Reducing the count of Global admin accounts in Office 365


Hi Folks,

I guess I'm probably not the only person who has asked this question in this forum, but I'm here for some advice. I've been asked to figure out a way to reduce the Office 365 global admin accounts in our PROD tenant. While I do understand that it depends on the organization itself and the workloads which the admins are managing, I'd like to know if there's something specific which I can think of to reduce the count. I decided to knock off the service accounts which have global admin access and are being used to run some scheduled scripts (I know having a service account with global admin access is a dumb thing to do, but we just didn't have other alternatives). The admins in the tenant manage multiple workloads, hence it's not possible to give them role-specific access. We thought of RBAC but even that didn't help. I got this life saver called PIM (Privileged Identity Management) but the architect team failed to onboard it. I know I have tried all the possibilities myself, and since I'm left with none I'm here for some advice.

2 Replies

Hi Vignesh!

Perhaps not the answer you are looking for since it has been tried in your organization but I think Privileged Identity Management (PIM) is the solution you need in order to achieve what you are looking for.

Regards, Magnus

Agree with Magnus that PIM is probably the next solution to achieve the requirements you've outlined.

Ben