E8 Guide | Restrict Administrative Privileges
This article explains how Devicie supports the administrative privilege restriction controls recommended by the ACSC Essential Eight.
Administrative accounts are a prime target for attackers, as they can be used to compromise entire systems and networks. Restricting the use of admin privileges reduces the risk of unauthorised changes, limits the spread of malicious activity, and supports a stronger security posture. The ACSC recommends separating admin and standard accounts, limiting admin access, and preventing unauthorised use. Devicie supports this strategy by providing policies to enforce role separation and limit local admin access.
What's Covered
Devicie supports the following controls related to administrative privilege restriction:
- Enforcing separate accounts for administrative and standard user activities.
- Preventing unprivileged accounts from logging into privileged environments.
- Removing unnecessary local administrator rights from user accounts.
- Providing Intune-delivered policies to enforce administrative restrictions.
What’s Not Covered
The following areas are outside Devicie’s scope and remain the responsibility of the customer:
- Identifying which users require privileged accounts.
- Assigning or approving privileged roles in Microsoft Entra ID or other identity providers.
- Conducting regular reviews of privileged access and maintaining authorisation records.
- Monitoring privileged account activity — Devicie does not provide real-time privilege use alerts or SIEM integration.
Potential Impact and Callouts
When implementing this Essential Eight mitigation strategy, it's important to understand the impacts on your environment and end users so that you can better plan your change processes.
- Removing admin rights may block the installation or configuration of applications unless approved and packaged centrally.
- User training may be required to adjust to working without local admin rights.
- Careful planning is needed to avoid service disruptions when changing admin access controls.
Devicie Delivered Controls
| ML1 | ML2 | ML3 |
| --- | --- | --- |
| Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. | Administrative activities are conducted through jump servers. | Credential Guard functionality is enabled. |
| Privileged users use separate privileged and unprivileged operating environments. | Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed. | Just-in-time administration is used for administering systems and applications. |
| Unprivileged accounts cannot logon to privileged operating environments. | Privileged access events are centrally logged. | Local Security Authority protection functionality is enabled. |
| | Privileged account and group management events are centrally logged. | Memory integrity functionality is enabled. |
| | Privileged operating environments are not virtualised within unprivileged operating environments. | Remote Credential Guard functionality is enabled. |
| | | Secure Admin Workstations are used in the performance of administrative activities. |
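As an added example (not Devicie's own code or policy), the following PowerShell script checks a Windows endpoint for three of the controls listed above: local Administrators group membership against an allow-list, Local Security Authority protection, and Credential Guard plus memory integrity. The allow-list entries are constructed placeholders to replace with your own; the registry value and WMI class are the standard Windows locations, and the script must run in an elevated session.

```powershell
# Added example, not Devicie's code: audit a device for three Restrict
# Administrative Privileges controls and return a list of findings.
# $ApprovedAdmins is a constructed allow-list; replace it with your own
# approved principals (the built-in account name assumes it was not renamed).
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin, ideally LAPS-managed
    'CONTOSO\Tier0-Workstation-Admins'   # constructed example of an approved group
)

function Get-PrivilegeFindings {
    $findings = @()

    # 1. Local Administrators group: any member not on the allow-list is a finding
    #    (supports "Removing unnecessary local administrator rights from user accounts").
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += "Unexpected local admin: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
        }
    }

    # 2. LSA protection: RunAsPPL = 1 or 2 means lsass.exe runs as a protected process
    #    (ML3 control "Local Security Authority protection functionality is enabled").
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RunAsPPL -lt 1) {
        $findings += 'LSA protection (RunAsPPL) is not enabled'
    }

    # 3. Device Guard status: SecurityServicesRunning contains 1 when Credential Guard
    #    is running and 2 when memory integrity (HVCI) is running (both ML3 controls).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    if ($dg.SecurityServicesRunning -notcontains 1) { $findings += 'Credential Guard is not running' }
    if ($dg.SecurityServicesRunning -notcontains 2) { $findings += 'Memory integrity (HVCI) is not running' }

    return $findings
}

$result = Get-PrivilegeFindings
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Feed the output to whatever reporting you already use for device compliance; the script only reports and changes nothing on the device.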
Customer Responsibility
| ML1 | ML2 | ML3 |
| --- | --- | --- |
| Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services. | Privileged access to systems and applications is disabled after 45 days of inactivity. | Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties. |
| Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties. | Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated. | |
| Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access. | | |
| Requests for privileged access to systems, applications and data repositories are validated when first requested. | | |
💡 Tip: Use the Devicie Essential Eight report to view all controls broken down by strategy, maturity level and responsibility.