‘Best Practices’ for Configuring Global Admin Accounts

  1. Create two “Break-a-Glass” Global Admins as backup accounts: one with MFA, one without MFA.
  2. Limit the number of Global Admins to as few as possible.
  3. Use MFA and a password length of 12–256 characters (length matters more than complexity).
  4. Use the Microsoft Authenticator app as the ‘preferred’ second factor (it is not susceptible to channel jacking).
  5. Global Admins don’t need an Office 365 license.
  6. Use a cloud-only identity such as globaladminname@tenantname.onmicrosoft.com, not globaladminname@domain.com.
  7. Always register a phone number and an alternative email address for the Global Admin accounts – do NOT tie them to an individual employee or to a mobile device that may be unreachable.
  8. Use the customized/limited administrator roles for other admins (more than one custom role can be assigned to an individual).
  9. Don’t share Global Admin credentials so that multiple people log in with the same account; you lose the ‘traceability’ of ‘who did what’.
  10. Don’t browse/surf the Internet while signed in with your admin role.
  11. Consider using a Privileged Access Workstation (PAW) and Azure AD Privileged Identity Management (PIM).
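The checklist above is easiest to keep honest if you can audit it on demand. The following script is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (the `Connect-MgGraph`, `Get-MgDirectoryRole`, `Get-MgDirectoryRoleMember`, `Get-MgUser` and `Get-MgUserAuthenticationMethod` cmdlets) to report, for every active Global Administrator, whether items 2, 4, 5 and 6 hold. The `$MaxGlobalAdmins` threshold and the set of method types treated as “strong” are assumptions chosen for the example; adjust them to your own policy.

```powershell
# Added example (not from the original post): audit active Global Administrator
# assignments against items 2, 4, 5 and 6 of the checklist using the Microsoft
# Graph PowerShell SDK. Assumes the SDK is installed and the caller can consent
# to the read-only scopes requested below.

param(
    [int]$MaxGlobalAdmins = 4   # assumed threshold for item 2; set to your own policy
)

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "UserAuthenticationMethod.Read.All"

# The built-in role object only exists once it has been activated in the tenant,
# so look it up by display name rather than assuming it is present.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not found in this tenant (never activated?)" }

# Only *active* members are returned here. PIM-eligible assignments (item 11)
# are not included and must be reviewed separately in PIM.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# Second factors considered strong for item 4 (assumption for this example):
# the Authenticator app and FIDO2 security keys. Phone (SMS/voice) is not.
$strongMethods = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod'
)

$report = foreach ($m in $members) {
    $user    = Get-MgUser -UserId $m.Id -Property Id, DisplayName, UserPrincipalName, AssignedLicenses
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    $hasStrong = [bool]($methods | Where-Object { $strongMethods -contains $_ })

    [pscustomobject]@{
        User         = $user.UserPrincipalName
        CloudOnlyUpn = $user.UserPrincipalName -like '*.onmicrosoft.com'      # item 6
        HasLicense   = ($user.AssignedLicenses.Count -gt 0)                    # item 5 (should be False)
        HasStrongMfa = $hasStrong                                              # item 4
        PhoneOnlyMfa = (-not $hasStrong) -and
                       ($methods -contains '#microsoft.graph.phoneAuthenticationMethod')
    }
}

Write-Host "Active Global Admins: $($report.Count) (policy maximum: $MaxGlobalAdmins)"
if ($report.Count -gt $MaxGlobalAdmins) { Write-Warning "More Global Admins than policy allows (item 2)" }

# One row per admin; any False in CloudOnlyUpn/HasStrongMfa or True in HasLicense needs attention.
$report | Format-Table -AutoSize

$report | Where-Object { -not $_.CloudOnlyUpn } |
    ForEach-Object { Write-Warning "$($_.User): not a cloud-only *.onmicrosoft.com identity (item 6)" }
$report | Where-Object { $_.HasLicense } |
    ForEach-Object { Write-Warning "$($_.User): has a license assigned that a Global Admin does not need (item 5)" }
$report | Where-Object { -not $_.HasStrongMfa } |
    ForEach-Object { Write-Warning "$($_.User): no Authenticator app or FIDO2 method registered (item 4)" }
```

Run it from a PAW with an account that can consent to the listed read scopes. The break-glass account that item 1 deliberately leaves without MFA will show up in the item 4 warning; that one hit is expected and should be documented, while any other admin appearing there is a finding. Because the script reads only active role members, pair it with a review of eligible assignments in PIM to get the full picture.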
