Forum Discussion
escupham
Aug 15, 2016 - Iron Contributor
Best Practices O365 Admin Roles
For large Enterprises, what's the recommendation for assigning Admin Roles within O365 (Global Admin, Billing Administrator, SharePoint Administrator, etc) -- do you assign individual names as Admini...
Steven Rudolph
Aug 17, 2016 - Copper Contributor
For large enterprises you should use personalized accounts instead of service account names too. If you want to differentiate admin permissions in services like SharePoint Online you can create Groups or use Office Groups in the future. And please avoid passwords in PS scripts.
Quick tip: Don't use MFA for Office 365 Admins because you have a lot of trouble with it in PowerShell. Use strong and generated passwords!!!
Mar 24, 2017
I respectfully disagree with Steven's tip. I believe O365 Admin accounts should use MFA. For interactive admin scripting I created a separate admin account that has a strong password, and I disable it when not in use. If you need a service account that runs PowerShell scripts, that's a different need for which I would agree that you don't want MFA. However, when feasible, change the password periodically and if you can audit the use of the account, all the better.
David VanSickle
Dec 21, 2017 - Copper Contributor
Utilize a two-factor password vault on their primary account to access the administrative account for elevated access, and be sure the administrative account has a 24-hour reset. This ensures that when the primary account is disabled, they no longer have access to the administrative account and its password has been automatically changed. It's additional overhead but highly secure.