SOLVED

Global administrator in Office 365, how to get real governance

Copper Contributor

I am trying to have 100% governance to avoid having the following situation:

1- Global admin make the decision to kick-out the others global admin and take control

2- Give the corporate management people the ability to freeze Office 365, kick out the Global admin and replace the credential in case of fraud or miss-used information

 

I had one Global Admin, and having discover that he hacked my eMail on April 18th, we needed to replace him as a Global Admin.  Microsoft can not do anything on that.  Global Admin is like God.  Even if you add more global admin, the malicious global admin can remove the other one.

 

Being 100% the share older, how to I get full governance and avoid future issues?  Thanks  

18 Replies
best response confirmed by jeffmedford (Microsoft)
Solution

Microsoft CAN help you in situations like this, but you will need to pass over multiple verifications and so on. So if you havent contacted support already, do it, and if the first line guys are giving you trouble ask to get the issue escalated.

 

As to what you can do to avoid future issues - dont grant access to people you dont trust and protect your sensitive accounts with MFA (it's free and very simple to setup/use).

Nice work @VasilMichev! 'Best Answer' FTW!


@VasilMichev wrote:

Microsoft CAN help you in situations like this, but you will need to pass over multiple verifications and so on. So if you havent contacted support already, do it, and if the first line guys are giving you trouble ask to get the issue escalated.

 

As to what you can do to avoid future issues - dont grant access to people you dont trust and protect your sensitive accounts with MFA (it's free and very simple to setup/use).


Just wanted to +1 on the Multi-Factor Auth protection statement above.

 

For more information on MFA, you can see below:

https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0...

 

best response confirmed by Rudolph_Greg_Surovcik (Copper Contributor)
Solution

The Global Admin account level is extremely important to protect. MFA is a must.

 

One related tip... If you're on E3, you can Activity log to query all changed admin settings or call the corresponding API.

 

For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.

 

Either way, it is good from a checks and balances perspective to see what other admins are setting.

On a somewhat related topic, are there any plans to implement Just In Time admin roles in which admins have to request an increase in permissions to perform specific tasks during a dedicated period of time?

you have this today thru azure privlaged identity management.  from the azure portal add it as a new service and walk thru the wizard.

Thanks Jeremy,

Looks like that the real solution for me is to be E5 level to ensure a full corporate control in case of bad intention or behavior from a Global Admin


@JeremyChapmanMSFT wrote:

The Global Admin account level is extremely important to protect. MFA is a must.

 

One related tip... If you're on E3, you can Activity log to query all changed admin settings or call the corresponding API.

 

For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.

 

Either way, it is good from a checks and balances perspective to see what other admins are setting.


Thanks,

Sorry Vasil, but Microsoft can not do anything if the Global Admin does not give is OK.  So if you deal with a bad boy, you are stock in the coner.  I have try if to 3 days, and Microsoft can not do anything.

Being more a busness manager I did not know MFA, but I quikly surf it, and it seem to be in the right direction.  So, If one department is taking care of managing MFA, and another one is doing Office 365, I understand that the MFA person could remove the Global Administor rights to login and take over.  I hope I have properly understood.  Thanks for the community, it is very helpfull.

All Global admins have equal rights, if that's what you mean. Protecting an account with MFA will not prevent any malicious activities from rogue operative, but it will put another layer of security on top of the password.

There are seldom good technical answers to the activities of flawed human beings who have some level of authority. In this instance, if administrator access is assigned to people who end up doing stupid things like hack into managers' mailboxes, your hiring policies, controls, or methods for appointing people into positions of authority need to be looked at to ensure that it doesn't happen again. Controls include audits of administrative activities and access to user data that are performed by someone other than the administrators. All of the capabilities are there to perform the audits; they just have to become part of normal operating procedure and carry suitable consequences if malicious activities are detected. Those consequences have to be communicated clearly and unambigiously to the administrators so that no one is in any doubt as to what will happen if they misuse the authority over the tenant that they have been granted. And you should always have at least two administrators who can validate the actions of each other.

 

All of this can be summarized in a single sentence: Management need to manage IT and the people who administer those systems.

Is it recommended that the Global Administrator of an organization be enabled for MFA, using the built in MFA that comes with the Office 365 E1 subscription? What happens if the Global Administrator loses access to his or her smart phone, and can't authenticate? What is the best practice recommendation for securing the Global Administrator's login credentials?

A good place to start is to ensure that every admin role has at least 2 people assigned.

Thanks for your reply! That is obviously minimal, but one global admin can take out the global admin.  We implement 3 global admin from different dept.  Also, we will implement in the AD Azure a corporate admin that can take out the rights of any global admin in Office 365.  Using the Compliance center for audit and alerts, we should be fine.  I think that I am heading to a good governance and information security.

We recently published a show on Microsoft Mechanics about the updates to AZure AD for Identity Protection and Privileged Identity Management - these are tools designed for admin governance.

 

Danny - I'm just getting around to reading this post.  If you're looking for a way to control admin rights on a per tenant basis and only allow certain admins to perform certain functions, wiht the ability to track all admin activity, reach out and we'll demo our multitenat O365 management platform to you. We have a number of features that go well beyond the O365 admin portal including advanced RBAC.

 

Rgds,
Brian

To stop a rogue global admin from deleting other admins, is it possible to limit logins from global admins to specific physically secure local locations?  That way, when it's time to say goodbye to a global admin, you can change the physical access controls to the secure local locations and he/she would no longer have access and could do no harm.

2 best responses

Accepted Solutions
best response confirmed by jeffmedford (Microsoft)
Solution

Microsoft CAN help you in situations like this, but you will need to pass over multiple verifications and so on. So if you havent contacted support already, do it, and if the first line guys are giving you trouble ask to get the issue escalated.

 

As to what you can do to avoid future issues - dont grant access to people you dont trust and protect your sensitive accounts with MFA (it's free and very simple to setup/use).

View solution in original post

best response confirmed by Rudolph_Greg_Surovcik (Copper Contributor)
Solution

The Global Admin account level is extremely important to protect. MFA is a must.

 

One related tip... If you're on E3, you can Activity log to query all changed admin settings or call the corresponding API.

 

For E5, Advanced Security Management would be able to set up rules in case too many settings are set by a rogue Global Admin, then you could suspend that rogue Global Admin account automatically if they exceed your threshold.

 

Either way, it is good from a checks and balances perspective to see what other admins are setting.

View solution in original post