Forum Discussion

Jesper Stein's avatar
Jesper Stein
Brass Contributor
Jun 14, 2018

Shared Service Admin

We have a need for a shared global admin account. One of our demands is that all admin accounts in 365 has MFA enabled. How can you share an Admin account with MFA enabled? Any idears or expirence?
admin
office 365
Jesper Stein's avatar
Jesper Stein
Brass Contributor
Jun 15, 2018

Hi.

 

E.g we have one "master account" to manage our Azure subscriptions. We are several people that need to login on this to manage the subscriptions.

 

Also our Sharepoint guys need to share an account for working with Flow, where they need one account to create flows.

Fromelard's avatar
Fromelard
Iron Contributor
Jun 15, 2018

The case is the same here (more than 50'000 employees), so we are splitting the roles as following:

 

  • The Tenant full admin role: 2 persons to share the holidays time
  • The Exchange Admins role: 3 persons
  • The SharePoint Admin role: 4 persons
  • A dedicated support team who has also the tenant admin role and can execute the scripts or change depending of the request and with the Full admin validation

The situation was quite acceptable in the past because the isolation was ok, but with the new Office Group positioning, that is less and less sustainable.

From what I understood the dedicated admin will be removed and the admin permission will be transferred only to the support team.

 

Some other aspect are pushing us in that directly with the GPDR regulations, the US and SG regulations, … 

So we will continue with that separation of account for Admin and support as explained before but the associated role will probably change a little bit.

 

About the developers case, we have that question for Flows & PowerApp but also for PowerBI dev and we defined to create shared service accounts (without MFA) delivered to the "Publisher", the developer will work into dedicated space (site collection or groups/teams)

 

Hope that will help you.

 

Fab

 

Resources