Level 1 Contributor

Partner/Tenant global admin best practice?

I have an account with our own tenancy which I obviously use for email, OneDrive, SharePoint and so on. It's a global admin account and as a result, has global admin access to all of our tenants. For security I'm thinking it shouldn't be and I should create another account just for admin and PowerShell duties. We also have a "backup" global admin account on each of our client tenancies.


Does this make sense and seem the most secure approach or do other people have suggestions that may be better?




I agree that you should not use the global admin account for every-day work. So the best action is to create a new global admin account and then remove the permission from the current account. 


Think about a scenario were you are targeted with an attack - e.g. phishing email with attempt to steal credentials. If your day-to-day work account is targeted, the attacker immediately would get full control. Also you should think about implementing additional security measures for your global admins, like MFA + Conditional Access. 


Easiest option is to look at the secure score in Azure Security Center - this will give you a checklist of things to do: 


Also I suggest taking a look at this guidance explaining a few strategies on how you can enable additional controls, but still ensure resiliency: 


Also PIM could be part of the strategy - at least some of the less complex approaches - good summary on steps to take are here:


Also here the concept of identity governance: 



Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team