Identifying Global Admins in MCAS?


Hi,

I'm looking to create a couple of policies specifically around Global Admins. I'd like to identify two situations:

- When they change their passwords

- When they change their MFA settings

 

I was looking, and I see I can add an Azure AD account to MCAS to watch, but I don't see a way to add the Global Admin Directory role. Does anyone know how to do this, or have further insight into creating these policies?

3 Replies

Hi @Keith_Ch 

 

By default there is a group "Office 365 (default) administrator" that includes the built-in roles for AAD, not just the Company Administrators.

 

You can start here to create a query (then create a rule from the query) based on the activity you want to search for. 

[screenshot: image.png]

 

When you click on a user you can see which groups / roles they are a member of.

[screenshot: image.png]

 

 

This is not exactly what you are looking for, so I will bring this feedback back to the team for evaluation.

Best

Gershon

 

@Gerson Levitz Thanks for the response, I'll see if I can get this working.

@Gerson Levitz 

So I was playing with this and I realized two things. First, I thought you meant I could do additional filtering based on a query; given the fact that the group contains all the roles, not just admin, I think what I'm trying to do would probably create too much noise.

 

I also realized that this is anytime a user changes a password, including both their own password, and other passwords. How would I specify only my own password? "Change user password." Basically, I want to make it so someone can't change their password if they're a global admin, they need the help of another global admin. So you need two administrators to change an administrator account password, or MFA settings.
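
The distinction asked about in the last post (a Global Admin changing their own credentials versus one changed by a second Global Admin), together with the noise problem of a group that holds every admin role, sketched as an added example that is not from the thread or from Microsoft. It runs over constructed activity records; the field names (`time`, `activity`, `actor`, `target`), the account names and the MFA activity label are assumptions, not an MCAS schema. Only "Change user password" is taken from the thread.

```python
# Added example: classifies credential-change events for Global Admin accounts.
# Record layout is hypothetical; adapt it to whatever your activity export contains.
WATCHED = {
    "Change user password",               # activity name quoted in the thread
    "PLACEHOLDER: MFA settings change",   # real activity name is not given on the page
}

def norm(upn):
    """Compare account names case-insensitively."""
    return upn.strip().lower()

def classify(events, global_admins, watched=WATCHED):
    """Return (time, kind, actor, target) for watched changes to Global Admin accounts."""
    admins = {norm(a) for a in global_admins}
    findings = []
    for ev in events:
        if ev["activity"] not in watched:
            continue
        actor, target = norm(ev["actor"]), norm(ev["target"])
        if target not in admins:
            continue  # other admin roles and ordinary users: dropped to cut noise
        if actor == target:
            kind = "self_change"        # admin changed their own credential
        elif actor in admins:
            kind = "peer_change"        # a second Global Admin made the change
        else:
            kind = "non_admin_actor"    # changed by someone outside the role
        findings.append((ev["time"], kind, actor, target))
    return findings

def violations(events, global_admins):
    """Everything except the two-admin case the poster wants to allow."""
    return [f for f in classify(events, global_admins) if f[1] != "peer_change"]

# Constructed sample data (not real accounts or real log output).
GLOBAL_ADMINS = ["alice@contoso.example", "bob@contoso.example"]
SAMPLE_EVENTS = [
    {"time": "2019-06-20T09:00Z", "activity": "Change user password",
     "actor": "alice@contoso.example", "target": "alice@contoso.example"},
    {"time": "2019-06-20T09:05Z", "activity": "Change user password",
     "actor": "Bob@Contoso.example", "target": "alice@contoso.example"},
    {"time": "2019-06-20T09:10Z", "activity": "Change user password",
     "actor": "helpdesk@contoso.example", "target": "carol@contoso.example"},
    {"time": "2019-06-20T09:15Z", "activity": "Change user password",
     "actor": "helpdesk@contoso.example", "target": "bob@contoso.example"},
    {"time": "2019-06-20T09:20Z", "activity": "Log on",
     "actor": "alice@contoso.example", "target": "alice@contoso.example"},
    {"time": "2019-06-20T09:25Z", "activity": "PLACEHOLDER: MFA settings change",
     "actor": "bob@contoso.example", "target": "bob@contoso.example"},
]
```

This only reports after the fact; it does not block a Global Admin from changing their own password, which is what the post ultimately asks for.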