Synced Admin Accounts

Learn about synced admin accounts and how to mitigate this risk.

When privileged admin accounts are synced with admin or regular accounts across Azure AD and Active Directory, a potential security loophole is created: an attacker who gains unauthorized access to one of the synced accounts can more easily access the other, which may let the attacker reach critical systems and perform malicious activities. Syncing admin accounts with personal Microsoft accounts is a particularly risky configuration.

Best practices:

  • Do not sync highly privileged Azure AD or Active Directory admin accounts with admin or non-admin accounts. Azure AD admins who must conduct on-premises administrative tasks should use separate, non-synced Active Directory accounts.

  • Configure separate accounts for administrative functions that are distinct from user accounts.

  • Do not permit the sharing of accounts between users.

  • Use only cloud-native accounts for Azure AD roles. Avoid using on-premises synced accounts for Azure AD role assignments.

  • Use Azure AD Connect filtering to control the accounts that are synchronized from your on-premises directory to Azure AD to reduce the number of synced admin accounts.
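To check a tenant against these practices, the following added example (not part of the original page) lists every user holding an activated Azure AD directory role and flags those that Azure AD Connect currently synchronizes from on-premises AD. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the read scopes requested.

```powershell
# Added example: find on-premises synced accounts that hold Azure AD directory roles.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph modules) is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can be users, groups or service principals; only users sync from AD.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id `
            -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesDistinguishedName

        # OnPremisesSyncEnabled is $true for accounts Azure AD Connect currently syncs
        # and $null for cloud-native accounts.
        if ($user.OnPremisesSyncEnabled -eq $true) {
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                OnPremDN          = $user.OnPremisesDistinguishedName
            }
        }
    }
}

if ($findings) {
    # Each row is a synced account holding an Azure AD role: a candidate for replacement
    # by a cloud-native admin account or for exclusion via Azure AD Connect filtering.
    $findings | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
} else {
    "No on-premises synced accounts hold activated Azure AD directory roles."
}
```

Only active members of activated roles are listed; eligible assignments made through Privileged Identity Management are not returned by these cmdlets and need to be reviewed separately.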