Control: 1.1.1 Ensure Administrative accounts are cloud-only
Description
Administrative accounts are special privileged accounts that can have varying levels of access to data, users, and settings. Regular user accounts should never be used for administrative tasks, and in a hybrid environment care should be taken to keep administrative accounts separate from on-premises accounts. Administrative accounts should have no applications assigned, so that they have no access to potentially vulnerable services (e.g. email, Teams, SharePoint) and can only perform the tasks needed for administrative purposes.
Ensure administrative accounts are not on-premises sync enabled.
Remediation
Remediation requires first identifying the privileged accounts that are synced from on-premises and then creating a new cloud-only account for each such user. Once the replacement account is established, the hybrid account should have its role reduced to that of a non-privileged user, or be removed, depending on the need.
Default Value
N/A
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_1_1_1 --share
SQL
This control uses a named query:
with role_members as (
  select distinct
    jsonb_array_elements_text(member_ids) as member_id,
    title as role_title
  from azuread_directory_role
  where title like '%Administrator%'
    or title = 'Global Reader'
)
select
  u.user_principal_name as resource,
  case
    when u.on_premises_sync_enabled then 'alarm'
    else 'ok'
  end as status,
  case
    when u.on_premises_sync_enabled then u.display_name || ' is ' || rm.role_title || ' and has on-premises sync enabled.'
    else u.display_name || ' is ' || rm.role_title || ' and on-premises sync is disabled.'
  end as reason
from role_members rm
join azuread_user u on u.id = rm.member_id;
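As an added illustration (not part of the mod's own code), the same evaluation logic in Python over constructed sample rows shaped like the azuread_directory_role and azuread_user tables the query reads. It makes two behaviours of the query explicit: a NULL on_premises_sync_enabled (typical for cloud-only users) is reported as 'ok', and role members that are not users (groups, service principals) are dropped by the inner join.

```python
# Constructed sample data, not real tenant data. Shape follows the Steampipe
# azuread_directory_role (title, member_ids) and azuread_user columns used above.
DIRECTORY_ROLES = [
    {"title": "Global Administrator", "member_ids": ["u1", "u2", "sp1"]},
    {"title": "Global Reader", "member_ids": ["u3"]},
    {"title": "Directory Readers", "member_ids": ["u1", "u4"]},  # not in scope
]
USERS = [
    {"id": "u1", "user_principal_name": "alice@example.com",
     "display_name": "Alice", "on_premises_sync_enabled": True},
    {"id": "u2", "user_principal_name": "bob.admin@example.com",
     "display_name": "Bob (admin)", "on_premises_sync_enabled": None},  # cloud-only
    {"id": "u3", "user_principal_name": "carol@example.com",
     "display_name": "Carol", "on_premises_sync_enabled": False},
    {"id": "u4", "user_principal_name": "dave@example.com",
     "display_name": "Dave", "on_premises_sync_enabled": True},  # synced, not privileged
]


def is_privileged_role(title):
    # Mirrors: title like '%Administrator%' or title = 'Global Reader'
    return "Administrator" in title or title == "Global Reader"


def evaluate_control(roles, users):
    """Return one finding per (privileged role, user member), like the query's rows."""
    users_by_id = {u["id"]: u for u in users}
    findings = []
    for role in roles:
        if not is_privileged_role(role["title"]):
            continue
        for member_id in sorted(set(role["member_ids"])):  # select distinct
            user = users_by_id.get(member_id)
            if user is None:
                continue  # inner join on azuread_user drops non-user members
            synced = user["on_premises_sync_enabled"] is True  # NULL -> not synced
            findings.append({
                "resource": user["user_principal_name"],
                "status": "alarm" if synced else "ok",
                "reason": f"{user['display_name']} is {role['title']} and "
                          + ("has on-premises sync enabled." if synced
                             else "on-premises sync is disabled."),
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate_control(DIRECTORY_ROLES, USERS):
        print(finding["status"], finding["resource"], finding["reason"])
```

Dave is synced but holds no in-scope role, so this control never reports him; a separate check is needed if you also want non-privileged synced accounts listed.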