Learn about synced admin accounts and how to mitigate the risk.
When privileged admin accounts are synced with admin or regular accounts across Microsoft Entra ID and Active Directory, it can create a potential security loophole. An attacker who gains unauthorized access to one of the synced accounts can then more easily access the other, which may enable the attacker to access critical systems and perform malicious activities. Syncing admin accounts with personal Microsoft accounts is a particularly risky configuration.
Best practices:
- Do not sync highly-authorized Microsoft Entra ID or Active Directory admin accounts with admin or non-admin accounts. Microsoft Entra ID admins who must conduct on-premises administrative tasks should use separate non-synced Active Directory accounts. For more information, see Microsoft's guidance on securing on-premises Active Directory accounts.
- Configure separate accounts for administrative functions that are distinct from user accounts.
- Do not permit the sharing of accounts between users.
- Use only cloud native accounts for Microsoft Entra ID roles. Avoid using on-premises synced accounts for Microsoft Entra ID role assignments.
- Use Microsoft Entra ID Connect Sync to control the accounts that are synchronized from your on-premises directory to Microsoft Entra ID to reduce the number of synced admin accounts. For more information, see Microsoft's guide on configuring Connect Sync.