Protect your Office 365 global administrator accounts

Summary: Protect your Office 365 subscription from attacks based on the compromise of a global administrator account.

Security breaches of an Office 365 subscription, including information harvesting and phishing attacks, are typically done by compromising the credentials of an Office 365 global administrator account. Security in the cloud is a partnership between you and Microsoft:

  • Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.

  • You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.

Microsoft provides capabilities to help protect your organization, but they are effective only if you use them. If you do not use them, you may be vulnerable to attack. To protect your global administrator accounts, Microsoft is here to help you with detailed instructions to:

  1. Create dedicated Office 365 global administrator accounts and use them only when necessary.

  2. Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication.

Note

Although this article is focused on global administrator accounts, you should consider whether additional accounts with wide-ranging permissions to access the data in your subscription, such as eDiscovery administrator or security or compliance administrator accounts, should be protected in the same way.

Step 1. Create dedicated Office 365 global administrator accounts and use them only when necessary

There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do these steps:

  1. Determine the set of user accounts that have been assigned the global admin role. You can do this with the following Azure Active Directory (Azure AD) PowerShell for Graph command (the AzureAD module lists the global administrator role under the name "Company Administrator"):

    Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName

  2. Sign into your Office 365 subscription with a user account that has been assigned the global admin role.

  3. Create at least one and up to a maximum of five dedicated global administrator user accounts. Use strong passwords at least 12 characters long. See Create a strong password for more information. Store the passwords for the new accounts in a secure location.

  4. Assign the global admin role to each of the new dedicated global administrator user accounts.

  5. Sign out of Office 365.

  6. Sign in with one of the new dedicated global administrator user accounts.

  7. For each existing user account that had been assigned the global admin role from step 1:

  • Remove the global admin role.

  • Assign admin roles to the account that are appropriate to that user's job function and responsibility. For more information about various admin roles in Office 365, see About Office 365 admin roles.

  8. Sign out of Office 365.

The result should be:

  • The only user accounts in your subscription that have the global admin role are the new set of dedicated global administrator accounts. Verify this with the following PowerShell command:

    Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName
    
  • All other everyday user accounts that manage your subscription have admin roles assigned that are associated with their job responsibilities.

From this moment onward, you sign in with the dedicated global administrator accounts only for tasks that require global administrator privileges. All other Office 365 administration must be done by assigning other administration roles to user accounts.
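The procedure above and its verification step can be scripted so that the check is repeatable. The following is an added example, not code from the Microsoft article: it assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run with a global administrator account, and it uses constructed sample UPNs (contoso.onmicrosoft.com) in place of your real dedicated accounts. The function reports any user holding the global admin role that is not on the dedicated list, reports any dedicated account that lacks the role, and, only when -Remediate is given, removes the role from the unexpected accounts (never from the signed-in account, and honouring -WhatIf for a dry run).

```powershell
# Added example, not from the Microsoft article. Assumes the AzureAD module is
# installed and Connect-AzureAD has been run. UPNs below are constructed samples.

function Test-DedicatedGlobalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # UPNs of the dedicated global administrator accounts that SHOULD hold the role
        [Parameter(Mandatory)] [string[]] $DedicatedAdmin,
        # When set, remove the role from every other user account (honours -WhatIf)
        [switch] $Remediate
    )

    # The AzureAD module exposes the Global Administrator role as "Company Administrator"
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
    if (-not $role) { throw 'Company Administrator role not found; is the session connected?' }

    # Only user objects are of interest here; service principals are reported separately if present
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' }

    $unexpected = @($members | Where-Object { $DedicatedAdmin -notcontains $_.UserPrincipalName })
    $missing    = @($DedicatedAdmin | Where-Object { $members.UserPrincipalName -notcontains $_ })

    foreach ($u in $unexpected) { Write-Warning "Unexpected global admin: $($u.UserPrincipalName)" }
    foreach ($m in $missing)    { Write-Warning "Dedicated admin lacks the role: $m" }

    if ($Remediate) {
        # Never strip the role from the account running this script; that could lock you out
        $me = (Get-AzureADCurrentSessionInfo).Account.Id
        foreach ($u in $unexpected) {
            if ($u.UserPrincipalName -eq $me) {
                Write-Warning "Skipping $me because it is the signed-in account"
                continue
            }
            if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Remove Company Administrator role')) {
                Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $u.ObjectId
            }
        }
    }

    # Summary object so the result can be logged or compared over time
    [pscustomobject]@{
        Expected   = $DedicatedAdmin.Count
        Unexpected = $unexpected.UserPrincipalName
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed sample values; replace with your dedicated global administrator UPNs.
$dedicated = 'ga-admin1@contoso.onmicrosoft.com', 'ga-admin2@contoso.onmicrosoft.com'

# Dry run first (-WhatIf shows what would be removed), then rerun without -WhatIf
Test-DedicatedGlobalAdmins -DedicatedAdmin $dedicated -Remediate -WhatIf
```

Run the dry run while signed in as one of the dedicated accounts (step 6 above) so that the account you are using is never the one being stripped, and keep the returned summary object as evidence that the subscription ended up in the expected state.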

Note

This does require additional steps to sign out as your everyday user account and sign in with a dedicated global administrator account. But this only needs to be done occasionally for global administrator operations. Consider that recovering your Office 365 subscription after a global administrator account breach requires a lot more steps.

Step 2. Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication

Multi-factor authentication (MFA) requires additional information beyond the account name and password. Office 365 supports these verification methods:

  • A phone call

  • A randomly generated pass code

  • A smart card (virtual or physical)

  • A biometric device

If you are a small business that is using user accounts stored only in the cloud (the cloud-only identity model), use these steps to configure MFA using a phone call or a text message verification code sent to a smart phone:

  1. Enable MFA.

  2. Set up 2-step verification for Office 365 to configure each dedicated global administrator account for phone call or text message as the verification method.

If you are a larger organization that is using an Office 365 hybrid identity model, you have more verification options. If you have the security infrastructure already in place for a stronger secondary authentication method, use these steps:

  1. Enable MFA.

  2. Set up 2-step verification for Office 365 to configure each dedicated global administrator account for the appropriate verification method.

If the security infrastructure for the desired stronger verification method is not in place and functioning for Office 365 MFA, we strongly recommend that, as an interim security measure, you configure your dedicated global administrator accounts with MFA using a phone call or a text message verification code sent to a smart phone. Do not leave your dedicated global administrator accounts without the additional protection provided by MFA.
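Both MFA procedures above (cloud-only and hybrid) end with each dedicated global administrator account requiring a second factor, and the closing sentence is a check worth automating. The following is an added example, not code from the Microsoft article: it assumes the MSOnline PowerShell module (the legacy per-user MFA interface) is installed and Connect-MsolService has been run, and it uses constructed sample UPNs. The first function turns on per-user MFA for the dedicated accounts; the second reports every global administrator with its MFA state and registered default method, so an account left without MFA stands out.

```powershell
# Added example, not from the Microsoft article. Assumes the MSOnline module is
# installed and Connect-MsolService has been run. UPNs are constructed samples.

function Set-DedicatedAdminMfa {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string[]] $DedicatedAdmin)

    # Per-user MFA requirement object. State "Enabled" makes the user register a
    # method at next sign-in; "Enforced" requires the second factor on every sign-in.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'

    foreach ($upn in $DedicatedAdmin) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            Write-Verbose "$upn already has MFA state $($user.StrongAuthenticationRequirements[0].State)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, 'Enable per-user MFA')) {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        }
    }
}

function Get-GlobalAdminMfaReport {
    # One row per global administrator: MFA state plus the default verification
    # method the user registered (OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, ...).
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $u = Get-MsolUser -UserPrincipalName $_.EmailAddress
            $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
                $u.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' }
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                MfaState          = $state
                DefaultMethod     = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
            }
        }
}

# Constructed sample values; replace with your dedicated global administrator UPNs.
$dedicated = 'ga-admin1@contoso.onmicrosoft.com', 'ga-admin2@contoso.onmicrosoft.com'
Set-DedicatedAdminMfa -DedicatedAdmin $dedicated -WhatIf

# Any row with MfaState 'Disabled' is a global admin still relying on password alone
Get-GlobalAdminMfaReport | Format-Table -AutoSize
```

Run the report after the accounts have completed their first interactive sign-in: the MFA state is set by the script, but DefaultMethod stays empty until the user actually registers a phone number or authenticator app.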

For more information, see Plan for multi-factor authentication for Office 365 Deployments.

To connect to Office 365 services with MFA and PowerShell, see this article.

Additional protections for enterprise organizations

After steps 1 and 2, use these additional methods to ensure that your global administrator account, and the configuration that you perform using it, are as secure as possible.

Privileged access workstation

To ensure that the execution of highly privileged tasks is as secure as possible, use a privileged access workstation (PAW). A PAW is a dedicated computer that is only used for sensitive configuration tasks, such as Office 365 configuration that requires a global administrator account. Because this computer is not used daily for Internet browsing or email, it is better protected from Internet attacks and threats.

For instructions on how to set up a PAW, see http://aka.ms/cyberpaw.

Azure AD Privileged Identity Management

Rather than having your global administrator accounts be permanently assigned the global administrator role, you can use Azure AD Privileged Identity Management (PIM) to enable on-demand, just-in-time assignment of the global administrator role when it is needed.

Instead of your global administrator accounts being a permanent admin, they become eligible administrators. The global administrator role is inactive until someone needs it. You then complete an activation process to add the global administrator role to the global administrator account for a predetermined amount of time. When the time expires, PIM removes the global administrator role from the global administrator account.

Using PIM and this process significantly reduces the amount of time that your global administrator accounts are vulnerable to attack and use by malicious users.

For more information, see Configure Azure AD Privileged Identity Management.

Note

PIM is available with Azure AD Premium P2, which is included with Enterprise Mobility + Security (EMS) E5, or you can purchase individual licenses for your global administrator accounts.

Security information and event management (SIEM) software for Office 365 logging

SIEM software running on a server performs real-time analysis of security alerts and events created by applications and network hardware. To allow your SIEM server to include Office 365 security alerts and events in its analysis and reporting functions, integrate Azure AD into your SIEM. See Integrate logs from Azure resources into your SIEM systems.
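One of the highest-value events to surface once Azure AD logs reach the SIEM is a change to the membership of the global administrator role, since the whole point of steps 1 and 2 is to keep that membership small and known. The following is an added example, not code from the Microsoft article or a particular SIEM product: the two JSON records are constructed in the shape of Azure AD audit log entries for "Add member to role" (the field names follow the audit log schema; the values are invented), and the function is the detection logic a SIEM rule would apply to the exported stream. Role changes made by an approved actor are rated Info; any other grant or removal of "Company Administrator" is rated High.

```powershell
# Added example, not from the Microsoft article. The JSON below is a constructed
# sample in the shape of Azure AD audit log records; values are invented.

$sampleAuditJson = @'
[
  { "activityDateTime": "2019-03-04T10:15:00Z", "activityDisplayName": "Add member to role",
    "initiatedBy": { "user": { "userPrincipalName": "ga-admin1@contoso.onmicrosoft.com" } },
    "targetResources": [ { "userPrincipalName": "jane@contoso.onmicrosoft.com",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Company Administrator\"", "oldValue": "" } ] } ] },
  { "activityDateTime": "2019-03-04T11:02:00Z", "activityDisplayName": "Add member to role",
    "initiatedBy": { "user": { "userPrincipalName": "helpdesk@contoso.onmicrosoft.com" } },
    "targetResources": [ { "userPrincipalName": "bob@contoso.onmicrosoft.com",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Company Administrator\"", "oldValue": "" } ] } ] },
  { "activityDateTime": "2019-03-04T11:30:00Z", "activityDisplayName": "Add member to role",
    "initiatedBy": { "user": { "userPrincipalName": "helpdesk@contoso.onmicrosoft.com" } },
    "targetResources": [ { "userPrincipalName": "carol@contoso.onmicrosoft.com",
      "modifiedProperties": [ { "displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\"", "oldValue": "" } ] } ] }
]
'@

function Find-GlobalAdminRoleChange {
    param(
        [Parameter(Mandatory)] [string] $AuditJson,
        # Accounts that are allowed to grant or remove the role (your dedicated global admins)
        [string[]] $ApprovedActor = @()
    )
    $events = $AuditJson | ConvertFrom-Json
    foreach ($e in $events) {
        if ($e.activityDisplayName -notin 'Add member to role', 'Remove member from role') { continue }
        foreach ($t in $e.targetResources) {
            $roleProp = $t.modifiedProperties | Where-Object { $_.displayName -eq 'Role.DisplayName' }
            if (-not $roleProp) { continue }
            # Adds carry the role in newValue, removals in oldValue; both are JSON-encoded strings
            $roleName = if ($roleProp.newValue) { $roleProp.newValue } else { $roleProp.oldValue }
            $roleName = "$roleName".Trim('"')
            if ($roleName -ne 'Company Administrator') { continue }
            $actor = $e.initiatedBy.user.userPrincipalName
            [pscustomobject]@{
                Time     = $e.activityDateTime
                Action   = $e.activityDisplayName
                Actor    = $actor
                Target   = $t.userPrincipalName
                Severity = if ($ApprovedActor -contains $actor) { 'Info' } else { 'High' }
            }
        }
    }
}

# The second record (helpdesk granting global admin to bob) is the one that should alert
Find-GlobalAdminRoleChange -AuditJson $sampleAuditJson -ApprovedActor 'ga-admin1@contoso.onmicrosoft.com' |
    Format-Table -AutoSize
```

In production the -ApprovedActor list is the same set of dedicated accounts used in step 1, so the rule doubles as a check that nobody outside that set is able to change global administrator membership.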

Next step

If you're setting up identity for your Office 365 subscription, see:

See also

Office 365 security roadmap.