SOLVED

Best practice for Global Admin account and how to transition my own account


I'm sure mine is a common scenario: I created the Office 365 tenant and so I am a Global Admin. Over time, I've created multiple services, set up AAD Connect, and the list goes on.

I want to do a few things:

1. Determine all the places where my credentials are being used to authenticate services/apps

2. Create and use a dedicated Global Admin account

3. Take my account out of the Global Admin list

4. Enable MFA on my account

On second thought, if I enable MFA on my account can I continue to use it as the Global Admin or is that still a bad practice?

2 Replies
Best Response confirmed by Chris Parker (Contributor)
Solution

Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials; it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.

In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.

The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentionally. But protecting it with MFA is a good middle ground.
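One way to act on the audit-log suggestion above, as an added example that is not part of the original thread: parse a sign-in log export offline and summarize where the old account still authenticates successfully, separating browser sessions from non-browser clients (the usual sign of a script or scheduled task holding the password). The sample records, account names and IP addresses below are constructed; the field names follow the Microsoft Graph signIn resource.

```python
"""Summarize where a retired Global Admin account still signs in, from an Azure AD
sign-in log export (JSON list using Microsoft Graph signIn field names)."""
import json
from collections import defaultdict

# Constructed sample export (not real tenant data); UPNs and IPs are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-01T02:00:04Z", "userPrincipalName": "jane@contoso.example",
     "appDisplayName": "Exchange Online PowerShell", "clientAppUsed": "Other clients",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T02:00:03Z", "userPrincipalName": "jane@contoso.example",
     "appDisplayName": "Exchange Online PowerShell", "clientAppUsed": "Other clients",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:15:00Z", "userPrincipalName": "jane@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:20:00Z", "userPrincipalName": "jane@contoso.example",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},  # failed: bad password
    {"createdDateTime": "2024-05-02T10:00:00Z", "userPrincipalName": "ga-admin@contoso.example",
     "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
])

def summarize_account_usage(export_json, upn):
    """Map (app, client) -> count, source IPs and last timestamp of successful sign-ins by upn."""
    usage = defaultdict(lambda: {"count": 0, "ips": set(), "last": ""})
    for rec in json.loads(export_json):
        if rec["userPrincipalName"].lower() != upn.lower():
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed attempt does not show the credential is stored anywhere
        entry = usage[(rec["appDisplayName"], rec["clientAppUsed"])]
        entry["count"] += 1
        entry["ips"].add(rec["ipAddress"])
        entry["last"] = max(entry["last"], rec["createdDateTime"])  # same-format UTC stamps sort lexically
    return dict(usage)

def likely_scripted(usage):
    """(app, client) pairs reached through non-browser clients: where to look for stored credentials."""
    return sorted(k for k, v in usage.items() if k[1] != "Browser")

if __name__ == "__main__":
    u = summarize_account_usage(SAMPLE_EXPORT, "jane@contoso.example")
    for (app, client), v in sorted(u.items()):
        print(f"{app} via {client}: {v['count']} sign-ins, last {v['last']}, from {sorted(v['ips'])}")
    print("check for stored credentials in:", likely_scripted(u))
```

Run it against a real export (the portal's sign-in log download, or the same records pulled through the Graph API) after the new dedicated account is in use; anything the old account still reaches through a non-browser client at a regular time is a candidate script or scheduled task to update.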

Thanks for the response. This should be just what I needed. I haven't done much work with the audit log yet so this will be a good chance.