Office 365 Global Admin Best Practices – Part Two
Download the full Office 365 Global Admin Best Practices guide PDF here.
In Part One of this series on Office 365 Global Admin Best Practices, we looked at the essential checklist and security best practices. In the second installment, we’ll take a closer look at passwords, Privileged Identity Management, Privileged Access Workstation, Managed Devices, and Approved Locations, and more.
Use a unique password
Microsoft reports that it sees over 10 million username and password pair attacks every day. This highlights how a weak or reused password on a GA account can lead to a major security breach. When choosing a password, meet at least these basic requirements:
- Use a complex password at least 12 characters long
- Do not use common words or predictable variations such as Password1! (or l33t speak)
- Do not reuse the password for any other service
Store passwords securely
With the above in mind, a secure password manager can hold these long, unique passwords, removing the need to memorize them and reducing typing errors.
If a password manager isn't an option, discuss with the GA how these passwords can be stored, if at all. It may make more sense to choose a less complex but longer passphrase that is easy to remember, and set the password to never expire.
Reconsider the password expiry
Microsoft no longer recommends enforcing a password expiry for users; instead, passwords should be changed when indicators of compromise are detected. So do the same recommendations apply to Global Administrator accounts?
The NIST recommendations we previously discussed also apply to your administrative accounts. Microsoft does not mandate this for GA accounts, so organizations can review their current password policies and adapt them to whatever suits their needs without contradicting the guidance.
Remember that users and administrators are human, so passwords are sadly often stored in insecure places or transmitted in insecure ways that are vulnerable to attack. A security framework must rest on more than password expiry.
Create at least two emergency access accounts
It’s important not to be accidentally locked out of your own tenant, which can happen for a number of reasons. You may, for example, experience an MFA problem that affects GA accounts and therefore the administration of Office 365, and it is critical to restore administrative access rapidly. This is where previously created emergency access or “break glass” accounts come in.
Creating GA emergency access accounts may look like a relatively simple process, but more is involved than creating the accounts and forgetting they ever existed.
These emergency access accounts should meet the following requirements:
- Create cloud-only accounts that use the *.onmicrosoft.com domain.
- Use strong passwords: at least 16 characters long and randomly generated.
- Set the password, credential or device authentication to never expire.
- Assign the Global Administrator role to the accounts and, if using PIM, make the assignment permanent.
- Do not associate the accounts with any individual in the organization. For example, avoid registering MFA on the account against an employee-supplied phone or a hardware token that travels with staff.
- At least one account should use a different MFA provider from your other administrative accounts. If using Azure MFA, license the accounts and enable the use of custom controls.
- At least one account should be excluded from all Conditional Access policies.
- At least one account should be excluded from the Identity Protection user risk and sign-in risk policies.
- Enable alerting on the sign-in logs so that any sign-in by these accounts triggers email and SMS alerts.
- Split the password into two or three parts and store them in secure fireproof safes in separate locations.
- Complete the account validation procedure every 90 days, and whenever IT staff or the Azure AD subscription changes.
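The following Microsoft Graph PowerShell script is an added example, not code from the original article or from Microsoft. It creates two cloud-only emergency access accounts with cryptographically random 24-character passwords that never expire, gives them a permanent active Global Administrator assignment, and then checks whether at least one of them is excluded from every Conditional Access policy. The tenant domain, account names and alphabet are placeholders; it assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the listed scopes.

```powershell
# Added example: create and sanity-check emergency access ("break glass") accounts.
# Run this from a privileged access workstation, not an everyday machine.
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Policy.Read.All"

$tenantDomain = "contoso.onmicrosoft.com"   # placeholder: your own *.onmicrosoft.com domain
$accounts     = @("breakglass1", "breakglass2")

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols so that 256 mod 64 == 0: mapping a random byte onto the alphabet
    # with a modulus introduces no bias. The alphabet is a placeholder choice.
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_')
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# The Global Administrator directory role must be activated in the tenant before
# members can be added; Get-MgDirectoryRole only returns activated roles.
$gaTemplate = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Global Administrator"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($gaTemplate.Id)'"
if (-not $gaRole) { $gaRole = New-MgDirectoryRole -RoleTemplateId $gaTemplate.Id }

foreach ($name in $accounts) {
    $upn      = "$name@$tenantDomain"
    $password = New-RandomPassword -Length 24
    # Cloud-only account: created directly in Azure AD, never synchronized from on-premises.
    $user = New-MgUser -DisplayName "Emergency Access $name" `
        -UserPrincipalName $upn -MailNickname $name -AccountEnabled `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
        -PasswordPolicies "DisablePasswordExpiration"
    # Permanent, active Global Administrator assignment (shown as "permanent" in PIM).
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }
    # Shown once so it can be split and placed in the safes; never paste it into a ticket or chat.
    Write-Host "$upn  password: $password"
}

# Validation step: at least one account must be excluded from every Conditional Access policy.
$ids      = @($accounts | ForEach-Object { (Get-MgUser -UserId "$_@$tenantDomain").Id })
$policies = Get-MgIdentityConditionalAccessPolicy
$fullyExcluded = foreach ($id in $ids) {
    $missing = $policies | Where-Object { @($_.Conditions.Users.ExcludeUsers) -notcontains $id }
    if (-not $missing) { $id }
}
if (-not $fullyExcluded) {
    Write-Warning "No emergency access account is excluded from every Conditional Access policy"
} else {
    Write-Host "Excluded from all CA policies: $($fullyExcluded -join ', ')"
}
```

The validation half of the script is the part worth re-running every 90 days: the first half is a one-off, but a new Conditional Access policy created without the exclusion silently breaks the break-glass guarantee.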
Privileged Identity Management (PIM)
As the name indicates, PIM manages privileged accounts. To understand how it works, consider a prison. Everyone who enters and leaves a prison is logged and recorded, a guard doesn’t carry all the keys at once, and certain areas can only be opened by two guards together. PIM applies the same methodologies: least privilege and just-in-time (JIT) access. Administrators should have only the level of access needed to complete the task at hand, and that access is granted for a limited time.
With these principles in mind, you should consider the following recommendations for a deployment of PIM:
- Only emergency access accounts should be permanently active.
- Eligible global administrators should not be allowed to approve their own activations.
- Require MFA and an incident ticket number on activation.
- Choose a short activation duration. Microsoft defaults to 1 hour, but it can be changed.
- Where possible, use granular administrative roles instead of the Global Administrator role.
- Choose approvers who know the specific role and its regular users best.
- Balance usage patterns against approver load. Too many routine approval requests erode the scrutiny approvers apply, which could let a bad actor’s request through.
- Enable recurring access reviews every quarter for all Azure AD roles.
- Review all audit events weekly and export them monthly.
- Retain the audit events for longer by streaming them to Azure Monitor logs.
- Regularly review the PIM alerts and fix the underlying issues. Respond immediately to alerts marked high severity.
- Add a secondary email address for all accounts with privileged role assignments.
The use of PIM is highly encouraged and a key tool for protecting highly privileged accounts. Beware, though, that each administrative account managed by PIM requires an Azure AD Premium P2 license.
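To show what just-in-time activation looks like in practice, here is an added example (not code from the original article or from Microsoft) in which an eligible administrator activates the Global Administrator role through PIM with Microsoft Graph PowerShell, supplying the MFA-backed session, a justification and a ticket reference, and requesting only a one-hour window. The ticket number, ticket system and justification text are placeholders; it assumes the signed-in user already holds an eligible assignment and that the tenant has Azure AD Premium P2.

```powershell
# Added example: self-activate an eligible Global Administrator assignment via PIM.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read"

# The signed-in account is the principal being activated ("selfActivate" only works for yourself).
$me    = Get-MgUser -UserId (Get-MgContext).Account
$gaDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$request = @{
    Action           = "selfActivate"
    PrincipalId      = $me.Id
    RoleDefinitionId = $gaDef.Id
    DirectoryScopeId = "/"                                        # whole tenant
    Justification    = "Rotate credentials of a compromised service account"   # placeholder
    TicketInfo       = @{ TicketNumber = "INC0012345"; TicketSystem = "ServiceNow" }  # placeholders
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # ISO 8601 duration: one hour, matching a short activation window in the role settings.
        Expiration    = @{ Type = "afterDuration"; Duration = "PT1H" }
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
# "Provisioned" when the role settings auto-approve; "PendingApproval" when an approver must act.
$result.Status

# What is active for this principal right now; after the window lapses this should be empty
# again, which is the behaviour the "only break glass accounts are permanent" rule relies on.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($me.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

If the role settings require MFA on activation and the current session was not MFA-authenticated, the request is rejected rather than silently approved, which is the intended behaviour; reconnect with an MFA-backed sign-in and resubmit.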
Privileged Access Workstation (PAW)
Unlike Robocop, IT administrators are human, and one small mistake can hand an attacker control of the tenant. Separate administrative accounts are enhanced by a privileged access workstation (PAW), which takes the separation a step further: an isolated physical workstation or laptop from which administrative functions are performed.
So, why is it important?
Using an everyday workstation for administrative functions significantly increases the risk of compromise. For example, malware on that workstation can simply wait until the account is elevated and MFA has been completed, then hijack the authenticated session to the tenant. Microsoft recommends PAWs for many administrative roles in Office 365, including Global Administrator, and extends the recommendation to administering on-premises services such as Azure AD Connect and AD FS servers.
Why hasn’t this recommendation been widely adopted? Without a doubt it is an investment of time and resources, and organizations need to weigh the risk against the reward. After COVID-19, hindsight says that acting before a crisis is better than waiting for one to happen, and the same is true for implementing PAWs in your environment.
Managed Devices and Approved Locations
Finally, the last weapons in your arsenal: Managed Devices and Approved Locations. Conditional Access can restrict the locations from which Global Administrators can sign in. In a typical scenario you would force administrators to make changes only from the company’s physical office, or remotely via VPN into the office. For the attacker this adds another barrier to breach before any attempt to compromise the Global Administrator accounts can succeed.
A caution: if all your approved locations lose internet connectivity you will be unable to sign in, and will need to use your emergency access accounts to get into the tenant. Alternatively, you can allow the administrative accounts to be used from selected countries, giving administrators more freedom of movement.
If you use Microsoft Endpoint Manager (MEM) for your devices, you can also apply Conditional Access policies that force Global Administrators to connect from compliant devices. Once more, this forces an attacker to enrol a device into MEM before any attempt on the account can be made.
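As an added example (not code from the original article or from Microsoft), the Microsoft Graph PowerShell script below builds the two controls just described: a trusted named location for the office egress range, a policy that blocks Global Administrators everywhere else, and a policy that requires MFA plus an Intune-compliant device. Both policies exclude the emergency access accounts and are created in report-only mode so the caution about losing access can be checked against real sign-ins before enforcement. The IP range (a documentation prefix), display names and break-glass UPNs are placeholders.

```powershell
# Added example: location and device restrictions for the Global Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All", "RoleManagement.Read.Directory"

# Emergency access accounts are excluded so a policy mistake cannot lock the tenant out.
$breakGlassIds = @("breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com") |   # placeholders
    ForEach-Object { (Get-MgUser -UserId $_).Id }
# Conditional Access targets roles by their directory role template ID.
$gaTemplateId = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Global Administrator").Id

# 1. Approved location: the office's public egress range (add the VPN's public range for remote admins).
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    DisplayName   = "HQ office egress"
    IsTrusted     = $true
    IpRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; CidrAddress = "203.0.113.0/24" })  # placeholder range
}

# 2. Block Global Administrator sign-ins from anywhere except the approved location.
$blockOutside = @{
    DisplayName   = "GA: block sign-in outside approved locations"
    State         = "enabledForReportingButNotEnforced"   # switch to "enabled" only after reviewing report-only results
    Conditions    = @{
        Users        = @{ IncludeRoles = @($gaTemplateId); ExcludeUsers = @($breakGlassIds) }
        Applications = @{ IncludeApplications = @("All") }
        Locations    = @{ IncludeLocations = @("All"); ExcludeLocations = @($office.Id) }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutside | Out-Null

# 3. From the approved location, still require MFA and a MEM-enrolled, compliant device.
$requireCompliant = @{
    DisplayName   = "GA: require MFA and compliant device"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users        = @{ IncludeRoles = @($gaTemplateId); ExcludeUsers = @($breakGlassIds) }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{ Operator = "AND"; BuiltInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant | Out-Null
```

Leave the policies in report-only mode for a few days and review the report-only results on the Azure AD sign-in logs for the GA accounts: any legitimate administrative sign-in that would have been blocked (a forgotten VPN egress address, a device not yet enrolled) shows up there before it becomes a lockout. Only then change State to "enabled".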
Invest to Protect Dev and Test Environments
You should also consider protecting other environments such as Dev and Test. These environments often contain configuration settings or connectors to production. This can be all the information an attacker needs to break into your production environment. Completing all the necessary steps to secure all your tenants is not to be overlooked or dismissed.
The 34th President of the United States, Dwight Eisenhower famously stated, “The most urgent decisions are rarely the most important ones.” By contrast the most important tasks are rarely the most urgent. How true that is for protecting the most important accounts in your tenant!
Please be aware that guidance from Microsoft can change from the time of writing. We recommend you take the time to review Microsoft’s current guidance and make your own decisions in relation to your highly privileged accounts.
Following these Office 365 Global Admin best practices will help keep your environment safe.
Many thanks to Andres Canello for his review and assistance for this article.
Quadrotech’s advanced Office 365 management software enables you to gain deeper operational control and visibility of your environment, while removing a significant load from IT through sophisticated delegation and policy control to simplify tenant (or multi-tenant) management.
The solution allows Global Admins to securely delegate certain Office 365 actions to unprivileged users within the tenant, streamlining administrative tasks via role-based access control, allowing IT departments to focus on more pressing issues.
Nova also provides effective Office 365 license management, offering clear visibility into usage, allowing you to immediately identify where you need to drive adoption, where cost savings can be made, and where you can re-allocate unused licenses instead of continually buying new ones upon request.
Nova’s advanced reporting and analytics also allow you to monitor usage of your whole environment, with comprehensive dashboarding and customizable reports to give you insights into the specific areas you’re looking for.
Get in touch here to find out more.