Forum Discussion
Global administrator in Office 365, how to get real governance
- Jul 15, 2016
Microsoft CAN help you in situations like this, but you will need to pass over multiple verifications and so on. So if you havent contacted support already, do it, and if the first line guys are giving you trouble ask to get the issue escalated.
As to what you can do to avoid future issues - dont grant access to people you dont trust and protect your sensitive accounts with MFA (it's free and very simple to setup/use).
- Jul 15, 2016
The Global Admin account level is extremely important to protect. MFA is a must.
One related tip... If you're on E3, you can Activity log to query all changed admin settings or call the corresponding API.
For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.
Either way, it is good from a checks and balances perspective to see what other admins are setting.
All Global admins have equal rights, if that's what you mean. Protecting an account with MFA will not prevent any malicious activities from rogue operative, but it will put another layer of security on top of the password.
There are seldom good technical answers to the activities of flawed human beings who have some level of authority. In this instance, if administrator access is assigned to people who end up doing stupid things like hack into managers' mailboxes, your hiring policies, controls, or methods for appointing people into positions of authority need to be looked at to ensure that it doesn't happen again. Controls include audits of administrative activities and access to user data that are performed by someone other than the administrators. All of the capabilities are there to perform the audits; they just have to become part of normal operating procedure and carry suitable consequences if malicious activities are detected. Those consequences have to be communicated clearly and unambigiously to the administrators so that no one is in any doubt as to what will happen if they misuse the authority over the tenant that they have been granted. And you should always have at least two administrators who can validate the actions of each other.
All of this can be summarized in a single sentence: Management need to manage IT and the people who administer those systems.