Securely Manage and Govern Global Administrators in Office 365

Posted on Updated on by antoniomaioCategories:Administration, Governance, Security

Due to the fact that the Office 365 Global Administrator role is all powerful and has access to all Office 365 capabilities, there is good reason to ensure that all users with Global Administrator access are securely managed and governed.

At a high level, common industry standard practices are to restrict access to this role very strictly to only those individuals that require it, and to put numerous protections around accounts with this role.  There are numerous ways to do this, but the recommendations that I usually provide to Clients to protect these accounts are the following:

  • At any time, you should have a minimum of 2 and a maximum of 4 Global Administrator accounts.  This is an important practice because it can greatly reduces the attack surface for your Office 365 environment.  Typically, organizations have less than 5 Global Administrator accounts, but in some very large organizations (over 50K users) with globally dispersed administration teams, I have seen some Clients with 5 Global Admin accounts who manage these accounts well.
  • All Global Administrator accounts should have a minimum of 12-character long passwords. No exceptions. Depending on preference, 14 to 16 character long passwords may be used for these accounts.  Personally, I prefer 14 character passwords.
  • All Global Administrator accounts should have multi-factor authentication required to login.  Once again, no exceptions.  The 2nd factor of authentication should be configured to use the Microsoft Authenticator app, if possible.  This 2nd factor tends to be considered more secure than one-time passwords through SMS text messages, due to some attacks that have surfaced called ‘SIM Swap’ or ‘Port Out’ attacks. 
  • Global Administrator accounts should not be utilized to do work within SharePoint Online, OneDrive for Business, Exchange email, or Teams. They should strictly be utilized for global administrator level configurations.  You could go as far as removing Office 365 licenses for Exchange Online, SharePoint Online, Teams, Flow, PowerApps, Forms, etc. from all Global Administrator accounts.
  • Ideally a global administrator account should not have a mailbox because it opens the account up phishing attacks, password sprays, and other attacks.  If a global administrator account happens to require a mailbox for a specific purpose, then the organization should ensure that ‘mailbox auditing’ is turned on for that account.

Side Note: Mailbox Auditing should be enabled for all accounts with mailboxes anyway.  This is something that is done by default now anyway on all new user accounts with mailboxes.  However, if a global administrator account was created before summer 2018, it may not have mailbox auditing enabled and it is recommended that the organization at minimum turn it on for these accounts.

Each user that will be accessing the Global Administrator role should be a trusted individual within the organization, who is required to perform technical administrative tasks in the Office 365 environment which cannot be performed with a less privileged account.  They should be assigned a dedicated Global Administrator account, which is different from their regular Office 365 user account (one that they may use to do work like access email or documents).  The Global Administrator account should not be used for day to day work purposes. A Global Administrator account for such a trusted individual is often configured as follows:

  • The account should be specific to the person, meaning 2 individuals should not share a Global Administrator account.  This will allow the organization to audit the actions that each Global Administrator specifically performs.
  • Global Administrators should not use their individual work accounts (the accounts they use to check daily work email for example) to access global administrator capabilities in Office 365.  The day to day accounts should not be enabled with the Global Administrator role.
  • It should be named using a standard naming format, which identifies the role and the person that the account is assigned to.
  • It should only be used for the few tasks that absolutely require Global Administrator access.  These tasks often include following:
    • Add or manage domains within Office 365
    • Assign other administrative roles
    • Reset passwords for all users in bulk
    • Configure some app and security related settings within the Office 365 administration console such as:
      • Azure Rights Management
      • Globally turning on/off external sharing
      • Enable/disable/force reset of multi-factor authentication
    • There are others as well…
  • When significant configuration or tenant level settings are implemented using a Global Admin account, in a Production environment they are typically implemented as part of a formal change control process. When establishing such a process, it’s important recognize which tasks will require the formal change control process and which ones will not – for example, a Global Admin account may be used to reset the password for another administrator, or to disable another admin account when a user changes roles, and you need to decide if this requires formal change control or not.

Other Administration Roles

There are now numerous other admin level roles and each user that fulfills an admin role should have the least permissions possible assigned in order for them to fulfill their responsibilities.  So, for a user that is acting in an admin level capacity, if they can fulfill their responsibilities with a less privileged account, then they should only have access to that less privileged account. 

For day to day administration of services like Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business or Teams, it is recommended that a separate administration account be configured which has all of these administrative functions.  This account should be different and separate from a global administrator account and from the daily use account (used to check email).  For example, If an administrator’s only responsibility is to administer user accounts, performing tasks like adding users to groups, resetting passwords or assigning licenses, then the account should only have the User Administration role.  Once again, this account should be different and separate from a global administrator account and from the daily use account (used to check email). 

The full set of administrator roles, which is now numbers over 40, are listed here: https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide#roles-available-in-the-microsoft-365-admin-center.  Note: some of the administrative roles from the larger set are only available with Microsoft 365 (which is a different license from Office 365) and can only be configured within Azure AD.

Other Protections for Global Administrator Accounts

We often recommend that organizations enable automated procedures which query the Office 365 environment nightly for a list of all user account that contain an administrative role. This list should be automatically posted to a common location and reviewed regularly to ensure that users only have the administrative privileges they require.

We will also recommend that organizations institute an Access Review Process for Privileged Users as part of their governance procedures.  This means that on some regular cadence, like every 3 months or 6 months, and in a very official capacity, that the privileges, roles and permissions that are assigned to users with privileged access (ie. administrative access) are reviewed and certified to be correct.  If they are not correct, then changes are implemented at that time.

There are additional recommended Advanced Protections for administrative accounts like the Global Admin role, using the following features and recommendations:

Privileged/Secure Access Workstation

In high security scenarios, global administrators may be required to login to global Admin accounts only from Privileged Access Workstations (PAW).  These are sometimes called Secure Access Workstations (SAW). 

A PAW or SAW is a dedicated computer that is only used for administration tasks, such as Office 365 global admin capabilities. This computer is not used daily for Internet browsing or email, it is therefore better protected from attacks and threats.  There are typically very strict security configurations implemented on these computers, such as no mailbox access, to skype for business access, disabling certain protocols, etc.

Azure AD Privileged Identity Management (PIM)

A Microsoft 365 advanced security capability which provides on demand/just in time assignment of the global administration role, and facilitates automated regular reviews of privileged identity permissions. There are specific requirements for Microsoft 365 licenses in order to have access to this feature.

SIEM Integration

Integrate Office 365 audit logs with your corporate SIEM (Security Incident and Event Management) system for long term storage of audit logs and automated alerts. Azure Sentinel is a great example of a Cloud based SIEM that will subscribe to your O365 logs should you choose, and automatically aggregate those logs… and allow you to do a lot of interesting things with those logs like alerts and analytics.

Microsoft Cloud App Security

Configured automated policies which protect privileged identities from attack or misuse by evaluating fine-grained policies when users access specific apps, identities or data.

-Enjoy.

antoniomaio