Forum Discussion
Best Practices O365 Admin Roles
Hi,
Very interesting topic and replies.
We are a tenant of 100 users and we have 3 global admins, with separate admin accounts.
Things work pretty much fine (including MFA), we have an issue though with 2 things:
1) Granularity of admin roles managed in Office 365 vs managed in Azure AD: there seem to be some little tiny differences that can prevent admins from doing their job.
2) Licenses: in principle an admin needs no license, but there are some actions that you can't perform with an adequate license (in Exchange Online or Intune).
We can sort point 1, but I am quite upset with point 2.
I recently attended an Ask The Expert session, during which the MSFT guru suggested the elevation of "normal users" to "admin role" based on a specific time frame or on demand, but I could not find any hint in this sense.
If you have any, and want to share, feel free!
Nicola
I recently attended an Ask The Expert session, during which the MSFT guru suggested the elevation of "normal users" to "admin role" based on a specific time frame or on demand, but I could not find any hint in this sense.
This means that you assign administrative permission to users for the duration of time needed for them to perform administrative work and remove the permission once the time elapses. It is the way that many large enterprises operate. However, given your size, I think it would probably generate too much overhead to do this. Instead, good auditing practice to make sure that any inappropriate actions by administrators are detected and questioned is probably a better path for you to take. A tool like Cogmotive's Discover and Audit https://www.cogmotive.com/discoverandaudit/ would help (it's cheaper than paying for Microsoft's Advanced Security Management).