🛡️ Essential 8 Guide

Privileged users use separate privileged and unprivileged operating environments

Summary

Deploy a Conditional Access policy that blocks cloud administrators unless they are from a trusted known IP address range, enforcing separation of privileged administration from untrusted networks. This approach reduces the attack surface by ensuring privileged access is only possible from approved, monitored environments and supports MFA/device-compliance requirements for privileged tasks.¹²

Privileged Identity Management (PIM) complements the separation of environments by eliminating permanently active privileged role assignments. Roles are granted as eligible only, activated on demand with a maximum duration (e.g., 1 hour), and optionally require approval. This enforces just-in-time (JIT) privileged access from the dedicated privileged environment.³

Emergency (break-glass) accounts must be maintained as cloud-only Global Administrator accounts excluded from all Conditional Access policies. Two accounts should exist, each protected by a different FIDO2 hardware security key, with sign-in alerts configured in Entra ID to trigger an alert on any break-glass sign-in.¹

Design Decision

[!NOTE] The Conditional Access Policy will be deployed to block cloud administrators unless they are from a trusted known IP address range. The separation of privileged operating environments described in ISM-1380 will be reinforced by the policy.

Prerequisites

• Permissions/Roles
  • Separate admin accounts for administration and end-user activities. ¹
  • Minimize the number of Tier 0 privileged administrators. ¹
  • Plan for emergency access accounts and related exemptions from Conditional Access as appropriate. [^7]
• Dependencies
  • Privileged Access Workstation (PAW) foundation
    • Dedicated PAW OU structure and PAW-specific groups and policies
    • Hardware from a trusted supplier that meets security requirements
    • Windows 11 Enterprise Edition
    • Remote Server Administration Tools for Windows 11
    • Windows 11 Security Baselines
    • On-intranet WSUS server for PAW updates
    • Domain join to the appropriate administrative OU These prerequisites are described in the legacy PAW guidance. ⁴
  • Identity and device management for PAWs and privileged access
    • Devices used for privileged administration must be enrolled in Microsoft Intune / Entra ID (and Defender for Endpoint), and be device compliant
    • Multi-factor authentication (MFA) and device compliance are enforced as part of Conditional Access
    • If using Intune to implement Administrator protection, deploy a Settings Catalog policy under Local Policies Security Options These requirements are supported by privileged access deployment guidance. ^{1 2}
  • Just-in-Time privileged access and elevated session controls
    • Enable Just-in-Time privileges for Azure resources using Privileged Identity Management (PIM), with activation workflows and time-bound durations
    • Consider using Azure Bastion for Just-In-Time VM access These capabilities are described in Privileged Access guidance. ³
  • Conditional Access posture for privileged administration
    • Deploy Conditional Access to require device compliance, MFA, and a trusted device for cloud admin portal access This posture is described in privileged access deployment guidance. ¹
  • Architectural alignment and zero-trust guidance
    • Align with secure administration blueprint guidance to separate privileged environments and enforce zero-trust through Intune and Conditional Access This guidance is described in ASD Blueprint and related best-practice sources. ^{5 2}

Implementation Steps

Conditional Access policy for trusted IP range for cloud administrators

1. Identify cloud administrator accounts to scope the policy to privileged sign-ins. ¹

2. Define a trusted IP range as a named location to restrict sign-ins to cloud admin portals. ²

3. Create and enforce a Conditional Access policy that blocks sign-ins from locations outside the trusted IP range and requires MFA and device compliance for access to cloud management interfaces. ¹

   • Require MFA for all sign-ins to cloud management portals. ¹

   • Require device to be compliant (or a dedicated privileged workstation) as a gating condition. ¹

4. Create an emergency break-glass exception group to bypass the policy in critical situations. ¹

5. Deploy the policy using the recommended tooling (Intune Settings Catalog approach or Azure AD CA) and apply to the defined group of cloud administrators. ¹

6. Validate implementation and monitor sign-in activity and policy enforcement. Verify that sign-ins from trusted IP addresses succeed and from non-trusted IPs are blocked; review Conditional Access logs for sign-in events and alerts. ¹

[!NOTE] Emergency break-glass accounts should be excluded from the policy and managed separately to ensure access remains possible in extreme cases. ¹

Just-in-time privileged access with PIM

Where permanent administrative role assignments exist, replace them with eligible assignments in Microsoft Entra Privileged Identity Management:³

1. Enable PIM for Entra ID directory roles and Azure resource roles via the PIM wizard.
2. Assign administrators as eligible (not permanently active) for all privileged roles.
3. Configure activation settings:
   • Maximum activation duration: 1 hour (or shortest operationally feasible).
   • Require MFA (or phishing-resistant MFA for ML3) at activation.
   • Require approval for high-impact roles (e.g., Global Administrator).
4. Enable activation notifications to designated approvers.
5. Keep zero permanently active assignments, except for break-glass accounts.

Emergency (break-glass) account configuration

Emergency accounts must be available even if the primary identity infrastructure fails:¹

1. Create two cloud-only accounts using the .onmicrosoft.com domain (no on-premises sync, no federation dependency).
2. Assign each account a permanent active Global Administrator role in PIM.
3. Protect each account with a different FIDO2 security key (store keys in physically separate secure locations).
4. Exclude both accounts from all Conditional Access policies.
5. Disable password expiration and use a 16+ character random password, split across two secure storage locations.
6. Configure an Entra ID sign-in alert (and Azure Monitor alert) to trigger immediately on any break-glass sign-in.
7. Test break-glass access during BC/DR drills and reset passwords after each test.

[!NOTE] Monitoring of break-glass account sign-ins must be in place before the accounts are created. A sign-in from these accounts is a high-severity event and should trigger an immediate investigation response.

Additional related information

• ASD Blueprint provides service provisioning considerations for secure admin onboarding and zero-trust alignment with Intune and conditional access ASD Blueprint: Service provisioning considerations

• Privileged access: Strategy describes strategic initiatives for end-to-end session security, identity governance, and rapid threat response for privileged access Privileged access: Strategy

• Administrator protection (preview — rollout deferred) provides options to enable admin elevation controls via Intune Settings Catalog, CSP policies, Group Policy, and Windows Security Settings Administrator protection (preview)

• Best practices for all isolation architectures offers guidance on conditional access policies and zero-trust design for isolated admin environments Best practices for all isolation architectures

• Essential Eight restrict administrative privileges describes separation of privileged and unprivileged environments and least-privilege administration concepts Essential Eight restrict administrative privileges

• Security rapid modernization plan outlines admin workstations deployment and rapid modernization to reduce privileged access risk Security rapid modernization plan

• Manage emergency access accounts in Microsoft Entra ID covers the configuration, testing, and monitoring of break-glass accounts Manage emergency access accounts in Microsoft Entra ID

• Plan a Privileged Identity Management deployment covers eligible assignment configuration, activation settings, approval workflows, and auditing requirements Plan a Privileged Identity Management deployment