Best Practices O365 Admin Roles

escupham maybe this will help... 

https://www.quadrotech-it.com/blog/office-365-global-admin-best-practices-part-one/

Hi,

very intersting topic and replies.

WE are a tenant of 100 users and we have 3 global admins, with separate admin accounts.

Things work pretty much fine (including MFA), we have an issue though with 2 things:

1) Granularity of admin roles managed in Office 365 vs managed in Azure AD, there seem to be some little tiny differences that can prevent admin to their job.

2) Licenses: in principle an Admin needs no license, but ther are some actions that you can't perform with an adequate license (in Exchange Online or Intune).

We can sort point 1, but I am quite upset with point 2.

I recently attended an Ask The Expert session, during which the the MSFT guru suggested the elevation of "normal users" to "admin role" based on specifc time frame or on demand, but i could not find any hint in this sense.

If you have any, and want to share, feel free!

Nicola

So, there use to be this mentality, or framework, for Office services on-premises, of pursuing least-privileged access design in your administration and services. And, with the the changes in O365, and the symbiotic integration with Azure AD, there is some much lacking community content on that. So, I started writing about this, especially as all Office 365 services are essentially going to be controlled by Office 365 groups as the focal identity. That will change the stack of who needs what role and permission in Office 365 Administration. Anyways, I'll be adding content to it as I can, https://medium.com/@lousimonetti/office-365-lessons-in-least-privileged-security-d7830578c4c2

I would also recommend to keep use of Global Admin and other Admin roles at a minimum and always assign separate accounts for Admin rolls. I the admin panel under users it is also good to make a report that fast can give you an overview of who has the different rolls assigned.

If you not already have a good tool for reporting I could recommend https://www.cogmotive.com/ that have saved us both hours of work but also a lot of money. On a monthly basis I have sat up different reports that goes automatically both to us at IT but also to our different managers at our locations spread all around the country. They can then easely see who are assigned licenses and if they still have assigned users that should have been removed.

I don´t work for Cogmotive, just love their tools :-)

BR Marius

Here's a support.office.com article about the different roles and how to assign them that may be useful for reference:

https://support.office.com/en-us/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d?ui=en-US&rs=en-US&ad=US

You may also be interested in the Advanced Security Management features  https://support.office.com/en-us/article/Get-started-with-Advanced-Security-Management-d9ee4d67-f2b3-42b4-9c9e-c4529904990a?ui=en-US&rs=en-US&ad=US and

this poster does a very nice job of presenting the numerous information protection options https://docs.com/officeitpro/3899/information-protection-for-office-365

I have 5 clients that are Fortune 500 companies, all of them assign individual users names to the Admin roles. Only one of them had separate "admin" account for their staff to login with when the were performing Admin functions, While this is a pain in the neck, it a good idea that should be used more often.

Accounts should never be shared because this does not provide a good audit trail.

I have a tenancy where there are two domains. Is it possible to have a password administrator that is restricted to just one domain?