Admin roles for user accounts vs. separate admin accounts

Hello,

I am looking for information about the benefits and drawbacks of having our O365 administrators use a separate admin account with roles like SharePoint, Exchange, Service, or Global administrator that is different from their normal user account. This is how we do things in our on-premises environment, but I was hoping to hear from others whether that works well in O365, or if it would be better to just grant admin roles to their user accounts.

I read through this conversation: Microsoft Tech Community: Best Practices O365 Admin Roles, but the conversation was more focused on weighing shared accounts vs. individual accounts. We would not be using shared accounts for this purpose. There were a few replies that mention separate user and admin accounts for the people doing the administration, but I was hoping to get a conversation more focused on that.

A drawback that comes to mind immediately is the cost of extra licensing for the admin accounts. Are there other drawbacks? What benefits are you seeing with this structure?

Thank you!

Brian

3 Replies

You do not need a license to perform admin tasks. And you definitely don't need to use any kind of privileged account to check your email or upload a file to ODFB - use those accounts only when needed. Azure AD PIM is a good way to combine both: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-managem...

If separating admin accounts from their normal user accounts has worked well in the past for you, then you could continue that into Office 365 and, as Vasil said, licensing doesn't come into it.

I just wonder how this works in practice and how this is more secure. The idea being that an admin account that's used for all activities like email, SharePoint, OneDrive etc. could be more easily compromised by phishing, drive-by downloads or a targeted attack. If successful, the bad guys could come away with the admin's credentials, have backdoor access or increased opportunities for data exfiltration.

With a separate admin account, will staff have a separate web browser open all the time, just logged into the tenant for day-to-day administration, while using a different browser for everything else? The thing is, if the endpoint is compromised or infected, they could probably get access to the dedicated admin account either way.

Anyway, Azure Active Directory Privileged Identity Management would be perfect for this, as Vasil already said: with just-in-time administration, rights are elevated when needed and then taken away when not. This requires Azure Active Directory Premium P2 or Enterprise Mobility + Security E5 to get the most out of it.

Here are the security best practices for Office 365, which you may have seen already. Protecting your admin accounts with multi-factor authentication (here is a comparison of the different versions) would be one of the best things you could do if that's not in place already. Some PowerShell modules don't work with modern authentication, but I think this has improved.

The main drawbacks for me with your suggestion are the practicalities of adhering to it and having to juggle two accounts all the time, with the additional complexities it brings. I'd prefer to minimise who has Global Admin access, make use of some of the other admin roles where practical, deploy MFA and check out other measures that are recommended in Office 365 Secure Score.
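The reply above comes down to two checks a tenant admin can actually run: who holds Global Admin (and whether a lesser role would do), and whether the accounts holding admin roles are also licensed everyday accounts, since licensing is the usual sign that an admin identity also has a mailbox and OneDrive exposed to phishing. The script below is an added, read-only example written for this thread; it is not code from the discussion, from Microsoft's documentation, or from any product. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has been granted the RoleManagement.Read.Directory and User.Read.All read scopes. It changes nothing in the tenant.

```powershell
# Added example: audit active directory-role holders and flag those that also carry licenses.
# Assumes: Microsoft.Graph module installed; signed-in account can read roles and users.
# Read-only: no role, license or user is modified.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members may be users, groups or service principals; only users matter for this check.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property 'UserPrincipalName,AccountEnabled,AssignedLicenses'
        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            # A licensed role holder is almost always also a day-to-day account (mailbox, OneDrive),
            # i.e. the single-account pattern the thread is weighing against separate admin accounts.
            Licensed          = ($user.AssignedLicenses.Count -gt 0)
        }
    }
}

# 1. Global Administrator should be a short list; anyone else here is a candidate for a narrower role.
Write-Host "== Global Administrator holders =="
$report | Where-Object Role -eq 'Global Administrator' | Format-Table -AutoSize

# 2. Licensed admins: review whether everyday use and admin rights should be split into two accounts.
Write-Host "== Licensed accounts holding any admin role =="
$report | Where-Object Licensed | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

# 3. Summary: role holders per role, so role sprawl is visible at a glance.
$report | Group-Object Role | Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Get-MgDirectoryRole returns only roles that have been activated in the tenant, and membership reflects active assignments only; a PIM eligible assignment (the just-in-time model mentioned above) does not appear until it is activated, which is exactly the property that makes PIM attractive here. And this report says nothing about MFA enforcement; pair it with the tenant's Conditional Access or Secure Score review to confirm every listed account is covered.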

Hi, thanks for the responses! I can give a little more detail on how this works for us in practice in our on-premises environment. The support team is logged into their regular machines with their user account, but uses a virtual machine logged in with an admin account that has admin tools such as ShareGate, SharePoint Designer, etc. So any browser on the VM is using the admin credentials. There are a couple of benefits that we are seeing with this approach in our on-prem environment:

  1. We can more easily replicate things that our users are experiencing with our user accounts that may not occur with our admin accounts that have site collection admin privileges, and we can put our user account into different permission groups during testing or troubleshooting.
  2. Also, if any changes are made with an admin account, we (and the content owners) know that was done for troubleshooting purposes.

That said, I'm very open to considering other approaches for O365. I was not aware of Azure Active Directory Privileged Identity Management, so I'll be digging into that a bit more. I also need to consult with our IT Security team to see what their stance is on this. That might actually force the decision one way or another, but I figured it was worth exploring what others are doing for support just to get some ideas.

I appreciate the info sharing! Anyone else who wants to weigh in, please feel free to do so.

Thanks again,

Brian