Forum Discussion
Danny Boulanger
Jul 15, 2016 (Copper Contributor)
Global administrator in Office 365, how to get real governance
I am trying to have 100% governance to avoid having the following situation: 1- A global admin makes the decision to kick out the other global admins and take control 2- Give the corporate management ...
- Jul 15, 2016
Microsoft CAN help you in situations like this, but you will need to pass multiple verifications and so on. So if you haven't contacted support already, do it, and if the first-line guys are giving you trouble, ask to get the issue escalated.
As to what you can do to avoid future issues - don't grant access to people you don't trust and protect your sensitive accounts with MFA (it's free and very simple to set up/use).
- Jul 15, 2016
The Global Admin account level is extremely important to protect. MFA is a must.
One related tip... If you're on E3, you can use the Activity log to query all changed admin settings or call the corresponding API.
For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.
Either way, it is good from a checks and balances perspective to see what other admins are setting.
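The threshold rule described in the reply above, sketched as an added example that is not part of the thread and is not Microsoft's Advanced Security Management logic: it flags an admin who removes members from the global admin role or makes more than a set number of changes inside a time window. The record fields, operation names and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not a real audit schema.
SAMPLE_EVENTS = [
    {"time": "2016-07-15T09:00:00", "actor": "admin.a@example.com", "op": "change_setting", "target": "external-sharing"},
    {"time": "2016-07-15T11:00:00", "actor": "admin.a@example.com", "op": "change_setting", "target": "mail-forwarding"},
    {"time": "2016-07-15T14:00:00", "actor": "admin.c@example.com", "op": "remove_role_member", "target": "helpdesk_admin"},
    {"time": "2016-07-15T22:01:00", "actor": "admin.b@example.com", "op": "remove_role_member", "target": "global_admin"},
    {"time": "2016-07-15T22:02:00", "actor": "admin.b@example.com", "op": "remove_role_member", "target": "global_admin"},
    {"time": "2016-07-15T22:03:00", "actor": "admin.b@example.com", "op": "change_setting", "target": "audit-logging"},
    {"time": "2016-07-15T22:04:00", "actor": "admin.b@example.com", "op": "change_setting", "target": "external-sharing"},
]


def find_suspect_admins(events, window=timedelta(minutes=10), threshold=3):
    """Return {actor: sorted reasons} for admins whose activity needs review."""
    recent = defaultdict(deque)  # actor -> timestamps of changes still inside the window
    reasons = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["actor"]
        # Rule 1: any removal from the global admin role is flagged on its own.
        if ev["op"] == "remove_role_member" and ev["target"] == "global_admin":
            reasons[actor].add("global_admin_removal")
        # Rule 2: more than `threshold` admin changes inside the sliding window.
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            reasons[actor].add("change_burst")
    return {actor: sorted(r) for actor, r in reasons.items()}


if __name__ == "__main__":
    for actor, why in find_suspect_admins(SAMPLE_EVENTS).items():
        print(actor, why)
```

Changes spread over the working day and a removal from a lesser role are not flagged; only the actor who trips one of the two rules appears in the result.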
Dean_Gross
Aug 30, 2016 (Silver Contributor)
A good place to start is to ensure that every admin role has at least 2 people assigned.
dboulanger_segic
Aug 30, 2016 (Copper Contributor)
Thanks for your reply! That is obviously minimal, but one global admin can take out the global admin. We implement 3 global admins from different departments. Also, we will implement in Azure AD a corporate admin that can take out the rights of any global admin in Office 365. Using the Compliance center for audit and alerts, we should be fine. I think that I am heading toward good governance and information security.