For large Enterprises, what's the recommendation for assigning Admin Roles within O365 (Global Admin, Billing Administrator, SharePoint Administrator, etc) -- do you assign individual names as Administrators or use more of a RBAC and assign say the SharePoint Admin role to a shared AppID instead of individuals?

Principle of least privileges always applies. You probably wont be able to get away with just 2 or 3 global admins, but you should keep the number at minimum. Give individual roles, use scoped RBAC roles where needed, etc. Dont forget to also enable MFA for each admin account. I would avoid using shared accounts where possible, auditing their usage quickly becomes a nightmare (and you dont want to be investigating which of the 10 users behind adminXXX@domain.com removed that license from the C*O :)). They're best used for automating scripts, so you dont end up with dozen different admins each used to run a single script. Oh, and please dont hardcode passwords into script files, every time I see something like this I switch to uncensored mode :)

Re. PowerShell.. Remember that MFA doesn't work for some modules (like Exchange Online) so you'll need an account that is not MFA-enabled for that work. And follow Vasil's advice and avoid passwords in scripts. That's more than the mind can cope with...

I respectfully disagree with Steven's tip. I belive O365 Admin accounts should use MFA. For interactive admin scripting I created a separate admin account that has a strong password, and I disable it when not in use. If you need a service account that runs PowerShell scripts, that's a different need for which I would agree that you don't want MFA. However, when feasible, change the password periodically and if you can audit the use of the account, all the better.

I have 5 clients that are Fortune 500 companies, all of them assign individual users names to the Admin roles. Only one of them had separate "admin" account for their staff to login with when the were performing Admin functions, While this is a pain in the neck, it a good idea that should be used more often. Accounts should never be shared because this does not provide a good audit trail.

We are a tenant of around 100 users. Three of us are Global Admins and we each use separate admin accounts from our normal user accounts. We also do this for on-prem.

Best Practices O365 Admin Roles | Microsoft Community Hub

19 Replies

VasilMichev
MVP
Aug 15, 2016
Principle of least privileges always applies. You probably wont be able to get away with just 2 or 3 global admins, but you should keep the number at minimum. Give individual roles, use scoped RBAC roles where needed, etc. Dont forget to also enable MFA for each admin account.

I would avoid using shared accounts where possible, auditing their usage quickly becomes a nightmare (and you dont want to be investigating which of the 10 users behind adminXXX@domain.com removed that license from the C*O :)). They're best used for automating scripts, so you dont end up with dozen different admins each used to run a single script. Oh, and please dont hardcode passwords into script files, every time I see something like this I switch to uncensored mode :)
- TonyRedmond
  MVP
  Aug 16, 2016
  Re. PowerShell.. Remember that MFA doesn't work for some modules (like Exchange Online) so you'll need an account that is not MFA-enabled for that work. And follow Vasil's advice and avoid passwords in scripts. That's more than the mind can cope with...

Forum Discussion

Best Practices O365 Admin Roles

19 Replies

Resources