I'm looking for the best security practice for using cloud admin accounts. We have privileged users as subscription owners and contributors at the subscription, resource group and resource levels. Other privileged RBAC roles are Key Vault, storage account, SQL PaaS service and Azure Data Factory contributors.

To what level in the scope is a cloud admin account required to manage all the privileged access? Is it safe to assign privileged access to O365 accounts? On the other side, we need to create more than 5 admin accounts, which is more than the Microsoft recommended (5 roles).

We don't have privileged access management implemented yet, so we have to rely on the security of the cloud admin account, which is MFA and continuous monitoring of admin activities.

Any advice or recommendations are highly appreciated.

Ref - https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning

Ensure separate user accounts and mail forwarding for Global Administrator accounts
Personal email accounts are regularly phished by cyber attackers, a risk that makes personal email addresses unacceptable for Global Administrator accounts. To help separate internet risks from administrative privileges, create dedicated accounts for each user with administrative privileges.

Be sure to create separate accounts for users to do Global Administrator tasks.
Make sure that your Global Administrators don't accidentally open emails or run programs with their administrator accounts.
Be sure those accounts have their email forwarded to a working mailbox.
Global Administrator (and other privileged groups) accounts should be cloud-only accounts with no ties to on-premises Active Directory.


Microsoft Entra

Accepted answer
JimmySalian-2011 41,916 Reputation points
    2022-09-02T08:46:10.313+00:00

    Hi,

There are a lot of requirements and restrictions in your list for the admin accounts. I would definitely go for a PIM solution if you want control and to implement all the listed items, as that way you can manage some of the requirements.

    Delegation
    RBAC Roles
    Conditional Access Policies
    Azure AD role assignments and delegate the role assignment Process
Emergency account for backup if you are restricting to 5 or fewer accounts - security-emergency-access

The URL you have listed covers all the security aspects of the environment, so I would definitely follow that to start with; also check the links - my-staff-configure and best-practices

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

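A practical way to check the practices discussed in the question and the answer (privileged RBAC roles on dedicated cloud-only accounts rather than synced O365 accounts, awareness of the scope level each assignment grants, Global Administrator count against the recommended limit of 5) is to export the tenant's role assignments and users and audit them offline. The script below is an added example written for this page; it is not code from the asker, the answerer, or Microsoft. It assumes the input field names match the JSON that `az role assignment list --all` and `az ad user list` emit (`principalName`, `principalType`, `roleDefinitionName`, `scope`, `userPrincipalName`, `onPremisesSyncEnabled`), and all sample data is constructed. It cannot check PIM eligibility or Conditional Access exclusions for the emergency account; those still need the live tenant.

```python
"""Offline audit of Azure privileged role assignments.

Checks, per privileged RBAC assignment: the scope level it grants, and whether
the holder is a cloud-only account (onPremisesSyncEnabled null/false) or an
on-premises-synced everyday account. Also counts Global Administrators against
the recommended limit. Field names are assumed to match az CLI JSON output;
all sample data below is constructed.
"""

# Privileged RBAC roles named in the question (assumed list; extend as needed)
PRIVILEGED_RBAC_ROLES = {
    "Owner", "Contributor", "User Access Administrator",
    "Key Vault Administrator", "Storage Account Contributor",
    "SQL DB Contributor", "Data Factory Contributor",
}
GLOBAL_ADMIN_LIMIT = 5  # Microsoft's recommended ceiling for Global Administrators

# Constructed sample in the shape of `az ad user list -o json` (subset of fields).
# Graph returns null, not false, for accounts that were never synced.
USERS = [
    {"userPrincipalName": "alice@contoso.com", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "adm-alice@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "bob@contoso.com", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com", "onPremisesSyncEnabled": None},
]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID

# Constructed sample in the shape of `az role assignment list --all -o json`
ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "adm-alice@contoso.onmicrosoft.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "adf-mi", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Data Factory Contributor", "scope": SUB + "/resourceGroups/rg-data"},
]

# Constructed sample: UPNs holding the Global Administrator directory role
GLOBAL_ADMINS = [
    "adm-alice@contoso.onmicrosoft.com",
    "breakglass1@contoso.onmicrosoft.com",
    "bob@contoso.com",
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: root, managementGroup, subscription,
    resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if "providers" in parts[2:]:        # /subscriptions/x/resourceGroups/y/providers/...
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"


def is_cloud_only(user: dict) -> bool:
    return not user.get("onPremisesSyncEnabled")


def audit_assignments(assignments, users):
    """Return (principal, role, scope level, verdict) for every privileged
    RBAC assignment. Verdicts: ok, synced-account, unknown-principal,
    workload-identity (non-user principals are listed, not flagged)."""
    by_upn = {u["userPrincipalName"].lower(): u for u in users}
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in PRIVILEGED_RBAC_ROLES:
            continue
        name, level = a["principalName"], scope_level(a["scope"])
        if a["principalType"] != "User":
            findings.append((name, role, level, "workload-identity"))
            continue
        user = by_upn.get(name.lower())
        if user is None:
            findings.append((name, role, level, "unknown-principal"))
        elif not is_cloud_only(user):
            findings.append((name, role, level, "synced-account"))
        else:
            findings.append((name, role, level, "ok"))
    return findings


def global_admin_check(global_admins, users, limit=GLOBAL_ADMIN_LIMIT):
    """Count Global Administrators and list those that are synced from on-prem."""
    by_upn = {u["userPrincipalName"].lower(): u for u in users}
    synced = [g for g in global_admins
              if by_upn.get(g.lower(), {}).get("onPremisesSyncEnabled")]
    return {"count": len(global_admins),
            "over_limit": len(global_admins) > limit,
            "synced": synced}


if __name__ == "__main__":
    for principal, role, level, verdict in audit_assignments(ASSIGNMENTS, USERS):
        print(f"{verdict:18} {role:28} {level:14} {principal}")
    print(global_admin_check(GLOBAL_ADMINS, USERS))
```

On the constructed data this flags alice's subscription-level Owner and bob's Key Vault Administrator as privileged roles held by synced everyday accounts, accepts adm-alice's dedicated cloud-only account, and reports three Global Administrators (within the limit) of which bob is synced. Replace the constructed lists with the real exports (`az role assignment list --all -o json`, `az ad user list -o json`) to run it against a tenant.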
