Jun 20 2019 09:36 AM
Hi,
I'm looking to create a couple of policies specifically around Global Admins. I'd like to identify two situations:
- When they change their passwords
- When they change their MFA settings
I was looking, and I see I can add an Azure AD account to MCAS to watch, but I don't see a way to add the Global Admin Directory role. Does anyone know how to do this, or have further insight into creating these policies?
Jun 23 2019 03:31 AM - edited Jun 23 2019 03:34 AM
Hi @Keith_Ch
By default there is a group "Office 365 (default) administrator" that includes the built-in roles for AAD, not just the Company Administrators.
You can start here to create a query (then create a rule from the query) based on the activity you want to search for.
When you click on a user you can see which groups / roles they are a member of.
This is not exactly what you are looking for, so I will bring this feedback back to the team for evaluation.
Best
Gershon
Jun 25 2019 11:37 PM
@Gerson Levitz Thanks for the response, I'll see if I can get this working.
Jul 08 2019 02:27 PM
So I was playing with this and I realized two things. First, I thought you meant I could do additional filtering based on a query; given the fact that that group contains all the roles, not just admin, I think what I'm trying to do would probably create too much noise.
I also realized that this is any time a user changes a password, including both their own password and other passwords. How would I specify only my own password? "Change user password." Basically, I want to make it so someone can't change their password if they're a global admin; they need the help of another global admin. So you need two administrators to change an administrator account password, or MFA settings.