ISM-1952

Prevent Synchronisation of Privileged Accounts

Ensure privileged accounts aren't synced between Microsoft AD DS and Entra ID for security reasons.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID.

Source: ASD Information Security Manual (ISM)

Plain language

This control means you should not let accounts with special access or powers be automatically copied between your local computer systems and Microsoft's cloud systems. Doing so is important because if someone gains unauthorised access to these powerful accounts, they could cause significant harm by accessing sensitive information or disrupting operations.

Why it matters

Unauthorised sync of privileged accounts between AD DS and Entra ID could lead to compromised credentials and elevated risks of data breaches or operational disruptions.

Operational notes

Regularly audit account sync configurations to ensure privileged accounts remain unsynced, protecting against potential security cross-contamination.

Implementation tips

  • The IT team should identify which user accounts have special privileges. Do this by reviewing all user accounts in the local Microsoft Active Directory to see which ones have administrator access or other special roles.
  • The IT manager should ensure that these privileged accounts are not set to synchronise with the Microsoft Entra ID. This can be achieved by configuring the synchronisation settings to exclude these accounts.
  • System administrators should create a policy to regularly review the list of privileged accounts. Set a schedule for these reviews, such as quarterly, and document any changes or updates.
  • The IT team should provide training to staff on the importance of this control. They can organise a workshop or briefing session to explain the risks involved with syncing privileged accounts.
  • Managers should perform regular checks to ensure this control is being followed. This can be done by reviewing synchronisation logs from the Entra Connect tool to verify they exclude privileged accounts.

Audit / evidence tips

  • Ask for: the list of all privileged user accounts. Request this list from the IT team to ensure there is a clear understanding of who has special access.

    Good: a clearly defined and current list of privileged accounts.

  • Ask for: synchronisation settings documentation. Request documentation showing how the synchronisation between AD DS and Entra ID is configured.

    Good: documentation that shows the specific configuration (for example, filtering rules) that prevents privileged accounts from being synchronised.

  • Ask for: recent synchronisation logs. These logs should be available from the Entra Connect tool.

    Good: logs that show only non-privileged accounts being synchronised.

  • Ask for: the policy on privileged account management. Request the written policy document covering the management of privileged accounts, and confirm it contains clear steps for managing and reviewing these accounts.

    Good: a detailed, current policy that explicitly addresses excluding privileged accounts from synchronisation.

  • Ask for: records of training sessions. Request evidence that staff received training on the importance and operation of this control.

    Good: documentation showing who attended and the content covered.
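As an added example (not Control Stack's or ASD's material, and not a product feature), the following PowerShell audit script ties the implementation tips above to the evidence requested here: it enumerates privileged AD DS accounts and reports any of them that exist in Entra ID as synchronised users. It only verifies the control; the exclusion itself is still configured in Entra Connect's filtering. The script assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed, that the caller can read AD DS group membership and holds the User.Read.All Graph permission; the list of privileged groups is an assumption that should be extended with your own tier-0 groups.

```powershell
# Added example (not from Control Stack or ASD): audit check for ISM-1952.
# Assumes the ActiveDirectory and Microsoft.Graph.Users modules, read access to
# AD DS group membership, and the User.Read.All Graph scope.
# The privileged group list below is an assumption; add your own tier-0 groups.

#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

function Get-PrivilegedAdAccounts {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators', 'Account Operators')
    )
    $found = @{}   # keyed by SID so an account in several groups is listed once
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged users are included
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties adminCount
                $found[$u.SID.Value] = $u
            }
    }
    # adminCount=1 marks accounts AdminSDHolder has protected at some point; it catches
    # accounts made privileged through groups that are not in the list above.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        ForEach-Object { $found[$_.SID.Value] = $_ }
    return $found.Values
}

function Test-PrivilegedSyncExclusion {
    param([string[]]$PrivilegedGroups)
    $privileged = if ($PrivilegedGroups) { Get-PrivilegedAdAccounts -PrivilegedGroups $PrivilegedGroups }
                  else { Get-PrivilegedAdAccounts }

    Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
    # Only hybrid (synced) users can have come from AD DS; match them on the on-prem SID,
    # which survives the sync unchanged unlike display names or UPNs.
    $synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
        -Property Id, UserPrincipalName, OnPremisesSecurityIdentifier
    $syncedBySid = @{}
    foreach ($s in $synced) {
        if ($s.OnPremisesSecurityIdentifier) { $syncedBySid[$s.OnPremisesSecurityIdentifier] = $s }
    }

    foreach ($p in $privileged) {
        $match = $syncedBySid[$p.SID.Value]
        [pscustomobject]@{
            SamAccountName = $p.SamAccountName
            AdSid          = $p.SID.Value
            AdminCount     = $p.adminCount
            SyncedToEntra  = [bool]$match
            EntraUpn       = if ($match) { $match.UserPrincipalName } else { $null }
        }
    }
}

# Usage: the full report is the evidence artefact; any SyncedToEntra=True row is a finding.
$report = Test-PrivilegedSyncExclusion
$report | Format-Table -AutoSize
$violations = $report | Where-Object SyncedToEntra
if ($violations) {
    Write-Warning "ISM-1952 finding: $($violations.Count) privileged AD DS account(s) are synchronised to Entra ID"
    exit 1
}
```

Run it on the schedule the review policy sets (the tips above suggest quarterly) and retain the table output alongside the Entra Connect logs; a non-zero exit code makes it easy to wire into an existing compliance job.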

Cross-framework mappings

How ISM-1952 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

  Relationship: Partially meets (1)
  • Control: Annex A 8.2
    Notes: ISM-1952 requires that privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID to reduce the risk of...

E8

  Relationship: Supports (1)
  • Control: E8-RA-ML1.2
    Notes: ISM-1952 requires organisations to prevent synchronisation of privileged accounts between AD DS and Entra ID to avoid creating highly pri...
