- Create two “Break-a-Glass” (emergency access) Global Admin accounts as backups. One is protected with MFA; the other is deliberately excluded from MFA and Conditional Access so you can still get in if the MFA service is down or a policy locks everyone else out. Keep both out of daily use and alert on every sign-in to them.
- Limit the number of Global Admins to as few as possible.
- Use MFA, and use a password/passphrase of 12 to 256 characters (length beats complexity).
- Make the Microsoft Authenticator app the preferred second factor: unlike SMS or voice calls, it cannot be intercepted by SIM swapping or telephony-channel hijacking.
- Global Admins don’t need an Office 365 license.
- Use a cloud-only identity such as globaladminname @ tenantname.onmicrosoft.com rather than globaladminname @ domain.com, so the account does not depend on on-premises AD synchronisation or federation (AD FS) being available.
- Always register a phone number and an alternate email address for the Global Admin accounts, and make sure they belong to the organisation, not to an individual employee's device or mailbox that may be unreachable when you need the account.
- Utilize the Customized/Limited administrator roles for other admins (you can assign more than one custom role to an Individual)
- Don’t share Global Admin credentials so that several people log in with the same account; you lose traceability of who did what.
- Don’t browse/surf the Internet with your Admin role.
- Consider the use of Privileged Access Workstation (PAW) and Azure AD Privileged Identity Management (PIM)
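The following script is an added example, not part of the original post, showing how the account-related items above (cloud-only break-glass accounts on the .onmicrosoft.com domain, a long random passphrase, no licence, a small and auditable Global Admin group) look when done with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that you are signing in as a Global Administrator; the account names `breakglass-mfa` and `breakglass-nomfa` and the threshold of four Global Admins are placeholders. Enrolling the first account in Authenticator and excluding the second from your Conditional Access/MFA policies is still done in the portal.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module
# and a Global Administrator sign-in; names and thresholds below are placeholders.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# Use the tenant's initial *.onmicrosoft.com domain, not a custom/federated domain,
# so the accounts keep working if on-premises AD or AD FS is unavailable.
$initialDomain = ((Get-MgOrganization).VerifiedDomains | Where-Object { $_.IsInitial }).Name

function New-RandomPassphrase {
    # 48 random bytes -> 64 Base64 characters; Azure AD accepts up to 256.
    param([int]$ByteCount = 48)
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function New-BreakGlassAdmin {
    param([Parameter(Mandatory)][string]$Name)
    $password = New-RandomPassphrase
    # Cloud-only account, enabled, no forced password change, no licence assigned.
    $user = New-MgUser -DisplayName $Name -MailNickname $Name `
        -UserPrincipalName "$Name@$initialDomain" -AccountEnabled `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

    # Shown once so it can be sealed in an envelope or vault; never paste it into a ticket or chat.
    Write-Host "Created $($user.UserPrincipalName) with passphrase: $password"
    return $user
}

function Get-GlobalAdminAudit {
    # Flags Global Admins that are not cloud-only, that hold a licence, or that push
    # the role over the agreed maximum (placeholder value of 4).
    param([int]$MaxGlobalAdmins = 4)
    $role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    $report = foreach ($m in $members) {
        # Skip service principals and groups; only users are checked here.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
        $licences = @(Get-MgUserLicenseDetail -UserId $u.Id)
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Enabled           = $u.AccountEnabled
            CloudOnly         = ($u.UserPrincipalName -like "*@$initialDomain") -and (-not $u.OnPremisesSyncEnabled)
            Licensed          = ($licences.Count -gt 0)   # admins don't need an Office 365 licence
        }
    }

    if (@($report).Count -gt $MaxGlobalAdmins) {
        Write-Warning "$(@($report).Count) Global Admins found; target is at most $MaxGlobalAdmins."
    }
    return $report
}

# Create the two break-glass accounts, then audit the role.
$null = New-BreakGlassAdmin -Name 'breakglass-mfa'     # register Authenticator; keep under MFA policy
$null = New-BreakGlassAdmin -Name 'breakglass-nomfa'   # exclude from all Conditional Access/MFA policies
Get-GlobalAdminAudit | Format-Table -AutoSize
```

Run the audit on its own on a schedule: any Global Admin showing `CloudOnly = False` or `Licensed = True`, or a count above the threshold, is a deviation from the list above worth a ticket.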