Office 365 Global Admin Best Practices – Part One

You can download the full Office 365 Global Admin Best Practices guide PDF here. 

In the wake of COVID-19, there has been an international surge in Office 365 user adoption. Organizations have largely seen positive outcomes from increased utilization, effectively facilitating home working and remote collaboration. However, ‘Office 365 Global Admin best practices’ has become one of the most popular Microsoft-related search terms on the internet, as GAs look to get to grips with their new, expanded environments.

Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA) recently raised concerns that during the haste to deploy cloud services there have been oversights in security configurations, stating: “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.”

Highly privileged accounts in any environment require eagle-eyed scrutiny. As an Office 365 tenant owner, you must take active steps to secure and mitigate security risks for all Global Administrator (GA) accounts. In this article, we’ll take a deeper dive into the best practices you should consider when securing environments, and delegating access and control.

To get started, here are my recommended best practices for managing GA accounts:

Checklist of Office 365 Global Admin Best Practices

Dedicated Office 365 Global Admin (GA) accounts

For IT admins which need high-level administrative actions, you should create a separate, dedicated account. Before we get started, there are some absolute ground rules you must stick to when managing Office 365 global admin accounts:

• Do NOT assign the Global Admin (GA) role to everyday user accounts
• Do NOT use a shared or generic account between your IT team

This practice provides better transparency in audit logs and reduces the organizational risk if your user account is ever compromised. Another important aspect is managing IT staff turnover and GA lifecycle management. Disabling an account is fairly simple, but this step can be missed or overlooked.

To reduce the risk of a loss of access, you may want to create these accounts on a non-federated domain. Federated domains are also supported for GA accounts, but you may find using the default *.onmicrosoft.com domain as a good option for highly privileged accounts.

Create two to four dedicated GA accounts

It’s never good to have a single point of failure in any environment, so a minimum of two accounts is wise. Beware though, a global admin has almost unlimited access in the tenant, and with the rise of insider attacks, these extra accounts pose a security threat. Therefore, the current recommendation is to only allow four global admins in the tenant.

Questions should also be asked about granting access to high privileged accounts:

• Do these individuals have the required skills to be trusted with this level of access?
• Do they exhibit reckless behavior?
• Would you consider them a long-term employee?

In this scenario, every organization arrives at decisions differently, some will have stricter guidelines than others, but it’s something you need to bear in mind.

For the administrators that fall over the ‘four-limit rule’, the current recommendation is to assign individual administrative roles to these users, enabling them to complete their required support activities, or alternatively enable Privileged Identity Management, which we’ll discuss later in this guide.

Service Principals and Automation Scripts

Instead of having your sign-in for scripts and applications set to full privileged users, a best practice is to use Azure Service Principals wherever possible and apply the principle of least privilege. Employing this model grants access to what is needed, and therefore reduces the scope from attackers.

Where Azure Service Principals can’t be deployed, you may consider converting your scripts to call the Graph API directly or, at a minimum, use a more restrictive administrative role instead of a GA.

Enforce Multi-Factor Authentication

At an Ignite event, Microsoft stated that MFA reduces the risk of compromise by 99.9%. So without a doubt Admins should be required to use MFA to sign in. Currently, Microsoft recommends the following authentication methods:

• The Microsoft Authenticator app
• A smart card (virtual or physical)
• A phone call
• A randomly generated verification code sent through a text message

Another recommended option is the use of passwordless authentication, which is considered more convenient and secure. In this scenario, global admins are created with a long and unknown password, and also use two other factors such as a FIDO key and the Authenticator app.

Information routed over a publicly switched telephone network is not always secure. The authentication methods of phone calls and SMS have been downgraded by the NIST* to a level of RESTRICTED, stating “Some authenticators become less reliable… including phone and SMS,” and they encourage each organization to “assess, understand, and accept the risk associated with that authenticator.”

Microsoft may change the recommended factor types for GA accounts in the future, but until then, consider following the advice provided by the NIST. Here, you can either disable phone and SMS authentication methods or understand the risk involved for highly privileged accounts.

You are currently unable to disable MFA factor types for specific users, thus if you’re unwilling to disable these factors for the whole tenant you may prefer to speak to each privileged account holder and request that they do not use the phone and SMS.

*National Institute of Standards and Technology (NIST) Is a U.S. Government Department. Many of the password and account recommendations from the NIST have been adopted by Microsoft and recommended to customers as part of its own guidance. 

In the next installment of this series, we’ll take a closer look at best practices for securing passwords, emergency access accounts, and Privileged Identity Management (PIM). In the meantime, if you’re looking for effective ways of managing your Office 365 environment as a global admin, Nova’s advanced Office 365 reporting software allows you to monitor the usage of your whole environment, with comprehensive dashboarding and customizable reports to give you insights into the specific areas you’re looking for. Get in touch here to find out more.

Joshua Bines

Joshua is a Freelance Technical Consultant providing specialized professional services to support Office 365. Forever a tech enthusiast, his focus is developing critical skills to solve complex problems and helping others, ‘get stuff done!’ His pleasure is speaking at events, digging deep into technical topics, and sharing learned knowledge with fellow engineers.