Using Priority Accounts in Microsoft 365
Published Nov 18 2020 01:18 PM
Microsoft

Many organizations have people that are considered priority accounts for IT, such as executives, leaders, managers, and others. To help IT ensure a high quality of service and protection for these people, we have introduced capabilities in Microsoft 365 that enable an admin to tag specific users as priority accounts and then leverage app-specific features designed for them. To start with, we’ve announced two capabilities: priority account protection and premium mail flow monitoring.
  • Priority account protection: These users are common targets of phishing campaigns and other cyber-attacks because they often deal with sensitive or secret information and have the added advantage (from an attacker’s point of view) of being extremely visible and researchable. Some users can also have access to critical tools and information, making them targets, as well. Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) supports priority accounts as system tags that can be used in filters in alerts, reports, and investigations. Priority account protection can be configured using the Security & Compliance Center.
  • Premium mail flow monitoring: Healthy mail flow can be critical to business success, and delivery delays or failures can have a negative impact on the business. You can monitor mail flow for priority accounts and choose a threshold for failed or delayed emails, receive alerts when that threshold is exceeded, and view a report of email issues for priority accounts. Premium mail flow monitoring can be configured using the modern Exchange admin center.

Let’s have a closer look at the app-specific features for priority accounts.

Priority account protection

In response to the reality of an increasingly sophisticated and targeted threat landscape, organizations need differentiated protection for their most visible and targeted employees. These accounts require more protection and attention from security teams. Monitoring these priority accounts closely can yield early warning and important threat intelligence signals that help protect the organization. With the public preview of priority account protection in Defender for Office 365, security teams can now provide extra protection for these accounts, as described here.
[Image: PA2.png]

Priority accounts are treated as a tag that can be used in filters in alerts, reports, and investigations in Defender for Office 365, as shown below.

[Image: PA3.png]

Over the next few months, priority account protection in Defender for Office 365 will be expanded. It will be integrated with the quarantine experience, and any email targeted at a priority account will be tagged as such. It will also be easy to filter the view to see only malicious emails targeted at priority accounts. Priority accounts will also be integrated with Submission explorer; submissions from any priority account will be tagged and filterable, allowing security teams to focus first on these submissions over others.
You can learn more about priority account protection in Defender for Office 365 in this Ignite on-demand session.
Requirements for priority account protection in Defender for Office 365

Priority account protection is available in Defender for Office 365 Plan 2, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security.
Premium mail flow monitoring

Exchange Online provides premium mail flow monitoring for priority accounts. For this scenario, you can use the Microsoft 365 admin center or the modern Exchange admin center to tag a user as a priority account.

[Image: PA1.png]

After adding users to the priority accounts list, you can use the Exchange admin center to monitor mail flow for them. You can choose a threshold for failed or delayed emails, receive alerts when that threshold is exceeded, and view a report of email issues for priority accounts. The report allows admins to view failed events from the last 15 minutes and delayed email messages from the last 6 hours that were sent to or from priority accounts (note: if no issues are found, the report will be empty).

Requirements for premium mail flow monitoring

Premium mail flow monitoring requires Office 365 E3, Microsoft 365 E3, Office 365 E5, or Microsoft 365 E5, along with at least 10,000 licenses and at least 50 monthly active Exchange Online users.
Availability of priority accounts

Priority accounts are available to all Microsoft 365 customers. A priority account is a property setting on a user account, and you can see and modify the priority accounts list using PowerShell.
Scenario and PowerShell command:

  • View list of priority accounts: get-user -IsVIP | select Identity
  • Add user to list of priority accounts: set-user -VIP:$true -Identity <Identity>
  • Remove user from list of priority accounts: set-user -VIP:$false -Identity <Identity>

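The cmdlets above can be wrapped in a small reconciliation script so the priority-account list is driven from a source of truth rather than edited by hand. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and the caller can run Get-User/Set-User, the UPNs in $DesiredVips are constructed sample values, and the 250-account limit is the figure given in the comments below.

```powershell
# Added example, not from the original post: reconcile the priority-account (VIP)
# flag in Exchange Online against a desired list of users.
# Assumptions (not stated on the page): the ExchangeOnlineManagement module is
# installed, the caller holds a role allowed to run Get-User/Set-User, and the
# UPNs below are constructed sample values.
Import-Module ExchangeOnlineManagement
# Get-User/Set-User are Exchange Online cmdlets; they only exist inside a session.
Connect-ExchangeOnline

$DesiredVips = @(            # constructed sample: the intended priority accounts
    'ceo@contoso.example',
    'cfo@contoso.example'
)
$MaxVips = 250               # limit quoted in the post's comments

if ($DesiredVips.Count -gt $MaxVips) {
    throw "Desired list has $($DesiredVips.Count) accounts; the limit is $MaxVips."
}

# Current state; @() guards against a $null result when no account is tagged yet
$current = @(Get-User -IsVIP -ResultSize Unlimited |
             Select-Object -ExpandProperty UserPrincipalName)

# PowerShell comparison operators are case-insensitive, so UPN casing does not matter
$toAdd    = @($DesiredVips | Where-Object { $_ -notin $current })
$toRemove = @($current     | Where-Object { $_ -notin $DesiredVips })

foreach ($upn in $toAdd) {
    Set-User -Identity $upn -VIP:$true
    Write-Host "Tagged $upn as a priority account"
}
foreach ($upn in $toRemove) {
    # The parameter is -VIP on Set-User; -IsVIP is a Get-User filter only.
    Set-User -Identity $upn -VIP:$false
    Write-Warning "Removed priority tag from $upn (protection/monitoring no longer applies)"
}

# Verify the end state matches the desired list and report any drift
$after = @(Get-User -IsVIP -ResultSize Unlimited |
           Select-Object -ExpandProperty UserPrincipalName)
$drift = Compare-Object -ReferenceObject $DesiredVips -DifferenceObject $after
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "Priority account list still differs from the desired state"
} else {
    Write-Host "Priority account list matches desired state ($($after.Count)/$MaxVips used)"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and alert on the drift warning: an unexpected removal from the VIP list silently drops that user out of priority account protection and mail flow monitoring.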

You can use priority accounts only if your organization meets the app-specific requirements. If your organization meets the requirements for using priority account protection or premium mail flow monitoring, then you will see the above experiences in the admin centers. If your organization does not meet either of these requirements, you won’t see these experiences in the admin centers. In the future, more apps and services will support priority accounts, and new experiences and requirements will emerge.
As always, we welcome your feedback. Let us know if you have any scenarios you’d like to see us support for priority accounts.

10 Comments

How many accounts can be set up as priority accounts? Is there any limit?

Microsoft

Hi @Sankarasubramanian Parameswaran, the limit is 250 priority accounts.

Copper Contributor

We do have 250 users; can we utilize this feature?

Copper Contributor

@shazeab you can utilize the priority account feature as long as you have the licensing listed in the blog post. If you want to use the premium mail flow monitoring feature, you need to have the proper licensing PLUS 10,000 licenses PLUS 50 monthly active Exchange Online users.

Not sure why the 10,000 license requirement is there for the premium mail flow monitoring. I haven't read any official responses to why that is a requirement to be able to use the feature.

Copper Contributor

Thank you @ginja_ninja, it doesn't make any sense why MS kept this requirement in numbers.

Iron Contributor

PowerShell commands don't work!

> get-user -isvip | select identity
get-user : The term 'get-user' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get-user -isvip | select identity

Brass Contributor

To remove users you should use set-user -vip:False, not set-user -isvip:false. This is tricky for someone who doesn't pay much attention to details, like most sysadmins. lol

Copper Contributor

Is it possible to view/set this flag using the Graph API? We already have an existing process that sets other attributes based on roles within our organization, and we'd like to include this in the existing process.

Copper Contributor

I added a group in our on-prem AD and synced it to Azure AD, then added that group to O365 Priority Account Protection. My question is, now when I add or remove users from that on-prem group and sync it to Azure AD, will it update my O365 Priority Accounts user list?

Copper Contributor

Can anyone please confirm whether I need to assign Defender Plan 2 to all members in the priority account tag as well? Or is only one license sufficient for the user who is going to set up the policy?

Version history
Last update: May 06 2021 11:45 AM