For large Enterprises, what's the recommendation for assigning Admin Roles within O365 (Global Admin, Billing Administrator, SharePoint Administrator, etc) -- do you assign individual names as Administrators or use more of a RBAC and assign say the SharePoint Admin role to a shared AppID instead of individuals?

Principle of least privileges always applies. You probably wont be able to get away with just 2 or 3 global admins, but you should keep the number at minimum. Give individual roles, use scoped RBAC roles where needed, etc. Dont forget to also enable MFA for each admin account. I would avoid using shared accounts where possible, auditing their usage quickly becomes a nightmare (and you dont want to be investigating which of the 10 users behind adminXXX@domain.com removed that license from the C*O :)). They're best used for automating scripts, so you dont end up with dozen different admins each used to run a single script. Oh, and please dont hardcode passwords into script files, every time I see something like this I switch to uncensored mode :)

Re. PowerShell.. Remember that MFA doesn't work for some modules (like Exchange Online) so you'll need an account that is not MFA-enabled for that work. And follow Vasil's advice and avoid passwords in scripts. That's more than the mind can cope with...

I respectfully disagree with Steven's tip. I belive O365 Admin accounts should use MFA. For interactive admin scripting I created a separate admin account that has a strong password, and I disable it when not in use. If you need a service account that runs PowerShell scripts, that's a different need for which I would agree that you don't want MFA. However, when feasible, change the password periodically and if you can audit the use of the account, all the better.

I have 5 clients that are Fortune 500 companies, all of them assign individual users names to the Admin roles. Only one of them had separate "admin" account for their staff to login with when the were performing Admin functions, While this is a pain in the neck, it a good idea that should be used more often. Accounts should never be shared because this does not provide a good audit trail.

We are a tenant of around 100 users. Three of us are Global Admins and we each use separate admin accounts from our normal user accounts. We also do this for on-prem.

Best Practices O365 Admin Roles | Microsoft Community Hub

Guarino Nicola
Copper Contributor
Aug 10, 2017
Hi,
very intersting topic and replies.
WE are a tenant of 100 users and we have 3 global admins, with separate admin accounts.

Things work pretty much fine (including MFA), we have an issue though with 2 things:

1) Granularity of admin roles managed in Office 365 vs managed in Azure AD, there seem to be some little tiny differences that can prevent admin to their job.
2) Licenses: in principle an Admin needs no license, but ther are some actions that you can't perform with an adequate license (in Exchange Online or Intune).

We can sort point 1, but I am quite upset with point 2.

I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.

If you have any, and want to share, feel free!

Nicola
- TonyRedmond
  MVP
  Aug 10, 2017
  
  I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.
  
  This means that you assign administrative permission to users for the duration of time needed for them to perform administrative work and remove the permission once the time elapses. It is the way that many large enterprises operate. However, given your size, I think it would probably generate too much overhead to do this. Instead, good auditing practice to make sure that any inappropriate actions by administrators are detected and questioned is probably a better path for you to take. A tool like Cogmotive's DIscover and Audit https://www.cogmotive.com/discoverandaudit/ would help (it's cheaper than paying for Microsoft's Advanced Security Management).
- Paul Cunningham
  Steel Contributor
  Aug 24, 2017
  Guarino Nicola wrote:
  
  I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.
  
  Sounds like they were referring to the feature called Privileged Identity Management, which can temporarily elevant permissions based on specific conditions and approvals.
  - Deleted
    Oct 25, 2017
    Is this what you are referring to?
    What is Azure AD Privileged Identity Management?

Forum Discussion

Best Practices O365 Admin Roles

Share

Resources