3.1.6 — Two Hats, Two Accounts

The One-Liner

If your sysadmin browses Reddit with a domain admin account, one bad click gives an attacker the keys to everything.

What It Says

Use non-privileged accounts or roles when accessing nonsecurity functions.

What It Actually Means

Simple rule: admins have two accounts.

Account 1: Regular user account. For email, web browsing, Teams, documents — everything that isn’t system administration.

Account 2: Admin account. Only used when performing admin tasks — configuring systems, managing accounts, changing security settings.

Why? If an admin clicks a phishing link while browsing with a domain admin account, the attacker gets domain admin. If they’re using their regular account, the attacker gets a standard user — annoying, but containable.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are nonsecurity functions identified?	You’ve defined which tasks don’t need elevated access
2	Do admins use non-privileged accounts for those functions?	They actually switch accounts — and you can prove it

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, least privilege procedures, system security plan, list of security functions assigned to privileged accounts, system configuration, audit logs

People they’ll talk to: Personnel defining least privilege, security staff, sysadmins

Live demos they’ll ask for: “Show me that your admin uses a separate account for email and browsing.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are nonsecurity functions and non-privileged roles defined?”
• “How do you verify that admins only use privileged accounts for security functions?”
• “Can you show me that admin accounts are separate from daily-use accounts?”

Real-World Example

The IT manager has two Entra ID accounts: jsmith@company.com (regular) and jsmith-admin@company.com (privileged). Conditional Access policies restrict the admin account to specific admin portals only — it can’t access email, Teams, or browse the web. The regular account has no admin permissions. Audit logs show the admin account is only used for system administration tasks.

---

Where Companies Trip Up

One account for everything. Admins using their privileged account to check email, browse the web, and do admin work. Most common failure.

No enforcement. Policy says use separate accounts but nothing stops the admin from using the privileged one for everything.

Shared admin accounts. Multiple people logging in as “admin” — impossible to trace actions to individuals.

---

How to Talk About This

To a CEO or Board

Our admins have two accounts — one for everyday work, one for administration. If their everyday session is compromised, the attacker gets a regular user account, not the keys to the kingdom.

To an Engineering Team

Separate admin accounts with -admin suffix. Conditional Access restricts admin accounts to admin portals only. PIM for just-in-time elevation. Regular accounts have zero admin permissions.

---

Connected Requirements

Requirement	Why it matters here
3.1.5 — Minimum Necessary	The principle behind minimum access
3.1.7 — Log the Admin Work	Logs when admin functions are executed
3.3.2 — Trace Every Action	Tracing actions to individuals

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.6 | SPRS Weight: 1 point | POA&M Eligible: Yes