Use Dedicated Accounts for AD FS Administration
AD FS servers should be managed using special accounts not shared with other systems.
Plain language
Use accounts that exist only to manage AD FS servers, rather than the same accounts you use to administer other systems. If an attacker captures a shared account, for example by stealing its credentials from a less well-protected server it is also used on, they gain control not only of the AD FS server but of every other system that account can administer, turning a single compromise into a wide-scale breach.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Microsoft AD FS servers are administered using a dedicated service account that is not used to administer other systems.
Why it matters
AD FS issues the tokens that other systems trust, so an account that can administer it is as sensitive as the identity platform itself. If that same account is used to administer other systems, the exposure runs both ways: its credentials can be stolen from a lower-trust server and replayed against AD FS, and an attacker who compromises AD FS administration inherits the account's rights everywhere else. Either way a single breach escalates into widespread compromise.
Operational notes
Use the dedicated AD FS admin account only on AD FS servers, and never to administer anything else. Regularly audit the local Administrators group on each AD FS server for members other than that account, and audit logon events (Windows Security event 4624) in both directions: the dedicated account appearing on non-AD FS hosts, and other administrative accounts logging on interactively to AD FS servers.
Implementation tips
- IT team should create dedicated accounts: Set up special user accounts specifically for AD FS administration to avoid using any existing accounts that might have other permissions. Make sure these accounts are used only for AD FS tasks.
- System owner to review user access: Regularly check who has access to the AD FS administration accounts to ensure only necessary personnel have access. Set a schedule for quarterly reviews to keep track of any changes in the team.
- HR department to inform IT of staff changes: Ensure HR notifies the IT team whenever there is a change in staff who manage AD FS so that access can be granted or revoked as soon as possible.
- IT team should enable logging: Enable Security event auditing on the AD FS servers and forward it to central logging, so that every logon by the administration accounts, and every configuration change they make, is recorded on a system the account holders cannot tamper with. Review these logs to detect any unusual behaviour quickly.
- Managers to conduct training: Organise training sessions for staff who use AD FS administration accounts to ensure they understand the importance of using these accounts correctly and securely.
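The following PowerShell is an added example, not part of the ISM control, this page, or any Microsoft guidance. It turns the "audit group membership and logons for cross-use" advice into two repeatable checks: who sits in the local Administrators group of each AD FS server, and whether Security event 4624 shows the dedicated account logging on to other hosts or other accounts logging on interactively to the AD FS servers. The host names, the domain CONTOSO, the account name svc-adfs-admin and the allowed-admin list are assumptions to replace with your own; the script requires PowerShell remoting to the AD FS servers, read access to each host's Security log, and "Audit Logon" success auditing enabled so that 4624 events exist to query.

```powershell
# Added example (not from the ISM control or this page). Assumed names:
# AD FS farm ADFS01/ADFS02, dedicated admin account CONTOSO\svc-adfs-admin,
# and a sample of other servers the account must never log on to.
$AdfsServers  = @('ADFS01', 'ADFS02')
$OtherServers = @('FS01', 'SQL01', 'WEB01')
$AdfsAdmin    = 'svc-adfs-admin'
$Domain       = 'CONTOSO'
$Since        = (Get-Date).AddDays(-30)

# Accounts and groups permitted in the AD FS servers' local Administrators
# group (assumed). Anything else is a finding for the quarterly access review.
$AllowedAdmins = @("$Domain\$AdfsAdmin", "$Domain\Domain Admins")

# Flatten a 4624 (successful logon) record into the fields we need.
# TargetUserName is the account that logged on; LogonType 2 = interactive,
# 3 = network, 5 = service, 10 = RemoteInteractive (RDP).
function Get-LogonEvents {
    param([string]$ComputerName, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Host      = $ComputerName
                Time      = $_.TimeCreated
                Domain    = $data['TargetDomainName']
                Account   = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
            }
        }
}

# Check 1: who can administer the AD FS servers? Membership is read on the
# server itself so nested or stale entries are seen as Windows sees them.
foreach ($srv in $AdfsServers) {
    $members = Invoke-Command -ComputerName $srv -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    $unexpected = $members | Where-Object { $_ -notin $AllowedAdmins }
    if ($unexpected) {
        Write-Warning "$srv local Administrators has unexpected members: $($unexpected -join ', ')"
    }
}

# Check 2a: the dedicated account must not appear on any non-AD FS host.
# Every logon type counts here; a network logon to a file server is still cross-use.
$crossUse = foreach ($srv in $OtherServers) {
    Get-LogonEvents -ComputerName $srv -StartTime $Since |
        Where-Object { $_.Account -eq $AdfsAdmin }
}

# Check 2b: nobody but the dedicated account should administer the AD FS
# servers interactively. Only types 2 and 10 are considered, so the AD FS
# service account (type 5) and federation traffic (type 3) do not alert.
$sharedAdmin = foreach ($srv in $AdfsServers) {
    Get-LogonEvents -ComputerName $srv -StartTime $Since |
        Where-Object { $_.LogonType -in @(2, 10) -and $_.Account -ne $AdfsAdmin }
}

'--- Dedicated AD FS account used on non-AD FS hosts ---'
$crossUse    | Sort-Object Time | Format-Table Host, Time, Domain, Account, LogonType -AutoSize
'--- Interactive logons to AD FS servers by other accounts ---'
$sharedAdmin | Sort-Object Time | Format-Table Host, Time, Domain, Account, LogonType -AutoSize
```

Run it from a management host under an account that can read the Security logs in scope, and keep the output with the quarterly review records: an empty result for both tables is the evidence an auditor is asking for under "usage logs", and any row is either a documented exception or a finding. If the Security logs are already forwarded to a SIEM, the same two conditions (account = dedicated admin on host not in the AD FS farm; interactive logon to an AD FS server by any other account) translate directly into scheduled detections.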
Audit / evidence tips
- Ask: the list of dedicated AD FS accounts. Request the document that lists all special accounts used for AD FS administration.
  Good: the list shows only accounts used for AD FS and nothing else.
- Ask: the access review records. Request records of the regular access reviews for AD FS accounts.
  Good: the records show these reviews happen quarterly, and all access is justified.
- Ask: the staff access change log. Request the log of any changes to who can use AD FS administration accounts.
  Good: the change log shows timely updates in line with staff changes.
- Ask: usage logs. Request the logs of when and how AD FS administration accounts are used.
  Good: the logs show regular, expected activity and no suspicious behaviour.
- Ask: training materials. Request the materials used for training staff on AD FS account usage.
Cross-framework mappings
How ISM-1949 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.2 (Privileged access rights) | ISM-1949 mandates dedicated, non-reused accounts for administering AD FS servers to control and segregate privileged access |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-RA-ML1.2 | ISM-1949 requires Microsoft AD FS servers to be administered using a dedicated service account that is not used to administer other systems |
| Partially overlaps | E8-RA-ML2.5 | ISM-1949 requires AD FS administration to occur via a dedicated account that is not used to administer other systems |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.