ISM-1952 policy ASD Information Security Manual (ISM)

Prevent Synchronisation of Privileged Accounts

Ensure privileged accounts aren't synced between Microsoft AD DS and Entra ID for security reasons.


Plain language

This control means you should not let accounts with special access or powers be automatically copied between your local computer systems and Microsoft's cloud systems. Doing so is important because if someone gains unauthorised access to these powerful accounts, they could cause significant harm by accessing sensitive information or disrupting operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID.

Why it matters

Unauthorised sync of privileged accounts between AD DS and Entra ID could lead to compromised credentials and elevated risks of data breaches or operational disruptions.


Operational notes

Regularly audit account sync configurations to ensure privileged accounts remain unsynced, protecting against potential security cross-contamination.


Implementation tips

  • The IT team should identify which user accounts have special privileges. Do this by reviewing all user accounts in the local Microsoft Active Directory to see which ones have administrator access or other special roles.
  • The IT manager should ensure that these privileged accounts are not set to synchronise with Microsoft Entra ID. This can be achieved by configuring the synchronisation settings to exclude these accounts.
  • System administrators should create a policy to regularly review the list of privileged accounts. Set a schedule for these reviews, such as quarterly, and document any changes or updates.
  • The IT team should provide training to staff on the importance of this control. They can organise a workshop or briefing session to explain the risks involved with syncing privileged accounts.
  • Managers should perform regular checks to ensure this control is being followed. This can be done by reviewing synchronisation logs from the Entra Connect tool to verify they exclude privileged accounts.
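As an added example (not code from the Control Stack page or from Microsoft), the following PowerShell check supports the last two tips: it builds the on-premises privileged-account list from protected-group membership and the adminCount attribute, then asks Microsoft Graph which of those accounts exist as synchronised Entra ID users. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, a Graph session with User.Read.All, and that the $PrivilegedGroups list matches your own privileged-account definition.

```powershell
# Added audit script; not from the Control Stack page or from Microsoft.
# Reports on-premises privileged accounts that Entra Connect has synchronised into Entra ID.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

# Groups treated as privileged (assumption: extend to match your documented privileged-account list).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

function Get-OnPremPrivilegedUsers {
    $users = @{}
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, which is where overlooked admin accounts usually sit.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $users[$_.SID.Value] = $_.SamAccountName }
    }
    # adminCount=1 also catches accounts once protected by AdminSDHolder; the flag can be stale, so review hits manually.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        ForEach-Object { if (-not $users.ContainsKey($_.SID.Value)) { $users[$_.SID.Value] = $_.SamAccountName } }
    return $users   # SID string -> sAMAccountName
}

function Get-SyncedPrivilegedUsers {
    param([hashtable]$OnPremPrivileged)
    # Users synchronised from AD DS carry the source SID in onPremisesSecurityIdentifier.
    $synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
        -Property Id, UserPrincipalName, OnPremisesSecurityIdentifier, AccountEnabled
    foreach ($u in $synced) {
        if ($u.OnPremisesSecurityIdentifier -and $OnPremPrivileged.ContainsKey($u.OnPremisesSecurityIdentifier)) {
            [pscustomobject]@{
                SamAccountName    = $OnPremPrivileged[$u.OnPremisesSecurityIdentifier]
                UserPrincipalName = $u.UserPrincipalName
                EntraObjectId     = $u.Id
                AccountEnabled    = $u.AccountEnabled
            }
        }
    }
}

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$findings = @(Get-SyncedPrivilegedUsers -OnPremPrivileged (Get-OnPremPrivilegedUsers))
if ($findings.Count -gt 0) {
    Write-Warning "ISM-1952 exception: $($findings.Count) privileged AD DS account(s) are synchronised to Entra ID"
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No privileged AD DS accounts found within the Entra ID synchronisation scope.'
}
```

A non-empty result is an exception to raise with the IT manager and to fix in the Entra Connect filtering; an empty result is only as reliable as the privileged-group list, so reconcile that list during the scheduled review.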

Audit / evidence tips

  • Ask for: the list of all privileged user accounts. Request this list from the IT team to ensure there is a clear understanding of who has special access. Good evidence is: a clearly defined and current list of privileged accounts.
  • Ask for: synchronisation settings documentation. Request documentation showing how the synchronisation between AD DS and Entra ID is configured. Good evidence is: documentation showing the specific configurations that prevent the synchronisation of privileged accounts.
  • Ask for: recent synchronisation logs. These logs should be available from the Entra Connect tool. Good evidence is: logs showing that only non-privileged accounts are being synced.
  • Ask for: the policy on privileged account management. Request the written policy document regarding the management of privileged accounts, and confirm there are clear steps for managing and reviewing these accounts. Good evidence is: a detailed, current policy that addresses the exclusion of privileged accounts from syncing.
  • Ask for: records of training sessions. Request evidence that staff received training regarding the importance and operation of this control. Good evidence is: documentation showing who attended and the content covered.

Cross-framework mappings

How ISM-1952 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.2 (Partially meets)
Notes: ISM-1952 requires that privileged user accounts are not synchronised between Microsoft AD DS and Microsoft Entra ID to reduce the risk of...

E8

Control: E8-RA-ML1.2 (Supports)
Notes: ISM-1952 requires organisations to prevent synchronisation of privileged accounts between AD DS and Entra ID to avoid creating highly pri...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
