I've been working with Microsoft on accessing Security and Compliance. External Azure AD accounts need access to Security and Compliance on Office 365. Their official response is to create a Global Admin user on the tenant and log in with that account. I replied that I have multiple technicians, and sharing an account is less secure and effective. It raises these concerns:
- If I turn over an employee, I need to change the global admin password for every tenant immediately, a potential nightmare.
- If there is an issue that's created with this login, my client can only point to my organization but not an individual.
- Creating more global admin accounts than needed creates more infiltration vectors.
- Global Admins require MFA enabled, and all my technicians have different phones and numbers, so I can't set MFA, but it's required.
Microsoft's response here is to create an account for each technician on each tenant... which then multiplies all the issues stated above (especially employee termination and infiltration vectors).
We used to use our partner account which was AD-specific, highly guarded because it's ours, able to be audited to a single person (me), compliant for all regulations, and the right solution. This solution of a shared account is a disaster waiting to happen.
The solution is to give external users access to tenants and include that information in auditing. Office 365/Azure AD is set up to do exactly that, but why it's not a top priority is perplexing, and the engineers who've worked my 3-month ticket have said they aren't changing it.
The solution as implemented is not well designed and highly vulnerable. Partners cannot differentiate between which employee was the concern, and as such, will lose business from the client. Having 10 Global Admin accounts on every tenant isn't the right answer, either, is it? Less is better in that scenario. And sharing an account? Well, that's just a worst practice.