Partner/Tenant global admin best practice?
I have an account with our own tenancy which I obviously use for email, OneDrive, SharePoint and so on. It's a global admin account and as a result, has global admin access to all of our tenants. For security I'm thinking it shouldn't be and I should create another account just for admin and PowerShell duties. We also have a "backup" global admin account on each of our client tenancies.
Does this make sense and seem the most secure approach or do other people have suggestions that may be better?
I agree that you should not use the global admin account for every-day work. So the best action is to create a new global admin account and then remove the permission from the current account.
Think about a scenario were you are targeted with an attack - e.g. phishing email with attempt to steal credentials. If your day-to-day work account is targeted, the attacker immediately would get full control. Also you should think about implementing additional security measures for your global admins, like MFA + Conditional Access.
Easiest option is to look at the secure score in Azure Security Center - this will give you a checklist of things to do: https://docs.microsoft.com/en-us/azure/security-center/security-center-secure-score
Also I suggest taking a look at this guidance explaining a few strategies on how you can enable additional controls, but still ensure resiliency: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls
Also PIM could be part of the strategy - at least some of the less complex approaches - good summary on steps to take are here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json
Also here the concept of identity governance: https://docs.microsoft.com/en-us/azure/active-directory/governance/
Receive consultations via Technical Presales and Deployment Services team