cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Best practice for Global Admin account and how to transition my own account

Chris Parker
Iron Contributor

‎Mar 14 2018 10:55 AM - last edited on ‎Feb 07 2023 08:00 PM by

‎Mar 14 2018 10:55 AM - last edited on ‎Feb 07 2023 08:00 PM by

Best practice for Global Admin account and how to transition my own account

I'm sure mine is a common scenario: I created the Office 365 tenant and so I am a Global Admin. Over time, I've created multiple services, setup AAD Connect, and the list goes on.

 

I want to do a few things:

 

1. Determine all the places where my credentials are being used to authenticate services/apps

2. Create and use a dedicated Global Admin account

3. Take my account out of the Global Admin list

4. Enable MFA on my account

 

On second thought, if I enable MFA on my account can I continue to use it as the Global Admin or is that still a bad practice?

Labels:
2,262 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by VI_Migration (Silver Contributor)
Vasil Michev

‎Mar 14 2018 12:51 PM

‎Mar 14 2018 12:51 PM

Solution

Re: Best practice for Global Admin account and how to transition my own account

Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials, it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.

 

In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.

 

The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentially. But protecting it with MFA is a good middle ground.

0 Likes
Reply
Chris Parker

‎Mar 14 2018 02:51 PM

‎Mar 14 2018 02:51 PM

Re: Best practice for Global Admin account and how to transition my own account

Thanks for the response. This should be just what I needed. I haven't done much work with the audit log yet so this will be a good chance.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Vasil Michev

‎Mar 14 2018 12:51 PM

‎Mar 14 2018 12:51 PM

Solution

Re: Best practice for Global Admin account and how to transition my own account

Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials, it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.

 

In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.

 

The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentially. But protecting it with MFA is a good middle ground.

View solution in original post

0 Likes
Reply