Forum Discussion
Global administrator in Office 365, how to get real governance
- Jul 15, 2016
Microsoft CAN help you in situations like this, but you will need to pass over multiple verifications and so on. So if you havent contacted support already, do it, and if the first line guys are giving you trouble ask to get the issue escalated.
As to what you can do to avoid future issues - dont grant access to people you dont trust and protect your sensitive accounts with MFA (it's free and very simple to setup/use).
- Jul 15, 2016
The Global Admin account level is extremely important to protect. MFA is a must.
One related tip... If you're on E3, you can Activity log to query all changed admin settings or call the corresponding API.
For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.
Either way, it is good from a checks and balances perspective to see what other admins are setting.
Danny - I'm just getting around to reading this post. If you're looking for a way to control admin rights on a per tenant basis and only allow certain admins to perform certain functions, wiht the ability to track all admin activity, reach out and we'll demo our multitenat O365 management platform to you. We have a number of features that go well beyond the O365 admin portal including advanced RBAC.
Rgds,
Brian
To stop a rogue global admin from deleting other admins, is it possible to limit logins from global admins to specific physically secure local locations? That way, when it's time to say goodbye to a global admin, you can change the physical access controls to the secure local locations and he/she would no longer have access and could do no harm.