best practice for admin accounts in hybrid environment

we have an on prem infrastructure alongside O365 in a hybrid
currently we have our IT staff using just 1 account which has elevated privileges
They use this for logging onto their own machines and for providing support to end users and maintaining servers.
this account is synced to Azure AD
In Azure AD they have service rights for the cloud apps
To leave this more secure im thinking of reducing these accounts to a standard account and creating a new high privilege account for local infrastructure and cloud infrastructure.
What is best practice?
Should i go with

1 local standard account synced to 365 using a license
1 local admin account
1 cloud admin account shouldn't need a license for administration


1 local standard account synced to 365
1 local admin account synced to 365 using a license
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vasil Michev (MVP)Commented:
Best practice is to use separate, unprivileged accounts for your day to day work, and only use admin accounts when needed. Then again, Office 365 offers the Azure Privileged Identity Management Service, which can elevate a regular account as needed:

It does require Azure Premium license though.
btanExec ConsultantCommented:
Adopt the least privileged principle. Separated admin account for the same administrator also means more inconvenience as need to have different password to manage etc, but it is more secure in event one is compromised (provided it does not shared same password and proper review is done regularly across these account).
  1. Separate admin privileges from day-to-day accounts
  2. Deploy Multi-factor Authentication
  3. Deploy Azure AD Privileged Identity Management (PIM)
  4. Use admin account and password synchronization for your convenience
  5. Don’t use Microsoft Accounts
  6. Don’t federate admin accounts
  7. Assign admin accounts a separate UPN Suffix on-premises and/or in Azure AD

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.