articles/active-directory/fundamentals/service-accounts-govern-on-premises.md

Lines changed: 8 additions & 12 deletions
@@ -45,7 +45,7 @@ When you create service accounts, consider the information in the following tabl
45
45
| Ownership| Ensure there's an account owner who requests and assumes responsibility |
46
46
| Scope| Define the scope, and anticipate usage duration|
47
47
| Purpose| Create service accounts for one purpose |
48
-
| Permissions | Apply the principle of least permission. To do so:<li>Don't assign permissions to built-in groups, such as administrators<li>Remove local machine permissions, where feasible<li>Tailor access, and use AD delegation for directory access<li>Use granular access permissions<li>Set account expiration and location restrictions on user-based service accounts |
48
+
| Permissions | Apply the principle of least permission:<li>Don't assign permissions to built-in groups, such as administrators<li>Remove local machine permissions, where feasible<li>Tailor access, and use AD delegation for directory access<li>Use granular access permissions<li>Set account expiration and location restrictions on user-based service accounts |
49
49
| Monitor and audit use| Monitor sign-in data, and ensure it matches the intended usage. Set alerts for anomalous usage. |
50
50
51
51
### User account restrictions
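Review bot: the reworded Permissions row (the `+` line) still says "Apply the principle of least permission:"; the established term is "least privilege", and since this sentence is being touched anyway the cell should read "Apply the principle of least privilege:". Dropping "To do so:" is fine, and the `<li>` items in the cell are unchanged.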
@@ -146,23 +146,19 @@ Consider the following restrictions, although some might not be relevant to your
146
146
Schedule regular service account reviews, especially those classified Medium and High Risk. Reviews can include:
147
147
148
148
* Owner attestation of the need for the account, with justification of permissions and scopes
149
-
* Privacy and security team reviews, that include upstream and downstream dependencies
149
+
* Privacy and security team reviews that include upstream and downstream dependencies
150
150
* Audit data review
151
-
* Ensure it's used for its stated purpose
151
+
* Ensure the account is used for its stated purpose
152
152
153
153
### Deprovision service accounts
154
154
155
-
In your deprovisioning process, first remove permissions and monitoring, and then remove the account, if appropriate.
155
+
Deprovision service accounts at the following junctures:
156
156
157
-
You deprovision service accounts when:
157
+
* Retirement of the script or application for which the service account was created
158
+
* Retirement of the script or application function, for which the service account was used
159
+
* Replacement of the service account for another
158
160
159
-
* The script or application that the service account was created for is retired.
160
-
161
-
* The function within the script or application, which the service account is used for (for example, access to a specific resource), is retired.
162
-
163
-
* The service account has been replaced with a different service account.
164
-
165
-
After you've removed all permissions, remove the account by doing the following:
161
+
When deprovisioning, first remove permissions and monitoring, and then remove the account, if needed. To remove the account:
166
162
167
163
1. When the associated application or script is deprovisioned, monitor the sign-ins and resource access for the associated service accounts to be sure that they're not being used in another process. If you're sure it's no longer needed, go to next step.
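Review bot: the relocated sentence "When deprovisioning, first remove permissions and monitoring, and then remove the account, if needed" now sits directly above step 1, which tells the reader to monitor the sign-ins and resource access of the account to confirm it is not used by another process; removing monitoring first makes that step impossible. Suggest "first remove permissions, keep monitoring in place until sign-in data confirms the account is idle, and then remove the account, if needed." Two smaller points in the new bullet list: "Replacement of the service account for another" should be "with another", and the concrete example "(for example, access to a specific resource)" from the deleted bullet is worth carrying over into the "script or application function" bullet, since it is what distinguishes that case from the first one.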