Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers.
Why This Matters
When privileged users sign in with accounts synced from an on-premises directory or authenticated by a federated identity provider, a compromise of that environment cascades directly into Entra ID: whoever controls the on-premises directory or the sync server can set the synced user's password, and whoever holds a federation server's token-signing key can mint valid tokens for any federated user without knowing a password at all. The on-premises environment then becomes a single point of failure from which an attacker can pivot straight into cloud admin roles. Cloud-only accounts for privileged users keep those identities under Entra ID's control alone, which contains the blast radius of an on-premises breach and follows the zero trust principle of not letting one environment's security vouch for another.
What Aether365 Checks
Aether365 scans all Entra ID privileged role assignments and verifies that each assigned user has a cloud-only account, meaning one that is neither synced from an on-premises directory nor signs in through a federated domain. This check appears in your Aether365 dashboard under Entra ID checks with identifier CISA.MS.AAD.7.3.
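One way to implement the condition this check evaluates, as an added example that is not Aether365's code. The records below are constructed in the shape of Microsoft Graph user, domain and role-assignment objects, and the privileged-role list is an assumption for illustration, not the baseline's full list. A user fails if onPremisesSyncEnabled is true (synced from on-premises) or if the domain of their user principal name is federated, because a federated domain delegates sign-in to the external identity provider even when the user object itself was created in the cloud.

```python
"""Added example, not Aether365's code: evaluate the cloud-only condition
for privileged role holders over constructed Graph-style records."""

# Assumed privileged-role set for this example; a real check would use the
# baseline's own list of highly privileged roles.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "User Administrator",
}

# Constructed sample data shaped like Graph /users objects, keyed by object id.
# onPremisesSyncEnabled is tri-state in Graph: True = currently synced,
# False = was synced once but no longer is, None = never synced.
USERS = {
    "u1": {"userPrincipalName": "alice.admin@contoso.onmicrosoft.com",
           "onPremisesSyncEnabled": None},
    "u2": {"userPrincipalName": "bob@corp.contoso.com",
           "onPremisesSyncEnabled": True},
    "u3": {"userPrincipalName": "carol@fed.contoso.com",
           "onPremisesSyncEnabled": None},
    "u4": {"userPrincipalName": "dave@contoso.onmicrosoft.com",
           "onPremisesSyncEnabled": False},
}

# Constructed sample shaped like Graph /domains: id -> authenticationType.
DOMAINS = {
    "contoso.onmicrosoft.com": "Managed",
    "corp.contoso.com": "Managed",
    "fed.contoso.com": "Federated",
}

# Constructed role assignments: (role display name, principal id, principal type).
ASSIGNMENTS = [
    ("Global Administrator", "u1", "user"),
    ("Global Administrator", "u2", "user"),
    ("User Administrator", "u3", "user"),
    ("Privileged Role Administrator", "u4", "user"),
    ("Global Administrator", "sp1", "servicePrincipal"),
    ("Helpdesk Administrator", "u2", "user"),
]


def upn_domain(upn):
    """Return the lower-cased domain suffix of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def privileged_user_findings(assignments, users, domains,
                             privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per privileged assignment whose user is not cloud-only.

    Service principals and groups are skipped: the condition applies to user
    accounts. A finding records the role, the UPN and every failing reason.
    """
    findings = []
    for role, principal_id, principal_type in assignments:
        if role not in privileged_roles or principal_type != "user":
            continue
        user = users[principal_id]
        upn = user["userPrincipalName"]
        reasons = []
        # Only True means the account is currently mastered on-premises;
        # False (formerly synced) and None (never synced) are cloud-managed.
        if user.get("onPremisesSyncEnabled") is True:
            reasons.append("synced from on-premises directory")
        # A federated UPN domain hands authentication to the external IdP,
        # regardless of how the user object was created.
        domain = upn_domain(upn)
        if domains.get(domain) == "Federated":
            reasons.append(f"UPN domain {domain} is federated")
        if reasons:
            findings.append({"role": role, "upn": upn, "reasons": reasons})
    return findings


def check_passes(assignments, users, domains):
    """True when every privileged user assignment is cloud-only."""
    return not privileged_user_findings(assignments, users, domains)


if __name__ == "__main__":
    for finding in privileged_user_findings(ASSIGNMENTS, USERS, DOMAINS):
        print(f"{finding['role']}: {finding['upn']} -> "
              f"{'; '.join(finding['reasons'])}")
    print("PASS" if check_passes(ASSIGNMENTS, USERS, DOMAINS) else "FAIL")
```

In a real run the three inputs would come from Graph rather than literals: `/users` with `onPremisesSyncEnabled` selected, `/domains` for each domain's `authenticationType`, and `/roleManagement/directory/roleAssignments` for active assignments (and `roleEligibilityScheduleInstances` if PIM-eligible holders should be held to the same standard). The tri-state handling matters: treating every non-null value as "synced" would wrongly flag accounts that were deliberately converted to cloud-only, while treating None and False alike as cloud-managed is what the Graph semantics support.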