ISM-1619, ASD Information Security Manual (ISM)

Configure Service Accounts as Managed Service Accounts

Ensure service accounts are created as Managed Service Accounts for improved security.


Plain language

Using Managed Service Accounts (MSAs) for service accounts means that these accounts are better protected and managed automatically. If this isn't done, your organisation might leave backdoor access open to critical systems, potentially leading to data breaches or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Sept 2020

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Service accounts are created as group Managed Service Accounts.

Why it matters

Without group Managed Service Accounts, service credentials are harder to protect, increasing risk of account takeover, unauthorised access and data breaches.


Operational notes

Use group Managed Service Accounts for services, remove unused gMSAs, and regularly review which hosts and services are permitted to use each gMSA.


Implementation tips

  • IT team should review existing service accounts to identify which ones can be converted into Managed Service Accounts. Start with accounts that have high access privileges and schedule a plan to transition them to MSAs using available tools or by consulting software manuals.
  • System administrators should configure new service accounts as Managed Service Accounts by default. This can be done by using Windows Active Directory features that support creating MSAs, which help automate password management and provide inherent security benefits.
  • IT managers should educate their teams on the benefits of using MSAs. Conduct a workshop to explain how MSAs reduce administrative overhead and improve security, using clear examples and scenarios relevant to your organisation.
  • Security officers should ensure compliance with ACSC (Australian Cyber Security Centre) guidelines on service account management. Cross-reference your setup with the Essential Eight framework, focussing on the benefits of automating password changes through MSAs.
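
The review described in the operational notes and the first implementation tip can be scripted. The following PowerShell is an added example, not part of the ISM or of this page's source. It assumes the ActiveDirectory module (RSAT), read access to the domain, a 90-day staleness threshold, and that user objects carrying a service principal name are the legacy service accounts to consider for conversion. The output file names are placeholders.

```powershell
# Added example: read-only review of gMSAs and legacy service accounts.
Import-Module ActiveDirectory

$staleAfterDays = 90                          # assumption: set per local policy
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# 1. gMSAs: which principals may retrieve the managed password, and is the
#    account still in use? Empty scope or no recent logon flags it for review.
$gmsaReview = Get-ADServiceAccount -Filter * `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, LastLogonDate |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    ForEach-Object {
        $allowed = $_.PrincipalsAllowedToRetrieveManagedPassword
        [pscustomobject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            LastLogonDate     = $_.LastLogonDate   # replicated value, can lag by days
            AllowedPrincipals = $allowed -join '; '
            ReviewForRemoval  = (-not $allowed) -or
                                (-not $_.LastLogonDate) -or
                                ($_.LastLogonDate -lt $cutoff)
        }
    }

# 2. Legacy service accounts: ordinary user objects that hold an SPN.
#    Oldest passwords first, as these are the strongest conversion candidates.
$legacyAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } } |
    Sort-Object PasswordLastSet

# 3. Keep both lists as dated review evidence (placeholder file names).
$stamp = Get-Date -Format 'yyyyMMdd'
$gmsaReview     | Export-Csv -Path ".\gmsa-review-$stamp.csv" -NoTypeInformation
$legacyAccounts | Export-Csv -Path ".\legacy-service-accounts-$stamp.csv" -NoTypeInformation

$gmsaReview | Where-Object ReviewForRemoval | Format-Table Name, LastLogonDate, AllowedPrincipals
```

The script changes nothing in the directory. Entries flagged `ReviewForRemoval` still need confirmation with the service owner before a gMSA is removed.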

Audit / evidence tips

  • Ask: A list of all service accounts in use. Request documentation detailing which service accounts exist and their purpose. Good: Shows a clear list with MSAs implemented wherever applicable.
  • Ask: To see system logs showing MSA activity. Request logs that document service account behaviour over time. Good: Will feature regular, automated password updates without anomalies.
  • Ask: Documentation on MSA policy. Obtain written policies on how service accounts are managed within the organisation. Good: Policy will include clear roles, responsibilities, and procedures for configuring MSAs.
  • Ask: Training logs or records. Request records showing when staff received training on MSAs. Good: Record includes up-to-date training sessions attended by relevant staff members.
  • Ask: Evidence of compliance checks. Request reports or minutes from meetings where security compliance, including MSA usage, was reviewed. Good: Will show documented checklists or action items ensuring MSAs are standard practice.

Cross-framework mappings

How ISM-1619 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 5.16 ISM-1619 requires service accounts to be created specifically as group Managed Service Accounts (gMSAs) to improve security of service id...
Supports (2)
Annex A 8.2 ISM-1619 addresses secure use of service identities by requiring service accounts to be implemented as gMSAs, reducing unmanaged privileg...
Annex A 8.9 ISM-1619 mandates a secure configuration pattern for Windows service identities by using gMSAs for service accounts

E8

Control Notes Details
Supports (1)
E8-RA-ML2.5 ISM-1619 requires service accounts to be created as gMSAs so their credentials are system-managed rather than manually set and reused

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.