I'm currently managing a hybrid setup with both on-prem Active Directory (AD) and Azure AD. We previously linked our on-prem domain admins to Azure as Global Admins, but we've since decided to separate those roles. Now, we've created new Global Admin accounts that are specific to the cloud. However, quite a few of the old on-prem domain admin accounts are still synced with Azure and currently hold Global Admin privileges. Before we stop syncing these accounts (which will make them exclusive to our on-prem AD), I need to ensure I identify all locations where these old accounts may be referenced in the system. Does anyone have tips or steps for cleaning up this situation? Thanks!
1 Answer
Honestly, just stopping the use of those global/domain admin accounts might not resolve everything. You should really look into role-based access control (RBAC) instead of relying on those admin accounts.
That's a good point! But what's the alternative for managing the permissions effectively? Is Azure AD Privileged Identity Management (PIM) a solid option?
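The inventory the question asks for (which Global Admin holders are still synced from on-prem AD, and what else those accounts own or belong to) can be scripted before the sync is cut, and the same listing shows whether an assignment is a standing one or a PIM-eligible one, which is the starting point for the RBAC/PIM move the answer suggests. The following is an added example, not code from the original thread. It assumes the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) and an account able to consent to the read scopes below; the function names `Get-SyncedGlobalAdmins` and `Get-UserReferences` are this example's own. The role ID `62e90394-69f5-4237-9190-012177145e10` is the well-known template ID of the built-in Global Administrator role.

```powershell
# Added example for the thread above; not from the original poster.
# Requires the Microsoft Graph PowerShell SDK. Read-only scopes are enough.
Connect-MgGraph -Scopes "Directory.Read.All",
                        "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory"

# Well-known template/definition ID of the built-in Global Administrator role.
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

function Get-SyncedGlobalAdmins {
    # Active assignments via the unified role-management API. This includes
    # direct assignments and currently activated PIM assignments.
    $active = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$gaRoleId'" -All
    # PIM-eligible assignments; Get-MgDirectoryRoleMember would not show these.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "roleDefinitionId eq '$gaRoleId'" -All

    $principals = @()
    foreach ($a in $active)   { $principals += [pscustomobject]@{ Id = $a.PrincipalId; Kind = 'Active' } }
    foreach ($e in $eligible) { $principals += [pscustomobject]@{ Id = $e.PrincipalId; Kind = 'Eligible' } }

    foreach ($p in $principals) {
        # A principal can be a user, a role-assignable group or a service principal.
        # Only users carry the on-prem sync flag; anything else is reported for manual expansion.
        $u = Get-MgUser -UserId $p.Id `
            -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesDistinguishedName `
            -ErrorAction SilentlyContinue
        if (-not $u) {
            Write-Warning "Principal $($p.Id) ($($p.Kind)) is a group or service principal; expand its members separately."
            continue
        }
        # OnPremisesSyncEnabled is $true only for accounts mastered in on-prem AD.
        if ($u.OnPremisesSyncEnabled) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Assignment        = $p.Kind
                OnPremDN          = $u.OnPremisesDistinguishedName
            }
        }
    }
}

function Get-UserReferences {
    # Lists the other places a synced admin account is referenced in the tenant
    # so ownership can be moved before the object becomes on-prem only.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

    # Objects the account owns: app registrations, enterprise apps, groups.
    Get-MgUserOwnedObject -UserId $u.Id -All | ForEach-Object {
        [pscustomobject]@{
            User      = $UserPrincipalName
            Reference = 'Owner'
            Type      = $_.AdditionalProperties['@odata.type']
            Name      = $_.AdditionalProperties['displayName']
        }
    }
    # Memberships: groups (including role-assignable groups and any group used as a
    # Conditional Access include/exclude) and directory roles.
    Get-MgUserMemberOf -UserId $u.Id -All | ForEach-Object {
        [pscustomobject]@{
            User      = $UserPrincipalName
            Reference = 'Member'
            Type      = $_.AdditionalProperties['@odata.type']
            Name      = $_.AdditionalProperties['displayName']
        }
    }
}

# Usage: list synced Global Admins, then everything each one owns or belongs to.
$synced = Get-SyncedGlobalAdmins
$synced | Format-Table -AutoSize
foreach ($s in $synced) { Get-UserReferences -UserPrincipalName $s.UserPrincipalName } |
    Format-Table -AutoSize
```

Two caveats a practitioner would want: the script covers Azure AD directory roles only, so Azure subscription/resource RBAC (the `Az` module's `Get-AzRoleAssignment`) and Conditional Access policies that name these users directly still need to be checked separately; and a warning line about a group principal means a role-assignable group holds Global Admin, whose members may themselves be synced accounts and need the same `OnPremisesSyncEnabled` check.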