Protect your Office 365 global administrator accounts
Summary: Protect your Office 365 subscription from attacks based on the compromise of a global administrator account.
Security breaches of an Office 365 subscription, including information harvesting and phishing attacks, commonly begin with the compromise of the credentials of an Office 365 global administrator account, because that role can read and change every setting and every user in the subscription. Security in the cloud is a partnership between you and Microsoft:
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.
You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.
Microsoft provides capabilities to help protect your organization, but they are effective only if you use them; left unused, they leave you exposed to attack. To protect your global administrator accounts, follow the detailed instructions in this article to:
Create dedicated Office 365 global administrator accounts and use them only when necessary.
Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication.
Enable and configure Office 365 Cloud App Security to monitor for suspicious global administrator account activity.
Although this article is focused on global administrator accounts, you should also consider whether additional accounts with wide-ranging permissions to access the data in your subscription, such as eDiscovery administrator or security or compliance administrator accounts, should be protected in the same way.
Step 1. Create dedicated Office 365 global administrator accounts and use them only when necessary
There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do these steps:
- Determine the set of user accounts that have been assigned the global admin role. You can do this with this command at the Microsoft Azure Active Directory Module for Windows PowerShell command prompt ("Company Administrator" is the name that module uses for the global administrator role):

  Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

- Sign in to your Office 365 subscription with a user account that has been assigned the global admin role.
- Create at least one and up to a maximum of five dedicated global administrator user accounts. Use strong passwords at least 12 characters long. See Create a strong password for more information. Store the passwords for the new accounts in a secure location.
- Assign the global admin role to each of the new dedicated global administrator user accounts.
- Sign out of Office 365.
- Sign in with one of the new dedicated global administrator user accounts.
- For each existing user account that had been assigned the global admin role, as identified in the first step:
  - Remove the global admin role.
  - Assign admin roles to the account that are appropriate to that user's job function and responsibility. For more information about various admin roles in Office 365, see About Office 365 admin roles.
- Sign out of Office 365.
The result should be:
- The only user accounts in your subscription that have the global admin role are the new set of dedicated global administrator accounts. Verify this with the following PowerShell command:

  Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

- All other everyday user accounts that manage your subscription have admin roles assigned that are associated with their job responsibilities.
From this moment onward, you sign in with the dedicated global administrator accounts only for tasks that require global administrator privileges. All other Office 365 administration must be done by assigning other administration roles to user accounts.
Yes, this requires additional steps to sign out as your everyday user account and sign in with a dedicated global administrator account. But this only needs to be done occasionally for global administrator operations. Consider that recovering your Office 365 subscription after a global administrator account breach requires a lot more steps.
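The procedure above as PowerShell, added here as an example; it is not code from the original article. It assumes the Microsoft Azure Active Directory Module for Windows PowerShell (the MSOnline module whose Get-MsolRoleMember command is used above) and an existing Connect-MsolService session. The tenant domain, the admin01/admin02 account names and the role map are placeholders. It is split into two functions because the procedure requires signing out and back in as a dedicated account between creating the new accounts and demoting the old ones, and the second function refuses to demote anyone for whom no replacement role has been chosen.

```powershell
# Added example, not from the original article. Requires the MSOnline module and a
# Connect-MsolService session. Domain, UPNs and role names below are placeholders.
#Requires -Modules MSOnline

function New-StrongPassword {
    # 16 characters, at least one from each class, chosen with a cryptographic RNG.
    # (The final shuffle with Get-Random only changes positions, not which characters were drawn;
    # the modulo bias of a 32-bit value over a 12-70 character set is negligible here.)
    param([int]$Length = 16)
    $classes = 'abcdefghjkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$Chars)
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        $Chars[[int]([BitConverter]::ToUInt32($b, 0) % [uint32]$Chars.Length)]
    }
    $chars = @(foreach ($c in $classes) { & $pick $c })
    $all = -join $classes
    for ($i = $chars.Count; $i -lt $Length; $i++) { $chars += & $pick $all }
    -join ($chars | Sort-Object { Get-Random })
}

function New-DedicatedGlobalAdmin {
    # Run while signed in as an existing global admin. Creates the dedicated accounts,
    # assigns the role, and returns the UPNs and passwords for your secure store.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,   # placeholder, e.g. contoso.onmicrosoft.com
        [ValidateRange(1, 5)][int]$Count = 2     # the article's limit: at least one, at most five
    )
    $role = Get-MsolRole -RoleName 'Company Administrator'   # MSOnline's name for the global admin role
    foreach ($i in 1..$Count) {
        $upn = 'admin{0:d2}@{1}' -f $i, $Domain
        $pw  = New-StrongPassword
        if ($PSCmdlet.ShouldProcess($upn, 'Create dedicated global admin')) {
            New-MsolUser -UserPrincipalName $upn -DisplayName "Dedicated Global Admin $i" `
                -Password $pw -ForceChangePassword $false | Out-Null
            Add-MsolRoleMember -RoleName $role.Name -RoleMemberEmailAddress $upn
        }
        [pscustomobject]@{ UserPrincipalName = $upn; Password = $pw }
    }
}

function Remove-LegacyGlobalAdmin {
    # Run AFTER signing out and reconnecting as one of the dedicated accounts. Every other
    # member of the role must have an entry in RoleMap (UPN -> replacement role) so that
    # nobody is demoted without a deliberate decision about their job-appropriate role.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string[]]$DedicatedAdmin,
        [Parameter(Mandatory)][hashtable]$RoleMap
    )
    $role    = Get-MsolRole -RoleName 'Company Administrator'
    $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId | Where-Object RoleMemberType -eq 'User')
    $keep    = @($members | Where-Object { $DedicatedAdmin -contains $_.EmailAddress })
    if ($keep.Count -eq 0) { throw 'No dedicated account holds the role yet; create and assign them first.' }
    $legacy   = @($members | Where-Object { $DedicatedAdmin -notcontains $_.EmailAddress })
    $unmapped = @($legacy | Where-Object { -not $RoleMap.ContainsKey($_.EmailAddress) })
    if ($unmapped.Count) { throw "No replacement role chosen for: $($unmapped.EmailAddress -join ', ')" }
    foreach ($m in $legacy) {
        $newRole = $RoleMap[$m.EmailAddress]
        if ($PSCmdlet.ShouldProcess($m.EmailAddress, "Replace Company Administrator with $newRole")) {
            Add-MsolRoleMember -RoleName $newRole -RoleMemberEmailAddress $m.EmailAddress
            Remove-MsolRoleMember -RoleName $role.Name -RoleMemberType User -RoleMemberEmailAddress $m.EmailAddress
        }
    }
    # Verify: the only remaining members should be the dedicated accounts.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId | Select-Object DisplayName, EmailAddress, RoleMemberType
}

# Usage (placeholders). Rehearse with -WhatIf first, then run for real:
#   New-DedicatedGlobalAdmin -Domain contoso.onmicrosoft.com -Count 2 -WhatIf
#   ...sign out, Connect-MsolService as admin01@contoso.onmicrosoft.com, then:
#   Remove-LegacyGlobalAdmin -DedicatedAdmin admin01@contoso.onmicrosoft.com, admin02@contoso.onmicrosoft.com `
#       -RoleMap @{ 'alice@contoso.onmicrosoft.com' = 'Exchange Service Administrator' }
```

Remove-LegacyGlobalAdmin prompts for each account because of ConfirmImpact = 'High'; pass -Confirm:$false only once you have reviewed the output of a -WhatIf run.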
Step 2. Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication
Multi-factor authentication (MFA) for your global administrator accounts requires a second proof of identity beyond the account name and password. Office 365 supports these verification methods:
- A phone call
- A randomly generated pass code
- A smart card (virtual or physical)
- A biometric device
If you are a small business that is using user accounts stored only in the cloud (the cloud identity model), configure MFA using a phone call or a text message verification code sent to a smart phone:
- Set up 2-step verification for Office 365 to configure each dedicated global administrator account for phone call or text message as the verification method.
If you are a larger organization that is using an Office 365 hybrid identity model, you have more verification options. If you already have the security infrastructure in place for a stronger secondary authentication method (such as smart cards), use it:
- Set up 2-step verification for Office 365 to configure each dedicated global administrator account for the appropriate verification method.
If the security infrastructure for the desired stronger verification method is not in place and functioning for Office 365 MFA, we strongly recommend that you configure your dedicated global administrator accounts with MFA using a phone call or a text message verification code sent to a smart phone as an interim security measure. Phone call and text message are the weakest of the supported methods, so treat them as a floor to move up from, not a target. Do not leave your dedicated global administrator accounts without the additional protection provided by MFA.
For more information, see Plan for multi-factor authentication for Office 365 Deployments.
To connect to Office 365 services with MFA and PowerShell, see this article.
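The same step from PowerShell, added here as an example; it is not code from the original article. Instead of the portal steps linked above it uses the per-user MFA settings that the MSOnline module exposes on a user object (StrongAuthenticationRequirements and StrongAuthenticationMethods), and it assumes a Connect-MsolService session as a dedicated global admin. The report's classification of phone and SMS as interim-only methods follows the recommendation above; the method-type names are the ones MSOnline reports.

```powershell
# Added example, not from the original article. Requires MSOnline and a Connect-MsolService
# session. Uses the per-user MFA settings exposed by Get-MsolUser / Set-MsolUser.
#Requires -Modules MSOnline

function Get-GlobalAdminUser {
    # Full user objects (with MFA properties) for every user holding the global admin role.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object RoleMemberType -eq 'User' |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }
}

function Enable-GlobalAdminMfa {
    # 'Enabled' makes the user register a method at next sign-in; 'Enforced' requires MFA on
    # every sign-in and also blocks clients that cannot perform MFA (see the PowerShell note
    # above). Never downgrades an account that is already Enforced.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = if ($Enforce) { 'Enforced' } else { 'Enabled' }
    foreach ($u in Get-GlobalAdminUser) {
        $current = @($u.StrongAuthenticationRequirements)
        $state = if ($current.Count) { [string]$current[0].State } else { 'Disabled' }
        if ($state -eq 'Enforced' -or $state -eq [string]$req.State) { continue }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Set MFA state to $($req.State)")) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
        }
    }
}

function Get-GlobalAdminMfaReport {
    # Which method each global admin actually uses by default, and whether it is one the
    # article only recommends as an interim measure (phone call or text message).
    $phoneBased = 'OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice'
    foreach ($u in Get-GlobalAdminUser) {
        $req = @($u.StrongAuthenticationRequirements)
        $def = $u.StrongAuthenticationMethods | Where-Object IsDefault | Select-Object -First 1
        if (-not $req.Count)                                  { $assessment = 'FAIL: no MFA requirement set' }
        elseif (-not $def)                                    { $assessment = 'WARN: MFA required but no method registered yet' }
        elseif ($phoneBased -contains [string]$def.MethodType) { $assessment = 'WARN: phone/SMS, interim only' }
        else                                                  { $assessment = 'OK' }
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            MfaState   = if ($req.Count) { [string]$req[0].State } else { 'Disabled' }
            Method     = if ($def) { [string]$def.MethodType } else { 'none registered' }
            Assessment = $assessment
        }
    }
}

# Usage: rehearse, apply, then review.
#   Enable-GlobalAdminMfa -Enforce -WhatIf
#   Enable-GlobalAdminMfa -Enforce
#   Get-GlobalAdminMfaReport | Format-Table -AutoSize
```

Run Get-GlobalAdminMfaReport again after each dedicated admin has signed in once: an account that reports 'Enabled' with no method registered has not actually completed MFA setup yet.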
Step 3. Monitor for suspicious global administrator account activity
Office 365 Cloud App Security lets you create policies to notify you of suspicious behavior in your subscription. Cloud App Security is built into Office 365 E5, but is also available as a separate service. For example, if you do not have Office 365 E5, you can purchase individual Cloud App Security licenses for the user accounts that are assigned the global administrator, security administrator, and compliance administrator roles.
If you have Cloud App Security in your Office 365 subscription, use these steps:
- Sign in to the Office 365 portal with an account that is assigned the Security Administrator or Compliance Administrator role.
- Review your anomaly detection policies in Office 365 Cloud App Security and configure them to notify you by email of anomalous patterns of privileged administrative activity.
To add a user account to the Security Administrator role, connect to Office 365 PowerShell with a dedicated global administrator account and MFA, fill in the user principal name of the user account, and then run these commands:

$upn="<User principal name of the account>"
Add-MsolRoleMember -RoleMemberEmailAddress $upn -RoleName "Security Administrator"

To add a user account to the Compliance Administrator role, fill in the user principal name of the user account, and then run these commands:

$upn="<User principal name of the account>"
Add-MsolRoleMember -RoleMemberEmailAddress $upn -RoleName "Compliance Administrator"
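Cloud App Security policies are configured in the portal. For readers who also pull the Office 365 unified audit log (for example into the SIEM described later in this article), here is the same kind of check written as PowerShell detection logic. This is an added example, not from the original article, and it swaps in audit-log parsing for the Cloud App Security policy: the records are constructed to mimic the AuditData JSON that Search-UnifiedAuditLog returns (the UPNs, times and IP addresses are made up), the dedicated admin names and the "trusted" address are placeholders, and because the quoting of ModifiedProperties values in real records varies, the role match uses -like rather than -eq.

```powershell
# Added example, not from the original article. Runs offline against constructed records;
# the comment at the end shows how to feed it live data from Exchange Online PowerShell.

# Placeholders: the dedicated accounts from Step 1 and the egress address of the admin workstation.
$dedicatedAdmins = 'admin01@contoso.onmicrosoft.com', 'admin02@contoso.onmicrosoft.com'
$trustedIPs      = @('203.0.113.10')

# Constructed sample records in the shape of unified audit log AuditData (not real log data).
$sampleAuditData = @'
[
 {"CreationTime":"2017-06-01T08:02:11","Operation":"UserLoggedIn","UserId":"admin01@contoso.onmicrosoft.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"},
 {"CreationTime":"2017-06-01T08:05:40","Operation":"Add member to role.","UserId":"admin01@contoso.onmicrosoft.com","ObjectId":"alice@contoso.onmicrosoft.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Exchange Service Administrator"}]},
 {"CreationTime":"2017-06-01T23:41:02","Operation":"Add member to role.","UserId":"bob@contoso.onmicrosoft.com","ObjectId":"mallory@contoso.onmicrosoft.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator"}]},
 {"CreationTime":"2017-06-02T03:15:00","Operation":"UserLoggedIn","UserId":"admin02@contoso.onmicrosoft.com","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"}
]
'@

function Find-SuspiciousAdminActivity {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$DedicatedAdmins,
        [string[]]$TrustedIPs = @()
    )
    foreach ($r in $Records) {
        $actor = $r.UserId
        if ($r.Operation -eq 'Add member to role.') {
            $role = ($r.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
            # Rule 1: any new global admin is an alert, whoever granted it. After Step 1 this
            # should only ever happen when you deliberately add a dedicated account.
            if ($role -like '*Company Administrator*') {
                [pscustomobject]@{ Time = $r.CreationTime; Severity = 'High'; Actor = $actor
                                   Detail = "$($r.ObjectId) added to Company Administrator" }
            }
            # Rule 2: role changes need global admin rights, so an actor outside the dedicated
            # set means either a leftover global admin or a compromised one.
            if ($DedicatedAdmins -notcontains $actor) {
                [pscustomobject]@{ Time = $r.CreationTime; Severity = 'High'; Actor = $actor
                                   Detail = "role change by non-dedicated account (granted $role to $($r.ObjectId))" }
            }
        }
        # Rule 3: a dedicated admin signing in from somewhere other than the admin workstation.
        if ($r.Operation -eq 'UserLoggedIn' -and $DedicatedAdmins -contains $actor -and
            $TrustedIPs.Count -gt 0 -and $TrustedIPs -notcontains $r.ClientIP) {
            [pscustomobject]@{ Time = $r.CreationTime; Severity = 'Medium'; Actor = $actor
                               Detail = "dedicated admin sign-in from untrusted address $($r.ClientIP)" }
        }
    }
}

$records = ConvertFrom-Json $sampleAuditData
Find-SuspiciousAdminActivity -Records $records -DedicatedAdmins $dedicatedAdmins -TrustedIPs $trustedIPs |
    Format-Table -AutoSize
# Expected on the sample: two High alerts for bob's 23:41 grant to mallory (rules 1 and 2) and one
# Medium alert for admin02's sign-in from 198.51.100.7. alice's grant by admin01 is not flagged.

# Live data (Exchange Online PowerShell, connected with MFA):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#                  -Operations 'Add member to role.', 'UserLoggedIn' -ResultSize 5000 |
#              ForEach-Object { $_.AuditData | ConvertFrom-Json }
```

Rule 3 is deliberately only a medium-severity signal: it is the cheapest way to notice a dedicated account being used outside the privileged access workstation described later, but it needs a stable egress address to be useful.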
Additional protections for enterprise organizations
After steps 1-3, use these additional methods to ensure that your global administrator accounts, and the configuration that you perform using them, are as secure as possible.
Privileged Access Workstation (PAW)
To ensure that the execution of highly privileged tasks is as secure as possible, use a PAW. A PAW is a dedicated computer that is only used for sensitive configuration tasks, such as Office 365 configuration that requires a global administrator account. Because this computer is not used daily for Internet browsing or email, it is better protected from Internet attacks and threats.
For instructions on how to set up a PAW, see http://aka.ms/cyberpaw.
Azure AD Privileged Identity Management (PIM)
Rather than having your global administrator accounts be permanently assigned the global administrator role, you can use Azure AD PIM to enable on-demand, just-in-time assignment of the global administrator role when it is needed.
Instead of your global administrator accounts being a permanent admin, they become eligible administrators. The global administrator role is inactive until someone needs it. You then complete an activation process to add the global administrator role to the global administrator account for a predetermined amount of time. When the time expires, PIM removes the global administrator role from the global administrator account.
Using PIM and this process significantly reduces the amount of time that your global administrator accounts are vulnerable to attack and use by malicious users.
For more information, see Configure Azure AD Privileged Identity Management.
PIM is available with Azure Active Directory Premium P2, which is included with Enterprise Mobility + Security (EMS) E5, or you can purchase individual licenses for your global administrator accounts.
Security information and event management (SIEM) software for Office 365 logging
SIEM software, running on a server, performs real-time analysis of security alerts and events created by applications and network hardware. To allow your SIEM server to include Office 365 security alerts and events in its analysis and reporting functions, integrate these in your SIEM system:
For more information, see Integrate logs from Azure resources into your SIEM systems.
Office 365 Cloud App Security
For more information, see Integrate your SIEM server with Office 365 Cloud App Security.