
CAF – B2.c Privileged User Management

This article provides additional information on how you can meet the requirement for the CAF control – B2.c Privileged User Management.

Controlling Privileged Access

  • Strict controls should be applied to privileged access for systems and services that support managed service operations.
  • Privileged activities should only be carried out using dedicated admin accounts, separate from day-to-day user accounts.
  • These accounts should be protected using:
    • multi-factor authentication (MFA)
    • conditional access policies
    • strong authentication through solutions such as Microsoft Entra ID, Okta or JumpCloud

Secure Administrative Devices

  • Privileged access should be restricted to hardened devices such as Privileged Access Workstations (PAWs) or devices managed through Intune, Datto RMM, NinjaOne or Jamf.

  • All privileged access paths (e.g. RDP, SSH, Azure Portal, hypervisor consoles) should be monitored and logged.

  • Privileged roles should be segregated to ensure no single individual has end-to-end control of critical systems without oversight.

Temporary and Third-Party Privileged Access

  • Temporary or time-bound privileged access should only be granted when necessary, using Just-in-Time (JIT) tools such as Microsoft PIM or Admin-by-Request.

  • Third-party support access should only be enabled when required, should be time-limited, and must be closely monitored.

Reviewing Privileged Roles

  • Privileged roles and access rights should be reviewed regularly.

  • Updates should be applied automatically as part of the joiners, movers and leavers process.

  • Access reviews should be carried out using tools such as Entra ID Access Reviews to ensure privileged rights remain appropriate.

Monitoring Privileged Activity

  • All privileged activity — including system configuration changes, administrative commands and remote access — should be logged and monitored using tools such as:
    • Microsoft Defender
    • SIEM / Sentinel
    • Splunk
    • Datto

  • Logs should be retained for offline review and used to support investigations and continuous improvement.
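As an added illustration of how the controls above can be checked against retained logs (example code written for this article, not taken from Sentinel, Splunk, Datto or any other tool named here), the script below walks a constructed set of privileged-activity audit lines and flags actions that break the B2.c expectations: a day-to-day account performing admin work, no MFA, a non-hardened device, or privileged use outside an active Just-in-Time grant. The key=value log format, the `.admin` naming convention and the `paw` device class are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed audit lines in a key=value form; the schema is an assumption
# for this example, not the real format of any SIEM or RMM product.
AUDIT_LOG = """\
ts=2024-05-01T09:00:00 user=alice.admin event=jit_activate role=GlobalAdmin minutes=60 mfa=yes device=paw
ts=2024-05-01T09:20:00 user=alice.admin event=config_change target=ConditionalAccessPolicy mfa=yes device=paw
ts=2024-05-01T10:30:00 user=alice.admin event=config_change target=FirewallRule mfa=yes device=paw
ts=2024-05-01T11:00:00 user=bob event=config_change target=DNSZone mfa=yes device=paw
ts=2024-05-01T11:05:00 user=carol.admin event=jit_activate role=ServerAdmin minutes=30 mfa=no device=laptop
ts=2024-05-01T11:10:00 user=carol.admin event=ssh_login target=db01 mfa=no device=laptop
"""

ADMIN_SUFFIX = ".admin"      # assumed naming convention for dedicated admin accounts
HARDENED_DEVICES = {"paw"}   # assumed device class for Privileged Access Workstations
PRIVILEGED_EVENTS = {"config_change", "ssh_login", "rdp_login"}

def parse(line):
    """Split one 'key=value key=value' audit line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def review_log(text):
    """Return {(user, ts): [findings]} for privileged actions that break B2.c controls."""
    grants = {}      # user -> expiry time of their current JIT grant
    findings = {}
    for line in text.splitlines():
        r = parse(line)
        ts = datetime.fromisoformat(r["ts"])
        if r["event"] == "jit_activate":
            # A time-bound grant: privileged use is expected only until it expires.
            grants[r["user"]] = ts + timedelta(minutes=int(r["minutes"]))
            continue
        if r["event"] not in PRIVILEGED_EVENTS:
            continue
        problems = []
        if not r["user"].endswith(ADMIN_SUFFIX):
            problems.append("day-to-day account used for privileged action")
        if r["mfa"] != "yes":
            problems.append("no MFA")
        if r["device"] not in HARDENED_DEVICES:
            problems.append("non-hardened device")
        expiry = grants.get(r["user"])
        if expiry is None:
            problems.append("no JIT grant (standing privilege)")
        elif ts > expiry:
            problems.append("JIT grant expired")
        if problems:
            findings[(r["user"], r["ts"])] = problems
    return findings
```

Running `review_log(AUDIT_LOG)` on the constructed sample leaves Alice's in-window change clean and reports three events: Alice's change after her grant expired, Bob's change from a standard account with no grant, and Carol's SSH login without MFA from an unmanaged laptop.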