O365 / Azure AD - two accounts for admins v. PIM


I refer to this existing post which neatly sums up my query: https://techcommunity.microsoft.com/t5/admin-center/admin-roles-for-user-accounts-vs-separate-admin-...

 

Basically is it a good idea with O365 admins to have a regular daily use account separate from the admin account and then only use the admin account as required in an incognito browser window and sign out when finished (MFA on all accounts regardless a given)?

 

Benefits I see:

  • minimises risk of being struck by virus or malware while logged into admin account
  • mitigates risk of admin user accidentally changing Office 365 admin settings / Azure AD tenant config
  • ensure any content created by admin user is owned by their regular user account

I didn't think the admin account would need to be assigned an O365 licence but then I realised it would have no mailbox associated with it so how would it get admin alerts?

 

@Vasil Michev suggests Privileged Identity Management (PIM) is a better solution to this in the original post but that would more than double our monthly user cost as it requires Azure AD P2 and we are just using O365 Essentials with Azure AD basic right now.

 

So assuming PIM is not in our budget right now, is having two accounts a good idea and if so does the admin account actually need an O365 licence to be able to receive email alerts?

3 Replies

You only need the Azure AD license for your admin(s), plus it adds some other goodness such as Conditional access policies, Azure AD identity protection and so on.

 

To your question, no, generally you don't need to have a license or a mailbox for the admin, there are very few functionalities that will not work without one. Alerts will be sent to the "alternative address" you specify when assigning an admin role.
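An added audit script (not posted by anyone in this thread) that checks the two points raised above: whether each admin role holder is a separate, unlicensed admin account rather than a licensed daily-use account, and whether it has an alternative email address for admin alerts. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read directory roles and users, and that the "alternative email address" set in the admin center is stored in the user's `otherMails` attribute.

```powershell
# Added example, not from the original thread.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "Directory.Read.All"

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is sufficient here: a role with no members has never been assigned.
$report = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Only user objects matter for the two-account question; skip groups and service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property UserPrincipalName, Mail, OtherMails, AssignedLicenses, AccountEnabled

        [pscustomobject]@{
            Role           = $role.DisplayName
            UPN            = $user.UserPrincipalName
            Enabled        = $user.AccountEnabled
            # A licensed account holding an admin role is most likely a daily-use
            # account, i.e. the pattern the thread is trying to avoid.
            Licensed       = (@($user.AssignedLicenses).Count -gt 0)
            HasMailbox     = -not [string]::IsNullOrEmpty($user.Mail)
            # Assumption: the admin center's "alternative email address" lands in otherMails.
            AlternateEmail = (@($user.OtherMails) -join ';')
        }
    }
}

# Admin role holders that are also licensed: candidates for splitting into a separate admin account.
Write-Host "`nLicensed accounts holding admin roles:"
$report | Where-Object { $_.Licensed } | Format-Table Role, UPN, HasMailbox -AutoSize

# Admin-only accounts with no mailbox and no alternative address: alerts have nowhere to go.
Write-Host "`nAdmin accounts with no mailbox and no alternative email address:"
$report | Where-Object { -not $_.HasMailbox -and [string]::IsNullOrEmpty($_.AlternateEmail) } |
    Format-Table Role, UPN, Enabled -AutoSize
```

The first table is the list to work through when introducing separate admin accounts; the second is the list of admin accounts that would miss alerts under the licence-free approach described in the reply above, since they have neither a mailbox nor an alternative address.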


@Vasil Michev Ahh wait I first read this message at about 3:30am Sunday morning - are you saying only the admin needs an AD Premium subscription to unlock all that stuff - not every user?


Define "all that stuff"? What I'm saying is that for PIM, you need only licenses for the admins. The other features will have varied license requirements, check the documentation.