Forum Discussion

Chris Parker
Iron Contributor
Mar 14, 2018
Solved

Best practice for Global Admin account and how to transition my own account

I'm sure mine is a common scenario: I created the Office 365 tenant and so I am a Global Admin. Over time, I've created multiple services, setup AAD Connect, and the list goes on.


I want to do a few things:


1. Determine all the places where my credentials are being used to authenticate services/apps

2. Create and use a dedicated Global Admin account

3. Take my account out of the Global Admin list

4. Enable MFA on my account


On second thought, if I enable MFA on my account can I continue to use it as the Global Admin or is that still a bad practice?
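Steps 2 and 3 of the list above, carried through as an added example that is not part of the original post and not Microsoft's own guidance. It uses the current Microsoft Graph PowerShell SDK rather than the MSOnline/AzureAD modules that were current in 2018; the two UPNs and the display name are placeholders, and the initial password is entered interactively rather than stored in the script. The script re-reads role membership and refuses to remove the personal account unless the new one is confirmed as a member and at least one other Global Admin remains, so the tenant is never left without one. Step 4 (MFA) is not scripted: it is normally enforced through a Conditional Access policy or security defaults rather than per-user cmdlets.

```powershell
# Added example (not from the original thread). Requires: Install-Module Microsoft.Graph
# Placeholders: replace both UPNs and the display name with your own values.
$oldAdminUpn = "user@contoso.example"      # the personal account being demoted (placeholder)
$newAdminUpn = "ga-admin@contoso.example"  # the dedicated admin account (placeholder)

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# The Global Administrator directory role; it is activated in every tenant that has a GA.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role not found; aborting." }

# Step 2: create the dedicated admin account if it does not exist yet.
$newAdmin = Get-MgUser -Filter "userPrincipalName eq '$newAdminUpn'" -ErrorAction SilentlyContinue
if (-not $newAdmin) {
    # Initial password is typed in, never written to the script or the console,
    # and must be changed at first sign-in.
    $secure = Read-Host "Initial password for $newAdminUpn" -AsSecureString
    $initialPassword = [System.Net.NetworkCredential]::new('', $secure).Password

    $newAdmin = New-MgUser -DisplayName "Dedicated Global Admin" `
        -UserPrincipalName $newAdminUpn `
        -MailNickname ($newAdminUpn.Split('@')[0]) `
        -AccountEnabled `
        -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
    Write-Host "Created $newAdminUpn."
}

# Add the new account to the role (skipped if it is already a member).
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
if ($members.Id -notcontains $newAdmin.Id) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($newAdmin.Id)" }
    Write-Host "Added $newAdminUpn to Global Administrator."
}

# Sign in with the new account in a separate browser session before continuing; ideally
# run the removal below while connected as the new account, not the one being removed.

# Safety check before demoting the old account: re-read membership from the directory and
# require that the new account is actually listed and that at least one other GA remains.
$members   = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
$oldAdmin  = Get-MgUser -Filter "userPrincipalName eq '$oldAdminUpn'"
$remaining = @($members | Where-Object { $_.Id -ne $oldAdmin.Id })
if (($members.Id -notcontains $newAdmin.Id) -or ($remaining.Count -lt 1)) {
    throw "Refusing to remove $oldAdminUpn from Global Administrator: no other member would remain."
}

# Step 3: remove the personal account from the role.
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $oldAdmin.Id
Write-Host "$oldAdminUpn removed from Global Administrator. Remaining members: $($remaining.Count)"
```

The order matters: membership is checked after the add and re-read from the directory, not assumed from the earlier call, because a failed or delayed role assignment would otherwise leave the tenant with the old account removed and the new one not yet privileged.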

  • Service side, no credentials are stored. AAD Connect also doesn't store the GA credentials, it uses its own account. The common scenarios are storing credentials in PowerShell scripts/scheduled tasks and similar.

    In general, once you create the new account, you can query the Azure AD audit logs for any logon activity from the old one, which should give you an idea if/where it's still used.

    The best practice is using separate accounts, as it minimizes the chances you will expose the credentials for the privileged account (un)intentionally. But protecting it with MFA is a good middle ground.
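The log query the answer above suggests, as an added example that is not part of the original thread and not Microsoft's own code. It reads the Azure AD (now Entra ID) sign-in logs for the old account through the Microsoft Graph PowerShell SDK and groups successful sign-ins by application, client type, source IP and whether the sign-in was interactive: a stream of non-interactive successes from one fixed address is the typical footprint of a credential stored in a script or scheduled task. The UPN, look-back window and local search paths are placeholders, and how far back the logs reach depends on the tenant's licence and retention settings.

```powershell
# Added example (not from the original thread). Requires: Install-Module Microsoft.Graph
$oldAdminUpn  = "user@contoso.example"   # account whose remaining uses we want to find (placeholder)
$lookbackDays = 30                        # placeholder; bounded by your sign-in log retention

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$oldAdminUpn' and createdDateTime ge $since"

# Successful sign-ins, grouped by where they come from. Non-interactive entries from a fixed IP
# are the ones that point at a stored credential (script, scheduled task, service).
$summary = $signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { "$($_.AppDisplayName) | $($_.ClientAppUsed) | $($_.IPAddress) | interactive=$($_.IsInteractive)" } |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'App | Client | IP | Interactive'; e = { $_.Name } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime } }

$summary | Format-Table -AutoSize

# Failures matter too: after the password is rotated, anything still holding the old one
# shows up here as repeated failed sign-ins from the same app and address.
$signIns |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress, @{ n = 'Reason'; e = { $_.Status.FailureReason } } |
    Format-Table -AutoSize

# The cloud log only shows the sign-in; the stored credential lives on a machine. On servers that
# run automation, a search for the UPN in script folders and scheduled task definitions (XML under
# System32\Tasks, which records the principal a task runs as) finds the places to clean up.
# Paths are placeholders.
Get-ChildItem -Path 'C:\Scripts', 'C:\Windows\System32\Tasks' -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern ([regex]::Escape($oldAdminUpn)) -List |
    Select-Object Path
```

Run the query once before the password rotation to see the success pattern, and once after to catch the failures; a source that appears in neither list is not using the account at all and can be removed from the migration plan.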

2 Replies


    • Chris Parker
      Iron Contributor
      Thanks for the response. This should be just what I needed. I haven't done much work with the audit log yet so this will be a good chance.
