Mar 14 2018 10:55 AM - last edited on Feb 07 2023 08:00 PM by TechCommunityAP
I'm sure mine is a common scenario: I created the Office 365 tenant and so I am a Global Admin. Over time, I've created multiple services, set up AAD Connect, and the list goes on.
I want to do a few things:
1. Determine all the places where my credentials are being used to authenticate services/apps
2. Create and use a dedicated Global Admin account
3. Take my account out of the Global Admin list
4. Enable MFA on my account
On second thought, if I enable MFA on my account can I continue to use it as the Global Admin or is that still a bad practice?
Mar 14 2018 12:51 PM (Solution)
Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials, it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.
In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.
The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentionally. But protecting it with MFA is a good middle ground.
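To carry out the sign-in log check the answer describes, here is an added example using Microsoft Graph PowerShell (it is not code from this thread). It assumes the Microsoft.Graph.Reports module is installed, the caller holds the AuditLog.Read.All permission, and $OldAdminUpn is a placeholder for the old Global Admin account.

```powershell
# Added example: summarise where a legacy Global Admin account still signs in,
# so each row can be traced to a script, scheduled task or console login.
# Assumptions: Microsoft.Graph.Reports module, AuditLog.Read.All consent,
# $OldAdminUpn is a placeholder UPN (not a value from the thread).
# Sign-in log retention is short (days to a month depending on licence),
# so run this periodically after moving to the new admin account.
param(
    [Parameter(Mandatory)] [string] $OldAdminUpn,
    [int] $Days = 30
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "userPrincipalName eq '$OldAdminUpn' and createdDateTime ge $since"

# -All pages through every matching record. The v1.0 endpoint returns
# interactive user sign-ins by default; non-interactive sign-ins need the
# beta endpoint's signInEventTypes filter.
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

if (-not $signIns) {
    Write-Host "No sign-ins for $OldAdminUpn in the last $Days days."
    return
}

# One row per application + client type + source IP: each distinct
# combination is a place where the credentials are still being used.
$signIns |
    Group-Object AppDisplayName, ClientAppUsed, IPAddress |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object CreatedDateTime
        $first  = $sorted[0]
        $last   = $sorted[-1]
        [pscustomobject]@{
            Application = $first.AppDisplayName
            Client      = $first.ClientAppUsed   # e.g. Browser, Mobile Apps and Desktop clients
            SourceIP    = $first.IPAddress
            Resource    = $first.ResourceDisplayName
            Interactive = $first.IsInteractive
            Count       = $_.Count
            FirstSeen   = $first.CreatedDateTime
            LastSeen    = $last.CreatedDateTime
            LastResult  = if ($last.Status.ErrorCode -eq 0) { "Success" } else { "Failed ($($last.Status.ErrorCode))" }
        }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```

Rows with a non-interactive client type or a fixed server IP are the usual sign of a stored credential in a script or scheduled task; those are the ones to migrate before the account is removed from the Global Admin role.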