June 3rd, 2021

Mini-Series 3 of 5

The Best things to do with Microsoft 365
Privileged Accounts - WST

We continue our series on basic and helpful security tips for your Microsoft 365 instance. Keep in mind, some of these tips require 365 Business Premium or Enterprise subscriptions, and can be configured in multiple locations, including Conditional Access policies.

Break glass in case of the “lottery bus”

We’ve talked about Multi-factor Authentication (MFA), and how important it is to add that additional layer of security to 365 applications for user-owned accounts and the NPI contained therein.

We are going to break from that philosophy for exactly one exception: a break-glass account. If you lose control of, or access to, your 365 instance, whether because someone was hit by the proverbial “bus” or won the lottery, because of a disgruntled employee, or because your subscription has been hacked by the latest pesky nation state, it’s a good idea to have an emergency access account.

The user account should be created and maintained in the cloud, and not be part of your Active Directory sync. It should be in the Global Admins role, and should be listed as a company admin. Obfuscate the username so its intended use is not apparent. Give the account an email address so you know when any password change attempts are made. The password should have the maximum number of characters, not be easily memorized, use all the special characters, and so on. And here’s the kicker: It’s recommended that the account should not be subject to any form of MFA, Conditional Access policies, or other restrictions. Security tokens and excessively restrictive policies can interfere with using the account for its intended purpose during an emergency.

You might be wondering how to manage not having MFA or where to store said password. Well, on the cheap side, for institutions that have them, put the credentials in a dual-control safe deposit box. Or consider storing the break-glass credentials (and all your other service-related accounts) in an encrypted on-premises password vault, preferably one that includes additional controls, like check-outs, mandatory password reset on check-in, and email and text notifications when any of those activities take place.

Limit the number of Global Admin role users and limit administrator privileges

There are many built-in roles within the 365 environment designed to help with the administration of 365 and Azure. Limit administrators to only the level of access they need to accomplish their given job duties. It is best practice to limit the number of Global Admins you have within the environment to anywhere from two to four administrators. Notice that the minimum we give is two Global Admin users. Never limit absolute control of your 365 instance to any one person. As we mentioned last week, people are unpredictable, and you never know when they may win the lottery.
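To check the break-glass and Global Admin recommendations above against a tenant export, here is an added example (not part of the original article or any Microsoft tooling). It assumes a JSON export of users whose `userPrincipalName`, `mail` and `onPremisesSyncEnabled` fields follow Microsoft Graph naming, with hypothetical `roles` and `mfaRegistered` fields merged in; the sample accounts are constructed.

```python
import json

GLOBAL_ADMIN = "Global Administrator"

# Constructed sample export (not real tenant data). Field names follow Microsoft
# Graph user properties where they exist (userPrincipalName, mail,
# onPremisesSyncEnabled); "roles" and "mfaRegistered" are hypothetical fields
# assumed to have been merged in by the export step.
SAMPLE_EXPORT = json.loads("""
[
 {"userPrincipalName": "svc-archive7@contoso.example", "mail": "secops@contoso.example",
  "onPremisesSyncEnabled": null, "roles": ["Global Administrator"], "mfaRegistered": false},
 {"userPrincipalName": "alice.admin@contoso.example", "mail": "alice@contoso.example",
  "onPremisesSyncEnabled": true, "roles": ["Global Administrator"], "mfaRegistered": false},
 {"userPrincipalName": "bob.helpdesk@contoso.example", "mail": "bob@contoso.example",
  "onPremisesSyncEnabled": true, "roles": ["Helpdesk Administrator"], "mfaRegistered": true}
]
""")


def audit_privileged_accounts(users, break_glass_upn, min_admins=2, max_admins=4):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    admins = [u for u in users if GLOBAL_ADMIN in u.get("roles", [])]
    if not min_admins <= len(admins) <= max_admins:
        findings.append(f"{len(admins)} Global Admins; expected {min_admins}-{max_admins}")

    bg = next((u for u in users
               if u["userPrincipalName"].lower() == break_glass_upn.lower()), None)
    if bg is None:
        findings.append("break-glass account not found")
    else:
        if bg.get("onPremisesSyncEnabled"):
            findings.append("break-glass account is synced from Active Directory")
        if GLOBAL_ADMIN not in bg.get("roles", []):
            findings.append("break-glass account is not a Global Admin")
        if not bg.get("mail"):
            findings.append("break-glass account has no email address for alerts")

    # MFA is waived only for the break-glass account, never for day-to-day admins.
    for u in admins:
        if u is not bg and not u.get("mfaRegistered"):
            findings.append(f"{u['userPrincipalName']} is a Global Admin without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_privileged_accounts(SAMPLE_EXPORT, "svc-archive7@contoso.example"):
        print("FINDING:", finding)
```

On the constructed sample, the only finding is the day-to-day Global Admin without MFA; the cloud-only break-glass account passes even though it has no MFA, which is the one exception described above.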

Restrict non-admin user access to the admin portals

This is another easy win. Removing the ability of any user who is not in an admin role group to access the admin portals falls under the concept of least-privileged access.

Look for more Microsoft 365 tips in the coming weeks!

Authored by: Mike Smith, AWS-CCP
