Procradminator

Partner/Tenant global admin best practice?

I have an account with our own tenancy which I obviously use for email, OneDrive, SharePoint and so on. It's a global admin account and, as a result, has global admin access to all of our tenants. For security, I'm thinking it shouldn't be, and I should create another account just for admin and PowerShell duties. We also have a "backup" global admin account on each of our client tenancies.

Does this make sense and seem the most secure approach or do other people have suggestions that may be better?

TIA

JanoschUlmer
Microsoft

I agree that you should not use the global admin account for every-day work. So the best action is to create a new global admin account and then remove the permission from the current account.

Think about a scenario where you are targeted with an attack, e.g. a phishing email with an attempt to steal credentials. If your day-to-day work account is targeted, the attacker would immediately get full control. You should also think about implementing additional security measures for your global admins, like MFA + Conditional Access.

The easiest option is to look at the secure score in Azure Security Center; this will give you a checklist of things to do: https://docs.microsoft.com/en-us/azure/security-center/security-center-secure-score

I also suggest taking a look at this guidance explaining a few strategies on how you can enable additional controls but still ensure resiliency: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls

PIM could also be part of the strategy, at least some of the less complex approaches. A good summary of the steps to take is here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json

Also, here is the concept of identity governance: https://docs.microsoft.com/en-us/azure/active-directory/governance/

Kind regards, Janosch
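The procedure Janosch describes (create a dedicated Global Admin account, put MFA via Conditional Access in front of the admin role, then strip Global Admin from the day-to-day account) can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example and is not code from the thread or from Microsoft. The three UPNs, the display name and the tenant are placeholders for the accounts the thread talks about: the mailbox account that currently holds Global Admin, the new admin-only account, and the existing "backup" (break-glass) Global Admin. The Global Administrator role template ID used for the role lookup and the Conditional Access scope is the fixed, documented one; everything else about the tenant is assumed.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
# Added example, not from the original thread. All UPNs are placeholders.
param(
    [string]$DailyUpn      = 'jane@contoso.onmicrosoft.com',        # mail/OneDrive account that is GA today
    [string]$AdminUpn      = 'adm-jane@contoso.onmicrosoft.com',    # new admin-only account to create
    [string]$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # existing "backup" GA account
)

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All'

# The Global Administrator role template ID is identical in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole | Where-Object RoleTemplateId -eq $gaTemplateId
if (-not $gaRole) { throw 'Global Administrator role is not activated in this tenant' }

$daily      = Get-MgUser -UserId $DailyUpn
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

# 1. Create a cloud-only admin account: no mailbox, no licence, so a phish that
#    lands in the day-to-day mailbox cannot touch it. The random initial
#    password must be changed at first sign-in.
$initialPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$admin = New-MgUser -DisplayName 'Jane (Admin)' -UserPrincipalName $AdminUpn `
    -MailNickname ($AdminUpn.Split('@')[0]) -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
Write-Host "Created $AdminUpn; initial password: $initialPassword (store it in a password manager)"

# 2. Grant Global Administrator to the new account.
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($admin.Id)"
}

# 3. Conditional Access: require MFA for every holder of Global Administrator.
#    Start in report-only mode and exclude the break-glass account, so an MFA
#    outage cannot lock every admin out (the resilient-controls guidance above).
$policy = @{
    displayName   = 'Require MFA for Global Administrators'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = @($gaTemplateId); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 4. Pre-flight before stripping the daily account: at least two OTHER Global
#    Admins must remain (the new admin and the break-glass account), and the
#    new account must have been signed in to at least once.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
$others  = @($members | Where-Object { $_.Id -ne $daily.Id })
if ($others.Count -lt 2) {
    throw "Only $($others.Count) other Global Admin(s) found; not removing $DailyUpn"
}
if ($others.Id -notcontains $admin.Id -or $others.Id -notcontains $breakGlass.Id) {
    throw 'New admin or break-glass account is missing from Global Administrator; aborting'
}
Read-Host "Sign in as $AdminUpn in a private browser window and confirm access, then press Enter"

# 5. Remove Global Administrator from the day-to-day account. It keeps its
#    mailbox and licences; only the directory role is removed.
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $daily.Id

# 6. Verify the role membership actually changed.
$after = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
if ($after.Id -contains $daily.Id) { throw "$DailyUpn still holds Global Administrator" }
Write-Host "$DailyUpn no longer holds Global Administrator; admins remaining: $($after.Count)"
```

Run it once per tenant with the tenant's own UPNs. The ordering matters: the new account is added and tested, and the break-glass account is confirmed, before anything is removed, so a typo in a UPN fails closed instead of leaving a tenant with no working Global Admin. Switch the Conditional Access policy from report-only to `enabled` only after the sign-in logs show the admin accounts satisfying MFA, and register MFA for the break-glass account even though the policy excludes it.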