Forum Discussion

Jesper Stein
Brass Contributor
Jun 15, 2018

Shared Service Admin

We have a need for a shared global admin account. One of our demands is that all admin accounts in 365 have MFA enabled.

How can you share an admin account with MFA enabled? Any ideas or experience?

  • You can configure some desk phone (or even VOIP number) as the auth number, and handle the 2FA challenge. Alternatively, you can configure MFA bypass based on "trusted IPs". Using a GA without MFA is a bad practice, however secure you think the password is (even ignoring the fact you are sharing the password between several people).
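Since the requirement in the question is that every admin account has MFA, the first thing to check is whether that actually holds today. The following script is an added example, not code from anyone in the thread. It uses the Microsoft Graph PowerShell SDK to walk every activated directory role, and for each user member lists the authentication methods they have registered, flagging accounts that have nothing beyond a password. It assumes you hold the Graph scopes named in the `Connect-MgGraph` call and that the list of "strong" method types below is the one your policy accepts (a hypothetical choice here; adjust it to yours). Registration is not enforcement: a user with a phone registered may still never be challenged if no Conditional Access policy or per-user MFA setting requires it, so read the output as a registration gap report, not proof of enforcement.

```powershell
# Added example (not from the thread): report Entra ID / Azure AD directory role
# members who have registered no second factor. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','UserAuthenticationMethod.Read.All','User.Read.All'

# Method types treated as a second factor (assumption: tune to your policy).
# Password and e-mail methods are deliberately absent: they are not MFA.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is exactly the set that can currently have members.
$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members may also be groups or service principals; only users register MFA.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

        [pscustomobject]@{
            Role    = $role.DisplayName
            User    = $member.AdditionalProperties['userPrincipalName']
            HasMfa  = [bool]($types | Where-Object { $strongMethods -contains $_ })
            Methods = ($types -replace '^#microsoft\.graph\.', '') -join ','
        }
    }
}

# Accounts holding a directory role with password only: these violate the
# "all admin accounts have MFA" requirement regardless of how the password is shared.
$report | Where-Object { -not $_.HasMfa } | Sort-Object Role, User | Format-Table -AutoSize
```

A shared account shows up here like any other user, so if several people share one Global Administrator and it has only a password registered, it will be the first line in the output. If it does have a phone registered, the report cannot tell you whose phone it is; that is the point made in the reply above about a desk phone or VoIP number, and it is a process question the script cannot answer.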

  • 
    Fromelard
    Steel Contributor

    In our corporate case, we have only dedicated admin accounts per "User Admin", similar to adm_userLogin, created on the internal AD domain and synced to AAD.

    None of those accounts is associated with any Office 365 licence, and the admin permissions are given depending on the technology knowledge (Exchange, SP, …).

    Those accounts don't have MFA enabled anyway, to avoid fighting with the multiple authentication issues.

    Fab

    • 
      Jesper Stein
      Brass Contributor

      Hi.

      E.g. we have one "master account" to manage our Azure subscriptions. We are several people who need to log in to it to manage the subscriptions.

      Also our SharePoint guys need to share an account for working with Flow, where they need one account to create flows.

      • 
        Fromelard
        Steel Contributor

        The case is the same here (more than 50'000 employees), so we are splitting the roles as follows:

        • The tenant full admin role: 2 people, to cover each other's holiday time
        • The Exchange admin role: 3 people
        • The SharePoint admin role: 4 people
        • A dedicated support team that also has the tenant admin role and can execute scripts or changes depending on the request, with the full admin's validation

        The situation was quite acceptable in the past because the isolation was OK, but with the new Office Groups positioning, that is less and less sustainable.

        From what I understood, the dedicated admins will be removed and the admin permissions will be transferred only to the support team.

        Some other aspects are pushing us in that direction, with the GDPR regulations, the US and SG regulations, …

        So we will continue with that separation of accounts for admin and support as explained before, but the associated roles will probably change a little bit.

        About the developers' case, we have that question for Flow & PowerApps but also for Power BI development, and we decided to create shared service accounts (without MFA) delivered to the "Publisher"; the developer will work in a dedicated space (site collection or groups/teams).

        Hope that will help you.

        Fab
