I need to deploy CodeTwo Office 365 signatures in our company.
The signature management role will be assigned to a marketing office employee.
The CodeTwo signature software needs a Global Admin account to create or edit signatures.
This is a very dangerous point (CodeTwo support told me that in the future they will change this limitation).
What can I do to limit the marketing user? I thought of creating another global admin account for CodeTwo and enabling MFA on it (I need a license), and after that creating an app password for that account (I know that Microsoft doesn't recommend it on admin accounts) and giving that password to the marketing operator.
I want to know whether, with the app password, the employee can also connect to the admin center console, or whether any web access is blocked for the app password.
App passwords only work for legacy auth, so he will not be able to use it to log in to the portal. PowerShell and other admin endpoints should also not accept login via the app password, so this might just work. The question is, will he be able to actually perform the signature-related tasks?
No idea why they need a global admin though; at most they should be asking for Exchange Admin, Impersonation or some specific Exchange Role. Or perhaps it's a one-time requirement just when you set up the tool?