Ensure that every holder of a critical admin role has a separate account for administrative tasks, so that phishing and other attacks against a daily-use account cannot compromise administrative privileges. Create a separate admin account that is assigned only the privileges needed to perform the administrative tasks. Block the use of these administrative accounts for daily productivity tools such as Microsoft Office 365 email or arbitrary web browsing.
Emergency access accounts help organizations restrict privileged access in an existing cloud environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts can’t be used. Organizations must limit the emergency account’s usage to only the necessary amount of time. It is important that you prevent being inadvertently locked out of your cloud tenant because you can’t sign in or activate an existing individual user’s account as an administrator. You can mitigate the impact of an inadvertent loss of administrative access by creating two or more emergency access accounts in your tenant.
Turn on Azure AD Privileged Identity Management (PIM). After you turn on Privileged Identity Management, you receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.
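The two monitoring points above (any sign-in by an emergency access account, and any addition of a user to a highly privileged role) can be checked directly against exported log records. The following is an added example, not code from the original page or from Microsoft: the account names, role list and log records are constructed, and the record shape is only modelled loosely on Azure AD audit-log and sign-in-log fields.

```python
# Hypothetical break-glass account names and the roles worth alerting on (assumptions, not from the page).
EMERGENCY_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
HIGHLY_PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample records, shaped loosely after Azure AD audit-log and sign-in-log fields.
AUDIT_LOGS = [
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "alice-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "alice-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Reports Reader\""}]}]},
]
SIGNIN_LOGS = [
    {"userPrincipalName": "alice-admin@contoso.example", "createdDateTime": "2024-05-01T08:00:00Z"},
    {"userPrincipalName": "breakglass1@contoso.example", "createdDateTime": "2024-05-01T08:05:00Z"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T08:10:00Z"},
]


def _role_name(prop):
    # The audit log stores newValue as a JSON-encoded string (e.g. '"Global Administrator"'); strip the quoting.
    return str(prop.get("newValue", "")).strip('"')


def privileged_role_additions(audit_logs):
    """Return (actor, target, role) for every addition of a member to a highly privileged role."""
    hits = []
    for entry in audit_logs:
        if entry.get("activityDisplayName") != "Add member to role":
            continue
        actor = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in entry.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == "Role.DisplayName" and _role_name(prop) in HIGHLY_PRIVILEGED_ROLES:
                    hits.append((actor, target.get("userPrincipalName"), _role_name(prop)))
    return hits


def emergency_account_signins(signin_logs):
    """Every sign-in by a break-glass account is an alert: these accounts exist only for emergencies."""
    return [(e["userPrincipalName"], e["createdDateTime"])
            for e in signin_logs if e.get("userPrincipalName", "").lower() in EMERGENCY_ACCOUNTS]
```

Both functions return the matches rather than printing them so the result can feed an alerting pipeline; the PIM notification emails described above cover the role-addition case, and this check is a second, log-based line of sight on the same events.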