Administrative accounts have elevated access to systems. They can install software, modify configurations, access all files, and in many cases export or delete data at scale. Attackers target privileged accounts because compromising one provides immediate access to everything that account can touch.
The Core Requirement
Users should not perform standard daily activities — email, web browsing, document editing — using an account with administrative privileges. A separate, purpose-specific account should be used for administrative tasks only. This separation limits what an attacker can do with a phished or stolen credential from a standard workflow.
What Each Maturity Level Requires
Level One: requests for privileged access are validated, accounts are used only for tasks requiring privilege, and privileged users do not use those accounts for email and internet browsing.
Level Two: privileged accounts are managed and reviewed regularly, just-in-time access is used where possible, and administrative activities are logged.
Level Three: privileged access workstations (PAWs) are used for all administrative activity — physically or logically isolated devices used only for privileged tasks.
Common Implementation Mistakes
Creating a named admin account per person but allowing them to use it as their primary daily account defeats the purpose. Giving IT service providers shared administrative credentials with no individual accountability makes audit impossible and revocation difficult. Not reviewing privileged account membership regularly means accounts accumulate privileges over time.
How does this apply to cloud and Microsoft 365 administration?
Microsoft 365 global administrator accounts should not be the same accounts used for daily work. Global admin should be a break-glass account used rarely. For routine administration, use delegated roles with only the permissions required for the task — Exchange admin, SharePoint admin, Intune admin — rather than granting global admin to every IT team member.
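The implementation mistakes listed earlier and the Microsoft 365 role guidance above can be checked mechanically against an account inventory. The following is an added example, not part of the original article: the records are constructed, and the field names, the break_glass flag, the mailbox check as a proxy for daily use and the 90-day review interval are all assumptions.

```python
from datetime import date

# Constructed sample inventory (not real tenant data). Field names are
# assumptions for this example, not a Microsoft 365 export format.
ACCOUNTS = [
    {"upn": "alice@example.test", "roles": [], "mailbox": True,
     "users": ["alice"], "break_glass": False, "reviewed": date(2024, 5, 1)},
    {"upn": "adm-alice@example.test", "roles": ["Exchange Administrator"],
     "mailbox": False, "users": ["alice"], "break_glass": False,
     "reviewed": date(2024, 5, 1)},
    {"upn": "bob@example.test", "roles": ["Global Administrator"],
     "mailbox": True, "users": ["bob"], "break_glass": False,
     "reviewed": date(2023, 1, 10)},
    {"upn": "msp-admin@example.test", "roles": ["Intune Administrator"],
     "mailbox": False, "users": ["vendor-tech-1", "vendor-tech-2"],
     "break_glass": False, "reviewed": date(2024, 4, 20)},
    {"upn": "breakglass@example.test", "roles": ["Global Administrator"],
     "mailbox": False, "users": [], "break_glass": True,
     "reviewed": date(2024, 5, 1)},
]

def audit(accounts, today, review_days=90):
    """Return sorted (upn, finding) pairs for privileged accounts only."""
    findings = []
    for acct in accounts:
        if not acct["roles"]:
            continue  # standard accounts are out of scope
        upn = acct["upn"]
        # Assumption: a mailbox on a privileged account means it is used for email.
        if acct["mailbox"]:
            findings.append((upn, "privileged account has a mailbox (daily-use risk)"))
        # More than one person behind a credential removes accountability.
        if len(acct["users"]) > 1:
            findings.append((upn, "shared credential, no individual accountability"))
        # review_days is an assumed interval; the article only says "regularly".
        if (today - acct["reviewed"]).days > review_days:
            findings.append((upn, "membership review overdue"))
        if "Global Administrator" in acct["roles"] and not acct["break_glass"]:
            findings.append((upn, "Global Administrator on a routine account; use a delegated role"))
    return sorted(findings)

if __name__ == "__main__":
    for upn, finding in audit(ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{upn}: {finding}")
```

On the sample data only bob@example.test and msp-admin@example.test are flagged; the separate adm-alice account with a single delegated role and the break-glass account pass.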


