Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.
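The following PowerShell script is an added example, not the page's text and not the guest-configuration code that Azure Policy itself runs. It mirrors the same rule locally: enumerate the local Administrators group and flag any member that is not on an allow-list. The allow-list in `$AllowedMembers` is an assumed placeholder you replace with your own approved principals.

```powershell
# Added example: local check equivalent to the "extra members in Administrators" rule.
# Assumption: $AllowedMembers is your own approved list (host-local names are
# matched without the machine-name prefix; domain principals keep DOMAIN\name).
param(
    [string[]]$AllowedMembers = @('Administrator', 'CONTOSO\Domain Admins')  # placeholder allow-list
)

function Get-AdministratorsMembers {
    # Get-LocalGroupMember is the native cmdlet, but it throws when the group
    # holds an orphaned SID (e.g. a deleted domain account). Fall back to ADSI
    # so the audit still completes instead of silently reporting nothing.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { $_.Name })
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        return @($group.Invoke('Members') | ForEach-Object {
            # AdsPath looks like WinNT://CONTOSO/jdoe or WinNT://HOST/Administrator
            $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        })
    }
}

function Test-AdministratorsCompliance {
    param([string[]]$Allowed, [string[]]$Actual)
    # Normalise: strip the local machine prefix and compare case-insensitively.
    $norm = { param($n) ($n -replace "^$env:COMPUTERNAME\\", '').ToLowerInvariant() }
    $allowedSet = @($Allowed | ForEach-Object { & $norm $_ })
    $extra = @($Actual | Where-Object { $allowedSet -notcontains (& $norm $_) })
    [pscustomobject]@{
        Compliant    = ($extra.Count -eq 0)
        ExtraMembers = $extra
    }
}

$result = Test-AdministratorsCompliance -Allowed $AllowedMembers -Actual (Get-AdministratorsMembers)
if ($result.Compliant) {
    'Compliant: Administrators contains only allowed members'
} else {
    "Non-compliant: unexpected members -> $($result.ExtraMembers -join ', ')"
}
```

Run it in an elevated session on the machine being audited. The ADSI fallback matters in practice: a stale SID left behind by a deleted domain account is exactly the kind of residue an audit should surface, and a script that aborts on it would report the machine as if it had been checked.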
Create standard operating procedures around the use of dedicated administrative accounts. Use Azure Security Center Identity and Access Management to monitor the number of administrative accounts.
You can also enable Just-In-Time / Just-Enough-Access by using Microsoft Entra Privileged Identity Management (PIM) for privileged roles in Microsoft services and Azure Resource Manager.
Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/
Agencies MUST establish a Privileged Access Management (PAM) policy.
Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.
A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts. These are most conveniently contained in a Privileged Access Management (PAM) section within the agency's security policy. A PAM policy is a core component of an agency's IT governance.