Apr 18 2020 - last edited on Feb 07 2023
I refer to this existing post which neatly sums up my query: https://techcommunity.microsoft.com/t5/admin-center/admin-roles-for-user-accounts-vs-separate-admin-...
Basically is it a good idea with O365 admins to have a regular daily use account separate from the admin account and then only use the admin account as required in an incognito browser window and sign out when finished (MFA on all accounts regardless a given)?
Benefits I see:
I didn't think the admin account would need to be assigned an O365 licence but then I realised it would have no mailbox associated with it so how would it get admin alerts?
@Vasil Michev suggests Privileged Identity Management (PIM) is a better solution to this in the original post but that would more than double our monthly user cost as it requires Azure AD P2 and we are just using O365 Essentials with Azure AD basic right now.
So assuming PIM is not in our is having two accounts a good idea and if so does the admin account actually need an O365 licence to be able to receive email alerts?
Apr 18 2020 08:08 AM
You only need the Azure AD license for your admin(s), plus it adds some other goodness such as Conditional access policies, Azure AD identity protection and so on.
To your question, no, generally you don't need to have a license or a mailbox for the admin, there are very few functionalities that will not work without one. Alerts will be sent to the "alternative address" you specify when assigning an admin role.
Apr 19 2020 03:21 PM
@Vasil Michev Ahh wait I first read this message at about 3:30am Sunday morning - are you saying only the admin needs an AD Premium subscription to unlock all that stuff - not every user?
Apr 20 2020 09:06 AM
Define "all that stuff"? What I'm saying is that for PIM, you need only licenses for the admins. The other features will have varied license requirements, check the documentation.