Privileged Entra Account With Access To M365 Services

MEDIUM
Note: This indicator is in Early Access.

Description

When you use a privileged account for daily activities like reading emails or documents from the Internet, you increase the risk of compromising that account. Threat actors frequently gain initial access to an environment through phishing documents sent via email or drive-by download attacks in web browsers. If an attacker targets an administrator with such methods, the consequences can be severe: a direct, full compromise of the Entra infrastructure, its accounts, and its resources.

This Indicator of Exposure checks whether service plans (i.e., licenses) for Microsoft 365 applications and services are assigned to privileged accounts, when only standard accounts should need them. The heuristic aims to identify administrators who have a single account instead of two separate ones (a standard account and a privileged account). It can generate false positives, for example when an administrator already has separate standard and privileged accounts but service plans are assigned to both. If your investigation confirms a false positive, you can ignore the finding through the provided option. Even in that case, using Microsoft 365 applications and services from the privileged account increases the likelihood of compromising it, which we don't recommend.

The IoE verifies the following Microsoft 365 services:

  • Exchange Online
  • Microsoft 365 Apps
  • Office for the Web
  • SharePoint Online
  • Microsoft Teams
  • Skype for Business Online

This IoE considers various service plan variants for Microsoft 365 services, such as business, education, government, and others.

Solution

You must ensure that users performing administrative tasks in Entra ID have multiple accounts, typically two: a standard account for daily use and a separate privileged account strictly for administrative activities. Use the standard account, which has no privileges, for risky daily Internet operations and for opening untrusted documents. Give the privileged account only the service plans that administrative tasks actually require. This follows Microsoft's guidance on separating accounts for admins.

To summarize, follow two remediation steps:

  1. Create a separate administrator account for each privileged user, such as an administrator; this separation is the main goal of this IoE. Assign the privileges to these dedicated privileged accounts instead of their normal accounts, and use the privileged accounts only for administrative tasks. This is a common cybersecurity best practice that Microsoft recommends and that national cybersecurity organizations and compliance standards mandate.
  2. After separating the accounts, check that you assign only limited service plans to the privileged accounts. Since these accounts should perform only administrative tasks, they do not need access to Microsoft 365 applications and services, and removing that access also reduces their exposure. This step makes the privileged accounts compliant with this IoE. Specifically, on privileged accounts, disable the service plans for Microsoft 365 applications and services that administrative tasks do not require, and retain useful security licenses such as Entra ID P1/P2. For example, depending on your organization's license (such as Microsoft 365 E3/E5), disable service plans like Exchange Online while keeping others (Entra ID P1/P2). See Microsoft's guidance on changing license assignments for a user or group in Microsoft Entra ID.
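The following Microsoft Graph PowerShell script is an added example, not Tenable's detection logic or Microsoft's code: it reproduces the check this IoE describes (enabled Microsoft 365 service plans on privileged accounts) and then applies step 2 to a reviewed finding by disabling those plans while keeping the SKU. It assumes the Microsoft.Graph module is installed, uses membership in an activated directory role as the proxy for "privileged", and the service plan name prefixes are an assumed mapping of the six services that you should confirm against your tenant's Get-MgSubscribedSku output.

```powershell
# Added example (not Tenable's detection code): report enabled Microsoft 365 service plans
# on members of activated Entra ID directory roles, then disable them per remediation step 2.
# Assumes the Microsoft.Graph module; the plan-name prefixes below are an assumed mapping
# of the six services to common SKUs, so verify them against Get-MgSubscribedSku output.
Connect-MgGraph -Scopes 'Directory.Read.All','RoleManagement.Read.Directory' | Out-Null
$M365Prefixes = @(
    'EXCHANGE_S_',        # Exchange Online (ENTERPRISE, STANDARD, ... variants)
    'OFFICESUBSCRIPTION', # Microsoft 365 Apps
    'SHAREPOINTWAC',      # Office for the Web
    'SHAREPOINT',         # SharePoint Online (ENTERPRISE, STANDARD, EDU, GOV ...)
    'TEAMS1',             # Microsoft Teams
    'MCOSTANDARD'         # Skype for Business Online
)
# Assumed: EXCHANGE_S_FOUNDATION ships inside Entra ID P1/P2 without a mailbox, so skip it.
$IgnoredPlans = @('EXCHANGE_S_FOUNDATION')
function Get-M365PlansOnPrivilegedUsers {
    foreach ($role in Get-MgDirectoryRole) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Only user objects carry licenses; skip groups and service principals.
            if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
            $upn = (Get-MgUser -UserId $member.Id -Property UserPrincipalName).UserPrincipalName
            foreach ($lic in Get-MgUserLicenseDetail -UserId $member.Id) {
                foreach ($plan in $lic.ServicePlans) {
                    $name = $plan.ServicePlanName
                    $isM365 = [bool]($M365Prefixes | Where-Object { $name.StartsWith($_) })
                    if ($plan.ProvisioningStatus -ne 'Disabled' -and $isM365 -and $name -notin $IgnoredPlans) {
                        [pscustomobject]@{ User = $upn; Role = $role.DisplayName; Sku = $lic.SkuPartNumber
                                           Plan = $name; PlanId = $plan.ServicePlanId }
                    }
                }
            }
        }
    }
}

# Step 2 for one privileged account: keep each SKU but disable the flagged plans in it.
# DisabledPlans replaces the SKU's whole disabled set, so already-disabled plans are merged
# back in. Needs the User.ReadWrite.All scope; run only after reviewing the findings.
function Disable-M365PlansForUser([string]$UserPrincipalName, [object[]]$Findings) {
    foreach ($lic in Get-MgUserLicenseDetail -UserId $UserPrincipalName) {
        $newOff = @(@($Findings | Where-Object { $_.User -eq $UserPrincipalName -and $_.Sku -eq $lic.SkuPartNumber }).PlanId)
        if ($newOff.Count -eq 0) { continue }
        $keepOff = @(@($lic.ServicePlans | Where-Object ProvisioningStatus -eq 'Disabled').ServicePlanId)
        $disabled = @($keepOff + $newOff | Select-Object -Unique)
        Set-MgUserLicense -UserId $UserPrincipalName -RemoveLicenses @() `
            -AddLicenses @(@{ SkuId = $lic.SkuId; DisabledPlans = $disabled }) | Out-Null
    }
}
$findings = Get-M365PlansOnPrivilegedUsers | Sort-Object User, Plan -Unique
$findings | Format-Table User, Role, Sku, Plan -AutoSize
```

Get-MgDirectoryRole enumerates only activated roles with active members, so PIM-eligible assignments are not covered and the privileged set must be extended if you use PIM; once a finding is reviewed, call Disable-M365PlansForUser with that account's UPN and $findings.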

Maintaining separate standard and privileged accounts introduces other security-related considerations that you should also address:

  • For password management, ensure administrators set distinct passwords for their standard and privileged accounts. Having the same password defeats the purpose of account separation, as it allows an attacker who compromises the standard account credentials to pivot to the privileged account.
  • Ensure that users do not access these accounts from the same computer. Protect privileged accounts by providing a dedicated secure device reserved for privileged operations. This concept is known as "Privileged Access Workstation" (PAW) or "Privileged Access Devices." Refer to Microsoft's documentation on Securing Devices as Part of the Privileged Access Story.

Indicator Details

Name: Privileged Entra Account With Access To M365 Services

Codename: PRIVILEGED-ENTRA-ACCOUNT-WITH-ACCESS-TO-M365-SERVICES

Severity: Medium