When it comes to security “best practices” there are some that are debatable and others that are fairly well accepted. One that is difficult to argue against is that administrators should maintain an account with elevated access that is separate from their day-to-day user account (see note at the bottom for a possible argument against this “difficult to argue” point).
For Office 365, there are a number of roles available with varied level of elevated access. Despite this, I still see many administrators with their “user” account assigned the “Global Administrator” role. In the Office 365 realm, this role has more privileges than a “Domain Admin” would typically have in the on-premises environment. A “Global Admin” account, if compromised, could certainly do some dastardly things.
One role that I rarely see used is the “Service Administrator” role. By definition, this role can “manage service requests and monitor service health”. When you look at the permissions the “Service Administrator” has, it’s not much. It can basically view user information and open support tickets.
What you do get with the “Service Administrator” role is the ability to view the current health of your tenant via the dashboard. Additionally, I have seen Microsoft send notifications to the “Service Administrator” role such as the notification discussed in this post: “Microsoft’s Proactive Notification of User Issues“.
Since you’re likely logging into the Office 365 portal daily with your “user” account (to access email, OneDrive for Business, SharePoint Online), it can be beneficial to be able to see the service health or other important alerts such as an expiring AD FS certificate (like below) as part of your daily activity.
Adding your “day-to-day” user account to the “Service Administrators” role provides the benefit of increased awareness with minimal additional elevated privileges to be concerned about.
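Two of the points above, finding day-to-day accounts that hold Global Administrator and granting a day-to-day account the Service Administrator role instead, can be checked and applied from PowerShell. The script below is an added example and is not part of the original post. It assumes the MSOnline module (Connect-MsolService), that in MSOnline the portal's "Global Administrator" role is named "Company Administrator" and "Service Administrator" is named "Service Support Administrator" (confirm both with Get-MsolRole in your tenant), and that the e-mail address shown is a placeholder.

```powershell
# Added example, not from the original post.
# Assumes the MSOnline module and an account allowed to read role membership.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# Role names as MSOnline exposes them; verify with: Get-MsolRole | Select-Object Name
$globalAdminRoleName = "Company Administrator"         # portal: "Global Administrator"
$serviceAdminRoleName = "Service Support Administrator" # portal: "Service Administrator"

# 1. Audit: list every member of Global Administrator.
$globalAdminRole = Get-MsolRole -RoleName $globalAdminRoleName
$globalAdmins = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId

Write-Host "Global Administrator members:"
$globalAdmins | Select-Object DisplayName, EmailAddress, RoleMemberType, IsLicensed |
    Format-Table -AutoSize

# 2. Flag likely day-to-day accounts holding Global Administrator.
#    Heuristic (assumption): a dedicated admin account has no license because it
#    has no mailbox or OneDrive; a licensed Global Admin is probably someone's
#    everyday user account and is the case the post argues against.
$suspect = $globalAdmins | Where-Object { $_.IsLicensed -eq $true }
if ($suspect) {
    Write-Warning ("Licensed (day-to-day) accounts holding Global Administrator: " +
        (($suspect | ForEach-Object { $_.EmailAddress }) -join ", "))
}

# 3. Grant the day-to-day account the low-privilege Service Administrator role
#    so it still sees service health and notifications in the portal.
$dayToDayUser = "user@contoso.com"   # placeholder, replace with the real UPN
Add-MsolRoleMember -RoleName $serviceAdminRoleName -RoleMemberEmailAddress $dayToDayUser

# 4. Confirm the assignment took effect.
$serviceAdminRole = Get-MsolRole -RoleName $serviceAdminRoleName
Get-MsolRoleMember -RoleObjectId $serviceAdminRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $dayToDayUser } |
    Select-Object DisplayName, EmailAddress
```

Removing the user account from Global Administrator (once a separate admin account exists) is the complementary step; Remove-MsolRoleMember takes the same -RoleName and -RoleMemberEmailAddress parameters. The IsLicensed heuristic in step 2 is only a starting point; match it to whatever naming or licensing convention your tenant actually uses for admin accounts.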
As for your “Global Administrator” account, I would love to say that we should enable multi-factor authentication (MFA) for this account. Unfortunately, Remote PowerShell doesn’t currently work with MFA, and if you’re using your admin account, you’re probably using PowerShell at least half the time. Hopefully this will change in the future; in the meantime, protect it as much as possible with a strong, unique password.
Additional Thoughts…
As my colleague Allan Bourne pointed out, “Just In Time Access” is quite possibly the future replacement for maintaining a secondary admin account. Azure AD has such functionality available in preview; check out “Azure AD Privileged Identity Management” for more information.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.