Best practice - Keeping a generic Office 365 Global Admin account free from all policies


Quite a while ago, it was recommended to have a generic account for Office 365 to act as a sort of last resort if the regular synced accounts fail to log in for some reason.


Anyone know if this is still recommended, and what the recommendation would be regarding enforcing MFA for this account?


Does Microsoft recommend that an organisation keep a generic account in O365 with Global Admin privileges to get access to the tenancy in worst-case scenarios, e.g. ADFS is down so regular federated accounts can't log in, MFA is down and, again, regular MFA-enforced accounts can't log in, etc.?

2 Replies

If you are using AD FS, yes, it's recommended to have at least one cloud-only GA. Make sure to protect it via MFA though, or at the very least configure a Conditional Access policy to require MFA on "unknown" locations.

Are you also aware of the Microsoft Secure Score? I would recommend that you evaluate how your tenant is doing in terms of security settings, which will also provide information about your admin account(s).
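
One way to check the first reply's "at least one cloud-only GA" recommendation, as an added example that is not part of the original thread. The function name, the contoso sample accounts, and the extra `*.onmicrosoft.com` criterion are assumptions of this example.

```powershell
# Flags Global Administrators that could serve as a last-resort account:
# enabled, not synced from on-premises AD, and (this example's own criterion)
# on the tenant's *.onmicrosoft.com domain, because a UPN on a federated
# domain is still redirected to AD FS at sign-in.
function Get-BreakGlassCandidate {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $synced  = [bool]$User.OnPremisesSyncEnabled   # $null means cloud-only
        $initial = $User.UserPrincipalName -like '*.onmicrosoft.com'
        [pscustomobject]@{
            UserPrincipalName   = $User.UserPrincipalName
            Enabled             = [bool]$User.AccountEnabled
            SyncedFromAD        = $synced
            OnInitialDomain     = $initial
            BreakGlassCandidate = [bool]$User.AccountEnabled -and -not $synced -and $initial
        }
    }
}

# Constructed sample input; the contoso names are placeholders.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'
                       OnPremisesSyncEnabled = $true;  AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com'
                       OnPremisesSyncEnabled = $null;  AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'emergency@contoso.onmicrosoft.com'
                       OnPremisesSyncEnabled = $null;  AccountEnabled = $true }
)

$report = $sample | Get-BreakGlassCandidate
$report | Sort-Object BreakGlassCandidate -Descending | Format-Table -AutoSize

if (-not ($report | Where-Object BreakGlassCandidate)) {
    Write-Warning 'No enabled cloud-only Global Admin on the *.onmicrosoft.com domain.'
}

# Against a live tenant (Microsoft.Graph module), feed the function from Graph
# instead of $sample. Only active role members are listed this way.
#   Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'
#   $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
#   Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
#     Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
#     ForEach-Object { Get-MgUser -UserId $_.Id -Property `
#         'userPrincipalName,onPremisesSyncEnabled,accountEnabled' } |
#     Get-BreakGlassCandidate
```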