Best Practices for Configuring the Global Admin Account in Office 365
Use the following best practices to secure your Global Admin account in Microsoft Office 365.
- For maximum security, use the maximum allowed password length for your Global Admin accounts.
NOTE: The maximum password length used to be 16 characters with no spaces. As of May 14, 2019, Azure Active Directory supports passwords up to 256 characters and they can contain spaces.
- Always create at least one additional Global Admin account as a backup. This account doesn’t need an Office 365 license.
- Instead of using an AdminName@YourDomain.com account for the Global Admin role, use an AdminName@YourDomain.onmicrosoft.com account and DO NOT assign it any licenses.
- Don’t use your Global Admin account to do your daily tasks. Create a separate account for Global Admin. For example, Trisha@Contoso.com for daily activities and TrishaAdmin@Contoso.com for administrative duties.
- Create at least two emergency access accounts (also known as break glass accounts) that are meant to be used only during an emergency. Exclude the emergency accounts from all security policies and from phone-based multi-factor authentication.
- Always register a phone number and an alternate email address for your Global Admin account so Microsoft can use them for verification if the need arises.
- Limit the number of Global Admins in your organization to as few as possible. The rest of the administrators should be assigned a Customized administrator role, such as Billing administrator, Dynamics 365 service administrator, Exchange administrator, Password administrator, Skype for Business administrator, Power BI service administrator, Reports reader, Service administrator, SharePoint administrator, or User management administrator. Keep in mind that you can assign multiple roles to an individual.
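The checklist above can be turned into a recurring audit. The following PowerShell script is an added example, not part of the original article; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to list every Global Administrator and flag the items the checklist calls for: a license assigned to the admin account, a UPN that is not on the .onmicrosoft.com domain, no phone number or alternate email on file, and no registered authentication method beyond the password. The ceiling of four Global Admins is an assumed value for illustration; set it to your organization's own limit.

```powershell
# Added example (not from the original article): audit Global Administrator
# accounts against the checklist above with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# read directory roles, users and authentication methods.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Assumption: the organization's own ceiling for the number of Global Admins.
$MaxGlobalAdmins = 4

# Resolve the activated Global Administrator directory role by display name.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $role) { throw "Global Administrator role not found (is it activated in this tenant?)" }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$findings = foreach ($m in $members) {
    # The checklist is about user accounts; skip groups and service principals.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property 'Id','UserPrincipalName','AccountEnabled','AssignedLicenses','MobilePhone','OtherMails'

    # Registered authentication methods; anything other than the password method
    # counts as a second factor the user has set up (not proof that MFA is enforced).
    $methodTypes = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $hasSecondFactor = ($methodTypes | Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }).Count -gt 0

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        Licensed          = $u.AssignedLicenses.Count -gt 0                 # checklist: should be False
        OnMicrosoftUpn    = $u.UserPrincipalName -like '*.onmicrosoft.com'  # checklist: should be True
        HasPhone          = -not [string]::IsNullOrEmpty($u.MobilePhone)    # checklist: should be True
        HasAltEmail       = $u.OtherMails.Count -gt 0                        # checklist: should be True
        HasSecondFactor   = $hasSecondFactor                                 # break-glass accounts are the exception
    }
}

$findings | Format-Table -AutoSize

if ($findings.Count -gt $MaxGlobalAdmins) {
    Write-Warning "$($findings.Count) Global Admins found; target is at most $MaxGlobalAdmins."
}
$findings |
    Where-Object { $_.Licensed -or -not $_.OnMicrosoftUpn -or -not $_.HasPhone -or -not $_.HasAltEmail -or -not $_.HasSecondFactor } |
    ForEach-Object { Write-Warning "Review $($_.UserPrincipalName): does not meet one or more checklist items." }
```

Two caveats when reading the output: the emergency access accounts are excluded from phone-based MFA by design, so HasSecondFactor is expected to be False for them and they should be recognized rather than "fixed"; and Get-MgUserAuthenticationMethod reports which methods a user has registered, not whether a policy actually requires them at sign-in, so a True in that column is a necessary condition, not a guarantee that MFA is enforced.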
Useful Links
Here are some links that you may find helpful.
- Password Recommendations for Microsoft Accounts
- Setup Multi-Factor Authentication for Office 365 Users
- Best Practices for Configuring Multi-factor Authentication in Office 365
- Microsoft Authenticator to Allow Phone Sign In Without a Password
- Manage emergency access administrator accounts
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2019 SeattlePro Enterprises, LLC. All rights reserved.