Business Office 365 accounts have at least one global administrator with godlike power over everyone’s business accounts and mailboxes. In our dangerous world, businesses have to protect that account fiercely. I could make a good argument that online security is more critical in 2019 than locking the door to secure the physical stuff in the office.
I want to suggest some best practices for every business with an Office 365 account. These suggestions are addressed to small businesses; medium to large companies have to take at least these basic precautions and probably should do more. (A bit more about that below.)
TL;DR
These are best practices for Office 365 security.
- No user should have global admin privileges. This is the important thing to change about your current setup.
- Set up two dedicated global admin accounts without licenses, with different secondary email addresses. Use complex passwords.
- Protect each global admin account with two-factor authentication, also known as multi-factor authentication (MFA), using a different authentication method for each account.
- Only administer the Office 365 account in incognito mode. Don’t save credentials and be sure to close the browser when you’re done.
The same principles apply to other cloud services like Box, Dropbox, Salesforce, and the rest.
There are additional details and suggestions in Microsoft’s tech note about security for global admin accounts. Here is a particularly detailed article about how to implement these best practices.
Set up two global admin accounts for Office 365
Microsoft allows Office 365 accounts to be set up without a license at no charge. Use unlicensed accounts for global admin access. No mailbox will be associated with them.
Once the global admin accounts are set up, log in as a global admin and remove global admin permissions from all other users. It doesn’t matter if it’s the owner of the company or the smart nearly-an-IT-person in the cubicle. Anyone can be fooled by a phishing message into giving up a mail password and having their account hacked. If it’s just a mailbox, that is a damaging event and no one has any fun. But if it’s a global admin account, the hackers can take down the entire company, change all the passwords, read all the email, insert poisoned rules into everyone’s mailbox, send spam from all accounts, and replace all the recovery information so that it’s difficult to get help from Microsoft.
Use the principle of “least privilege” to assign limited admin roles to users. Perhaps there’s a finance person who should be Billing Administrator, or an admin person who demands to be User Administrator with the power to reset passwords and set up new mailboxes. But no regular user should be a global admin.
If there are two accounts, there is always a point of entry for recovery if one account is compromised or a password is lost.
Complex passwords are required, of course, but they no longer provide sufficient security. Microsoft allows MFA to be set up for global admins on any Office 365 account for free, regardless of the type of license. Microsoft also offers many other layers of security that require expensive additional licenses, but MFA is free and should be considered an essential requirement now wherever it is available. Again, use a different authentication method on each account so there is always a way into a global admin account in an emergency, even if the phone needed to authenticate one of them is lost.
Use incognito mode to administer the Office 365 account. Not only is it more secure, but it’s also easier because the browser won’t be confused and log you into your regular mailbox automatically. It should go without saying that you shouldn’t let the browser memorize the password. Microsoft prompts you separately to memorize the login; always answer No.
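The checks above (exactly two dedicated global admins, no license on either, MFA registered, different MFA methods, an alternate email on each) can be audited from PowerShell. The script below is an added example written for this article, not Microsoft's code or anything from the original post; it assumes the MSOnline module (the tenant-management module current when this was written) is installed and that you can sign in as a global admin. "Company Administrator" is MSOnline's internal name for the Global Administrator role; every account name in it is a placeholder.

```powershell
# Added audit script, not part of the original article.
# Assumes: MSOnline module installed; you sign in with a global admin account.
# "Company Administrator" is MSOnline's internal name for Global Administrator.
# All account names below are placeholders.

Import-Module MSOnline
Connect-MsolService    # prompts for credentials and the MFA challenge

$roleName = 'Company Administrator'
$role     = Get-MsolRole -RoleName $roleName
$members  = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All

# Build one row per global admin user with the properties the article cares about
$report = foreach ($m in $members) {
    if ($m.RoleMemberType -ne 'User') { continue }   # skip groups / service principals
    $u = Get-MsolUser -UserPrincipalName $m.EmailAddress
    [pscustomobject]@{
        User           = $u.UserPrincipalName
        Licensed       = $u.IsLicensed                 # should be False for a dedicated admin account
        MfaMethods     = (($u.StrongAuthenticationMethods | ForEach-Object MethodType) -join ',')
        HasMfa         = ($u.StrongAuthenticationMethods.Count -gt 0)
        AlternateEmail = ($u.AlternateEmailAddresses -join ',')
    }
}

$report | Format-Table -AutoSize

# Compare the tenant against the rules in the article
$issues = @()
$adminCount = ($report | Measure-Object).Count
if ($adminCount -lt 2) {
    $issues += "Only $adminCount global admin account(s); a second one is needed as a recovery path."
}
foreach ($r in $report) {
    if ($r.Licensed) {
        $issues += "$($r.User) is licensed (has a mailbox); use a dedicated unlicensed admin account instead."
    }
    if (-not $r.HasMfa) {
        $issues += "$($r.User) has no MFA method registered."
    }
    if (-not $r.AlternateEmail) {
        $issues += "$($r.User) has no alternate email address for recovery notices."
    }
}
# Each admin account should authenticate with a different method set
$methodSets = @($report | ForEach-Object MfaMethods | Sort-Object -Unique)
if ($adminCount -ge 2 -and $methodSets.Count -lt 2) {
    $issues += 'All global admins use the same MFA method(s); a lost phone could lock out both.'
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'No issues found.' }

# Remediation commands, shown as comments so the audit stays read-only.
# Replace the placeholder addresses before running them.
# Remove-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberType User -RoleMemberEmailAddress 'owner@example.com'
# Add-MsolRoleMember    -RoleName 'Billing Administrator' -RoleMemberEmailAddress 'finance@example.com'
```

One caveat worth knowing: StrongAuthenticationMethods lists the methods a user has registered, not whether MFA is actually enforced for them. The per-user enforcement state is in StrongAuthenticationRequirements, and MFA imposed through conditional access policies does not show up in either property, so treat "HasMfa" as a registration check rather than proof that every sign-in is challenged.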
A glimpse at enterprise security
Before you decide to procrastinate because this all sounds like a lot of trouble, it’s worth taking a look at what the big kids do for security. Many enterprise security tools are effectively out of reach for small businesses. Most items require costly additional licenses from Microsoft, but more importantly, they are only possible with far more elaborate IT infrastructure and onsite IT staff to set things up and continuously test, evaluate, and troubleshoot it.
Privileged access workstation – the Office 365 admin portal (and other admin control panels) can only be accessed from special workstations with hardened security that cannot be used for any other purpose.
Azure AD Privileged Identity Management – no account has global admin privileges until a special process is completed that turns on one account for administration for a limited time. At the end of the time, the account’s permissions are turned off again.
Conditional access – the global admin account can only access the admin controls if it is in an approved location, or if the login attempt is being made from an approved device. Login attempts are blocked, even if someone has the password and can respond to MFA, if the login attempt comes from an unmanaged device or a network location not under control of the IT department.
Detection, alerts, and logging – the possibilities are endless. There are elaborate and complex controls in the Security & Compliance Center and Microsoft Cloud App Security.
Secure by default
One last point, in case it’s not clear. Office 365 is secure by default. You don’t have to do very much to ensure your data is protected. Microsoft’s systems have been designed and deployed by specialists who have built them to be secure from the ground up. Microsoft’s business model depends on keeping Office 365 secure.
The global admin account is the point of entry for your business into that secure system. Your obligation is to protect that account and prevent unauthorized entry, whether by accident or after a malicious attack. Take the time to put simple measures in place to harden that account.
Hello Bruce,
Thanks for this precious info. Is there a way to get notifications/alerts when the global admin has no license?
Kind Regards,
Eric.
Yes! The global admin user profile includes an outside email address. Notices about all events that should be monitored by the global admin are sent to the alternate address.