Therefore, the current recommendation is to only allow four global admins in the tenant. But if it’s a global admin account, the hackers can take down the entire company, change all the passwords, read all the email, insert poisoned rules into everyone’s mailbox, send spam from all accounts, and replace all the recovery information so that it’s difficult to get help from Microsoft. The 34th President of the United States, Dwight Eisenhower famously stated, “The most urgent decisions are rarely the most important ones.” By contrast the most important tasks are rarely the most urgent. If this isn’t an option, discuss with the GA how these passwords can be stored, if at all. When choosing a password consider meeting these basic requirements: Considering the above to be part of Office 365 Global Admin best practices, secure password managers can be employed to alleviate memory issues and typing errors. Do not use common words in a password like Password1! The same principles apply to other cloud services like Box, Dropbox, Salesforce, and the rest.
Before we get started, there are some absolute ground rules you must stick to when managing Office 365 global admin accounts: This practice provides better transparency in audit logs and reduces the organizational risk if your user account is ever compromised. In the meantime, if you’re looking for effective ways of managing your Office 365 environment as a global admin, Nova’s advanced Office 365 reporting software allows you to monitor the usage of your whole environment, with comprehensive dashboarding and customizable reports to give you insights into the specific areas you’re looking for. These are best practices for Office 365 security.

Only emergency access accounts should be set to permanently active. How true that is for protecting the most important accounts in your tenant!
Another important aspect is managing IT staff turnover and GA lifecycle management. Set up two dedicated global admin accounts without licenses, with different secondary email addresses. At least one account should be excluded from all Conditional Access policies. This recommendation also extends to administering on-premises services such as for AD Connect servers and ADFS Servers.

In Part One of this series on Office 365 Global Admin Best Practices, we looked at the essential checklist and security best practices. Use the principle of “least privilege” to assign limited admin roles to users. You should also consider protecting other environments such as Dev and Test. Many of the password and account recommendations from the NIST have been adopted by Microsoft and recommended to customers as part of its own guidance. It should go without saying that you shouldn’t let the browser memorize the password. In the next installment of this series, we’ll take a closer look at best practices for securing passwords, emergency access accounts, and Privileged Identity Management (PIM). With these principles in mind, you should consider the following recommendations for a deployment of PIM: The use of PIM is highly encouraged and a key tool for protecting highly privileged accounts. Why hasn’t this recommendation been widely adopted? Questions should also be asked about granting access to high privileged accounts: In this scenario, every organization arrives at decisions differently, some will have stricter guidelines than others, but it’s something you need to bear in mind. Would you consider them a long-term employee? Do these individuals have the required skills to be trusted with this level of access? At the end of the time, the account’s permissions are turned off again. Before you decide to procrastinate because this all sounds like a lot of trouble, it’s worth taking a look at what the big kids do for security. Privileged access workstation – the Office 365 admin portal (and other admin control panels) can only be accessed from special workstations with hardened security that cannot be used for any other purpose. Conditional access – the global admin account can only access the admin controls if it is in an approved location, or if the login attempt is being made from an approved device.
Here are the top 10 Office 365 best practices every Office 365 administrator should know.