Shared Admin Accounts and Cyber Essentials: Why They Fail and How to Fix Them

Shared admin accounts are one of the most common Cyber Essentials failures. The requirement is clear: every user must have their own individual account, with no shared logins and no "[email protected]" that three people know the password to.
It sounds simple enough to fix on paper. In practice, shared admin accounts have accumulated in most businesses over years. The account that was set up when the company started. The generic IT account the managed service provider uses. The "office" account that runs the shared printer. Cleaning them up takes more thought than you'd expect.
What the requirement says
The Cyber Essentials user access control requirement covers several specific points about accounts:
- Every user must have their own individual account
- Administrative accounts must only be used for administrative tasks
- Users must authenticate before they're granted access to devices and services
- Accounts must be removed or disabled when no longer required
- MFA must be enabled where available (mandatory on cloud services)
Shared accounts violate the first point. If two people use the same account, you can't track who did what, you can't revoke one person's access without affecting the other, and you can't enforce individual MFA.
Why businesses end up with shared admin accounts
Nobody sets out to have shared admin accounts, but they accumulate over time.
The original setup account. When someone set up your Microsoft 365 tenant or your website hosting, they created an admin account. That account has been shared between the business owner, the IT person, and possibly the web developer ever since. Nobody created individual admin accounts because the original one worked fine.
The MSP account. Your managed service provider uses a shared account to manage your systems. It might be called "[email protected]" or "netsec-admin" or something similar. Multiple technicians at the MSP know the credentials.
The generic service account. "[email protected]" that manages the shared printer. "[email protected]" that runs the accounting software. "[email protected]" that has admin access to the website CMS. These accounts get shared because they belong to a function, not a person.
The "just in case" account. An admin account that was set up so someone could log in if the main admin was unavailable. The password was written on a sticky note, shared with two people, and never changed.
All of these fail the Cyber Essentials assessment. The assessor will ask you to list your admin accounts, explain who uses each one, and confirm that each account is used by one person only.
How to fix shared admin accounts
Step 1: Audit every admin account
Go through every system, platform, and service your organisation uses. For each one, list:
- Every account with admin or elevated privileges
- Who knows the credentials
- What the account is used for
- Whether it's used by one person or shared
Be thorough with this audit, and check Microsoft 365 (or Google Workspace), your website CMS, your accounting software, your CRM, your router admin panels, your printer management, any server admin accounts, and any other platform where someone has elevated access.
Step 2: Create individual admin accounts
For every person who needs admin access, create their own individual admin account. Use a naming convention that makes it obvious it's an admin account: "[email protected]" or "[email protected]".
Each admin account should:
- Be named to identify the individual user
- Have its own unique password
- Have MFA enabled
- Be separate from that person's daily account
The person should use their normal account ("[email protected]") for email, browsing, and daily work. They switch to their admin account only when performing admin tasks. This limits the damage if either account is compromised.
Step 3: Handle service accounts properly
Some accounts genuinely aren't tied to a person. The account that runs automated backups, or the service account that connects two systems together. These are service accounts, not user accounts.
Service accounts are acceptable in the CE framework, but they need to be:
- Documented (what the account does and why it exists)
- Secured with a strong unique password
- Not used interactively by humans
- Reviewed regularly to confirm they're still needed
The key distinction: a service account runs an automated process, while a shared account is used by multiple humans. The first is acceptable with proper controls, but the second isn't.
Step 4: Handle MSP access
If your managed service provider accesses your systems, each technician at the MSP who has access should have their own individual account. A shared "msp-admin" account that five different technicians use is a shared admin account and fails the assessment.
Most modern MSP tools support individual technician accounts with audit logging. If your MSP is using a shared account, ask them to set up individual accounts. If they can't or won't, that's a conversation worth having about whether they're the right provider.
Step 5: Disable what you don't need
Once individual accounts are in place, disable the old shared accounts. Don't just change the password and leave them active; disable them entirely.
If a shared account was the original global admin for a service, transfer the global admin role to an individual account first, then disable the shared one. Check that no automated processes depend on the shared account before you disable it.
Step 6: Document everything
The assessor will ask about your admin accounts. Have a list ready:
| Account | Platform | Used by | Purpose | MFA |
|---|---|---|---|---|
| admin-daniel | Microsoft 365 | Daniel Phillips | Global admin | Yes |
| admin-sarah | Microsoft 365 | Sarah Jones | User admin | Yes |
| backup-svc | Azure | Automated | Backup service | N/A (service account) |
This table takes 10 minutes to create and saves significant time during the assessment.
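As an added example (not code from the article), a small Python self-check over an admin account list in the table layout above. It applies the rules from Steps 2 and 3: each admin account belongs to exactly one named person and has MFA, and service accounts are automated rather than logged into by people. The sample rows are constructed; two of them are deliberately wrong.

```python
import re

# Constructed sample in the article's table layout. "admin" lists two users,
# "admin-sarah" lacks MFA, and "office" is a "service account" a person uses.
INVENTORY = """\
| Account | Platform | Used by | Purpose | MFA |
|---|---|---|---|---|
| admin-daniel | Microsoft 365 | Daniel Phillips | Global admin | Yes |
| admin-sarah | Microsoft 365 | Sarah Jones | User admin | No |
| admin | Website CMS | Daniel Phillips, web developer | CMS admin | Yes |
| backup-svc | Azure | Automated | Backup service | N/A (service account) |
| office | Printer management | Reception | Printer admin | N/A (service account) |
"""

# Wording in "Used by" that indicates more than one human behind the account.
SHARED_HINTS = re.compile(r",|/|\band\b|\bshared\b|\bteam\b|\bseveral\b", re.I)


def parse_inventory(text):
    """Turn the markdown table into a list of dicts keyed by column header."""
    lines = [l for l in text.strip().splitlines() if l.startswith("|")]
    header = [h.strip() for h in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[2:]:  # skip header and |---| separator
        cells = [c.strip() for c in line.strip("|").split("|")]
        rows.append(dict(zip(header, cells)))
    return rows


def check_inventory(text):
    """Return (account, problem) pairs that an assessor would pick up."""
    findings = []
    for r in parse_inventory(text):
        acct, used_by, mfa = r["Account"], r["Used by"], r["MFA"]
        if "service account" in mfa.lower():
            # Service accounts are fine only if nobody uses them interactively.
            if used_by.lower() != "automated":
                findings.append((acct, "service account used by a person"))
            continue
        if SHARED_HINTS.search(used_by):
            findings.append((acct, "more than one person listed: shared account"))
        if mfa.lower() != "yes":
            findings.append((acct, "admin account without MFA"))
    return findings
```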
The MFA requirement for admin accounts
Every admin account on a cloud service must have MFA enabled. Under Danzell, this is expected to be an automatic failure criterion with no assessor discretion.
For local admin accounts (admin access on a device or an on-premises server), MFA should be enabled where the system supports it, and most modern systems do. Windows supports MFA through various methods, and Linux supports it through PAM modules. If a system genuinely doesn't support MFA for admin access, document that fact.
Admin accounts are the highest-value targets for attackers. MFA on admin accounts isn't just a CE requirement. It's the single most effective thing you can do to protect your systems from compromise.
Break-glass accounts
An emergency access account (sometimes called a break-glass account) is an admin account that's only used when all other admin accounts are locked out, serving as a safety net for worst-case scenarios.
Break-glass accounts are acceptable for CE purposes, but they need careful handling:
- Strong, unique password (at least 16 characters)
- Password stored securely (sealed envelope in a safe, encrypted password manager)
- MFA enabled but with a separate, securely stored recovery method
- Usage monitored and alerted
- Never used for routine administration
If you have a break-glass account, document it in your admin account list and explain its purpose to the assessor.
Common assessment questions about admin accounts
"How many admin accounts should we have?" As few as you need. Only people who genuinely need admin access should have admin accounts. For a small business, two or three is typical. For larger organisations, it scales with the number of people who perform admin tasks.
"Can our IT director use their normal account for admin tasks?" No. Admin tasks should use a separate admin account. Using a daily account for admin work means that if the daily account is compromised through a phishing email, the attacker gains admin access.
"What if we have a contractor who needs temporary admin access?" Create an individual account for the contractor, set an expiry date, and disable it when their work is complete. Don't give them access to a shared account "just for now."
"Do we need to track admin account usage?" The CE requirements don't mandate audit logging of admin actions, but it's good practice and it helps you demonstrate to the assessor that admin accounts are properly managed. Most cloud platforms log admin activity by default.
"What about the account we use for social media?" Under Danzell, social media accounts managed with business credentials are in scope. If your company LinkedIn page is managed from a shared "[email protected]" account, that needs to be an individual account with MFA. If multiple people manage the page, each person needs their own login to the social media platform's business tools.
What assessors actually look for
The assessment doesn't just ask whether you have shared accounts; it checks the evidence behind your answers. An assessor reviewing your Microsoft 365 tenant can see every account, when it was created, who last logged in, and whether MFA is active. If there's an account called "[email protected]" with sign-ins from three different IP addresses in the same week, that's clearly shared. The audit trail makes it obvious to any assessor.
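The sign-in pattern just described can be checked before the assessor does it. This added Python example (not part of the article) reads constructed sign-in records and flags any account that used more than two distinct source IPs inside a rolling seven-day window, which is the "three IPs in the same week" signal above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: "account,timestamp,source_ip". The generic
# "admin" account is used from three networks in one week; "admin-sarah"
# also hits three IPs in total, but not within any single seven-day window.
SIGN_INS = """\
admin,2025-03-03T08:12:00,203.0.113.10
admin,2025-03-04T09:40:00,198.51.100.7
admin,2025-03-06T17:05:00,192.0.2.44
admin-daniel,2025-03-03T08:15:00,203.0.113.10
admin-daniel,2025-03-10T08:30:00,203.0.113.10
admin-sarah,2025-03-01T10:00:00,198.51.100.7
admin-sarah,2025-03-20T10:00:00,192.0.2.44
admin-sarah,2025-03-21T10:00:00,192.0.2.45
"""


def parse_sign_ins(text):
    """Group (timestamp, ip) events per account."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        account, ts, ip = line.split(",")
        events[account].append((datetime.fromisoformat(ts), ip))
    return events


def likely_shared(text, max_ips=2, window=timedelta(days=7)):
    """Accounts seen from more than max_ips distinct IPs inside any window.

    Returns {account: sorted list of IPs in the first window that trips it}.
    """
    flagged = {}
    for account, evs in parse_sign_ins(text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # All events from this one forward that fall inside the window.
            ips = {ip for t, ip in evs[i:] if t - start <= window}
            if len(ips) > max_ips:
                flagged[account] = sorted(ips)
                break
    return flagged
```

Treat a flag as a prompt to ask who uses the account rather than proof: VPNs, mobile connections and NAT can also give one legitimate user several IPs in a week.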
For CE Plus, the assessor may ask to see your admin account list during the technical audit. Having the table ready (account name, platform, assigned user, purpose, MFA status) makes this quick. Not having it means the assessor has to dig through each platform manually, which takes longer and often surfaces things you'd rather have fixed first.
One pattern that comes up repeatedly: the original admin account created when the Microsoft 365 tenant was set up years ago. It's usually called something generic like "admin@" or "office@". Three people know the password and nobody remembers which one set it up. That account needs splitting into individual accounts before the assessment, and the original needs disabling.
When your IT provider is the problem
This is more common than most businesses realise. Your managed service provider accesses your systems through admin accounts. If they're using a shared "[email protected]" account that five different engineers log into, your assessment has a shared admin account problem, and it's not even your account (in line with the April 2025 segmentation advisory).
The fix is straightforward but requires your MSP to cooperate. Each engineer who accesses your systems needs their own named account with MFA. Modern remote management tools like ConnectWise, Datto, and NinjaOne all support individual technician accounts with full audit trails. If your MSP can't provide individual accounts, that's a red flag beyond just CE compliance.
Ask your MSP before the assessment: "How many people at your end can access our systems, and does each one have their own account?" If the answer involves hesitation or the phrase "we use a shared account for efficiency," you've found a problem that needs fixing.
What I see in assessments
The shared admin account problem is almost universal in businesses under 50 staff. In over 800 certifications, I'd estimate 70% of first-time applicants have at least one shared admin account they haven't thought about.
The pattern is predictable across organisations of all sizes. The original Microsoft 365 tenant was set up by someone who's since left. The admin credentials got passed to the current IT person, who shared them with the director "just in case." Nobody created proper individual admin accounts because the shared one worked and nobody knew it was a compliance issue.
The conversation usually goes like this: I ask who has admin access, and they name one or two people. Then I ask about the original setup account, and there's a silence. Then someone says "oh, that old admin account? Yeah, I think a few of us know the password."
Fixing it takes about 30 minutes for most small businesses. Create the individual accounts, transfer the global admin role, disable the shared one. The technical work itself is trivial to complete. The hard part is remembering to do it and being honest about which accounts are actually shared.
The other thing I check during assessments: accounts for people who've left. "Does anyone who's left the company still have an active account?" The answer is supposed to be no. But when we check the admin console, there's usually at least one leaver's account still active, sometimes with admin privileges still attached. That's a user access control failure independent of the shared account issue, but they often go together.
The quick fix
If you're reading this a week before your assessment and you've got shared admin accounts everywhere, here's the priority order. Create individual admin accounts on your main cloud platform first (Microsoft 365 or Google Workspace). Enable MFA on each one, then disable the shared accounts, and then work through your other services. The cloud platform admin accounts are the ones the assessor will check first, and they're the highest risk if compromised.