Hello,
We sync our Active Directory (2003 functional level) accounts from on premise to Azure AD.
On premise, we use role separation: standard user accounts for email, etc. (e.g. joe.bloggs) and admin accounts for admin tasks (e.g. admin.bloggs). The "admin." accounts have elevated privileges (including domain admin on premise).
We sync the standard accounts to Azure AD and, where appropriate, the admin accounts. We then give the "admin." account elevated privileges in Azure (including global admin if appropriate).
Is this best practice/a security risk?
I am wondering whether we should have 3 levels of account: standard user, on premise admin, and separate credentials again for Azure permissions. We don't sync passwords into Azure (all authentication occurs on premise).
Thanks
IT Support/Everything
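As an added example (not part of the original post), the following script lists every holder of the Global Administrator role in the tenant and reports whether each account is synced from on-premises AD or is cloud-only. It is the check that shows which of the synced "admin." accounts described above currently carry tenant-wide privileges, which is the population a separate set of cloud-only credentials would replace. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read directory roles and users; the role template ID used is the fixed, tenant-independent ID for Global Administrator.

```powershell
# Added example, not code from the original post. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can read
# directory roles and users.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# Global Administrator has the same role template ID in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can be users, groups or service principals; only users carry
    # the on-premises sync flag, so skip everything else.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesDistinguishedName

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Source            = if ($user.OnPremisesSyncEnabled) { 'Synced from on-prem AD' } else { 'Cloud-only' }
        OnPremDN          = $user.OnPremisesDistinguishedName
    }
}

$report | Sort-Object Source, UserPrincipalName | Format-Table -AutoSize

# A synced Global Administrator is an account where compromising the on-premises
# directory (for example a domain admin account) also yields control of the tenant.
$synced = @($report | Where-Object Source -eq 'Synced from on-prem AD')
Write-Host "$($synced.Count) of $($report.Count) Global Administrators are synced from on-premises AD"
```

Run it once before and once after moving Global Administrator onto cloud-only accounts; the target state is that the final count reads zero synced accounts, with the on-premises "admin." accounts keeping only the on-premises privileges they need.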