51 Privileged Access Workstation for admins
A dedicated, hardened device from which admins do all Admin Console and Cloud Console work, so a privileged session never lives on the same machine that reads mail and browses the web. On its own it is only a convention; the enforcement half is a device-bound Context-Aware Access level that only the PAW can satisfy, configured in 14 Basic Context-Aware Access (IP/geo) and 27 Device-trust CAA via MDM.
Documentation: Security best practices for administrator accounts ↗ · Protect your business with Context-Aware Access ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- automatable: script Keep the PAW patched and its allowed-software image current.
- requires a human Quarterly: attest the PAW is still used exclusively for admin work and holds no browsing profile.
How to verify
Search the login audit log for the admin accounts and check every session originates from the PAW’s egress IP — an admin session from a daily-driver machine is the finding.
v0.0.3Preventedition All (CAA gating: Ent/Edu/Frontline Std+, Ent Essentials Plus) policy #4 · #25 ↗