Protect your Office 365 global administrator accounts

Summary: Protect your global administrator accounts with these steps.

To better protect your Office 365 subscription from attacks based on the compromise of a global administrator account, you must do the following right now:

  1. Create dedicated Office 365 global administrator accounts and use them only when necessary.

  2. Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication.

  3. Enable and configure Office 365 Cloud App Security to monitor for suspicious global administrator account activity.

Security breaches of an Office 365 subscription, including information harvesting and phishing attacks, are typically done by compromising the credentials of an Office 365 global administrator account. Security in the cloud is a partnership between you and Microsoft:

  • Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.

  • You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control.

To protect yourself, you must put in place the controls and capabilities that Microsoft provides.

Note: Although this article is focused on global administrator accounts, you should also consider whether additional accounts with wide-ranging permissions to access the data in your subscription, such as eDiscovery administrator or security or compliance administrator accounts, should be protected in the same way.

Phase 1. Create dedicated Office 365 global administrator accounts and use them only when necessary

There are relatively few administrative tasks, such as assigning roles to user accounts, that require global administrator privileges. Therefore, instead of using everyday user accounts that have been assigned the global admin role, do the following immediately:

  1. Determine the set of user accounts that have been assigned the global admin role. You can do this in Office 365 PowerShell with this command:

    Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

  2. Sign into your Office 365 subscription with a user account that has been assigned the global admin role.

  3. Create at least one and up to a maximum of five dedicated global administrator user accounts. Use strong passwords at least 12 characters long. Store the passwords for the new accounts in a secure location.

  4. Assign the global admin role to each of the new dedicated global administrator user accounts.

  5. Sign out of Office 365.

  6. Sign in with one of the new dedicated global administrator user accounts.

  7. For each existing user account that had been assigned the global admin role from step 1:

    • Remove the global admin role.

    • Assign admin roles to the account that are appropriate to that user’s job function and responsibility. For more information about various admin roles in Office 365, see About Office 365 admin roles.

  8. Sign out of Office 365.

The result should be the following:

  • The only user accounts in your subscription that have the global admin role are the new set of dedicated global administrator accounts. Verify this with the following PowerShell command at the Windows Azure Active Directory Module for Windows PowerShell command prompt:

    Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId

  • All other everyday user accounts that manage your subscription have admin roles assigned that are associated with their job responsibilities.
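The verification step above only lists role members; the following script, an added example that is not part of the original article, compares that list against an allow-list of your dedicated global administrator UPNs (placeholder values here), reports any other account still holding the role, and only removes the role when you explicitly ask it to. It assumes the MSOnline module and an existing Connect-MsolService session signed in as one of the dedicated accounts (step 6 above), so the script never strips the role from the account running it.

```powershell
# Added example (not from the original article): audit the "Company Administrator"
# (global admin) role against an allow-list of dedicated admin accounts.
# Assumes: MSOnline module, Connect-MsolService already run as a dedicated global admin.
param(
    [string[]]$DedicatedAdmins = @(
        'globaladmin1@contoso.onmicrosoft.com',   # placeholder UPNs, replace with yours
        'globaladmin2@contoso.onmicrosoft.com'
    ),
    [switch]$Remediate   # without this switch the script only reports, it changes nothing
)

$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

foreach ($m in $members) {
    if ($m.RoleMemberType -ne 'User') {
        # Service principals can hold the role too; surface them for manual review.
        Write-Warning "Non-user principal holds global admin: $($m.DisplayName) ($($m.RoleMemberType))"
        continue
    }
    if ($DedicatedAdmins -contains $m.EmailAddress) {   # -contains is case-insensitive
        Write-Output "OK         $($m.EmailAddress)"
        continue
    }
    if ($Remediate) {
        # Step 7 of Phase 1: strip the global admin role from the everyday account.
        Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User `
                              -RoleMemberEmailAddress $m.EmailAddress
        Write-Output "REMOVED    $($m.EmailAddress)  (assign a job-appropriate admin role next)"
    } else {
        Write-Output "UNEXPECTED $($m.EmailAddress)  (rerun with -Remediate to strip the role)"
    }
}

# Safety check: make sure every dedicated account actually holds the role before you
# rely on it, so the tenant is never left without a working global administrator.
$missing = $DedicatedAdmins | Where-Object { $_ -notin $members.EmailAddress }
foreach ($upn in $missing) {
    Write-Warning "Dedicated admin $upn does NOT hold the global admin role"
}
```

Run it once without -Remediate to review the report, then again with -Remediate after confirming the UNEXPECTED entries are the everyday accounts from step 1.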

From this moment onward, you sign in with the dedicated global administrator accounts only for tasks that require global administrator privileges. All other Office 365 administration must be done by assigning other administration roles to user accounts.

Note: Yes, this requires additional steps to sign out as your everyday user account and sign in with a dedicated global administrator account. But this only needs to be done occasionally for global administrator operations. Consider that recovering your Office 365 subscription after a global administrator account breach requires a lot more steps.

Phase 2. Configure multi-factor authentication for your dedicated Office 365 global administrator accounts and use the strongest form of secondary authentication

Multi-factor authentication (MFA) for your global administrator accounts requires additional information beyond the account name and password. Office 365 supports the following verification methods:

  • A phone call

  • A randomly generated pass code

  • A smart card (virtual or physical)

  • A biometric device

If you are a small business that is using user accounts stored only in the cloud (the cloud identity model), do the following immediately to configure MFA using a phone call or a text message verification code sent to a smart phone:

  1. Enable MFA.

  2. Set up 2-step verification for Office 365 to configure each dedicated global administrator account for phone call or text message as the verification method.

If you are a larger organization that is using the synchronized or federated Office 365 identity models, you have more verification options. If you have the security infrastructure already in place for a stronger secondary authentication method, do the following immediately:

  1. Enable MFA.

  2. Set up 2-step verification for Office 365 to configure each dedicated global administrator account for the appropriate verification method.

If the security infrastructure for the desired stronger verification method is not in place and functioning for Office 365 MFA, we strongly recommend that you immediately configure dedicated global administrator accounts with MFA using a phone call or a text message verification code sent to a smart phone for your global administrator accounts as an interim security measure. Do not leave your dedicated global administrator accounts without the additional protection provided by MFA.

For more information, see Plan for multi-factor authentication for Office 365 Deployments.

To connect to Office 365 services with MFA and PowerShell, see this article.
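Phase 2 does not give you a way to confirm that every dedicated global administrator actually ended up with MFA. The report below is an added example, not code from the original article: it reads the per-user MFA state and registered methods of each global admin with the MSOnline module (after Connect-MsolService) and flags accounts with no MFA at all, plus those still on the phone-call or text-message interim method so you can track the move to a stronger second factor.

```powershell
# Added example (not from the original article): report the MFA state of every
# account that holds the global admin role.
# Assumes: MSOnline module, Connect-MsolService already run.
# StrongAuthenticationRequirements.State is 'Enabled' or 'Enforced' when per-user
# MFA is configured; the collection is empty (State is $null) when it is not.
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
          Where-Object { $_.RoleMemberType -eq 'User' }

# Phone-based methods are the interim option the article accepts; flag them separately.
$interimMethods = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice')

$report = foreach ($a in $admins) {
    $u       = Get-MsolUser -UserPrincipalName $a.EmailAddress
    $state   = $u.StrongAuthenticationRequirements.State
    $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
    $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

    if (-not $state)                          { $finding = 'NO MFA: fix immediately' }
    elseif ($default -in $interimMethods)     { $finding = 'Phone-based: interim only' }
    else                                      { $finding = 'OK' }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = if ($state) { $state } else { 'NotConfigured' }
        RegisteredMethods = ($methods -join ',')
        DefaultMethod     = $default
        Finding           = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize

# Anything in this list violates the "do not leave accounts without MFA" rule above.
$report | Where-Object { $_.Finding -like 'NO MFA*' } | Select-Object UserPrincipalName
```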

Phase 3. Enable and configure Office 365 Cloud App Security to monitor for suspicious global administrator account activity

Office 365 Cloud App Security allows you to create policies to notify you of suspicious behavior in your subscription. Cloud App Security is built into Office 365 E5, but is also available as a separate service. For example, if you do not have Office 365 E5, you can purchase individual Cloud App Security licenses for the user accounts that are assigned the global administrator, security administrator, and compliance administrator roles.

If you have Cloud App Security in your Office 365 subscription, do the following immediately:

  1. Sign into the Office 365 portal with an account that is assigned the Security Administrator or Compliance Administrator role.

  2. Turn on Office 365 Cloud App Security.

  3. Create anomaly detection policies to notify you by email of anomalous patterns of privileged administrative activity.

To add a user account to the Security Administrator role, connect to Office 365 PowerShell with a dedicated global administrator account and MFA, fill in the user principal name of the user account, and then run the following commands:

$upn="<User principal name of the account>"
Add-MsolRoleMember -RoleMemberEmailAddress $upn -RoleName "Security Administrator"

To add a user account to the Compliance Administrator role, fill in the user principal name of the user account, and then run the following commands:

$upn="<User principal name of the account>"
Add-MsolRoleMember -RoleMemberEmailAddress $upn -RoleName "Compliance Administrator"

Additional protections for your global administrator accounts

After Phases 1-3, use these additional methods to ensure that your global administrator account, and the configuration that you perform using it, are as secure as possible.

Privileged Access Workstation (PAW)

To ensure that the execution of highly privileged tasks is as secure as possible, use a PAW. A PAW is a dedicated computer that is only used for sensitive configuration tasks, such as Office 365 configuration that requires a global administrator account. Because this computer is not used daily for Internet browsing or email, it is better protected from Internet attacks and threats.

For instructions on how to set up a PAW, see http://aka.ms/cyberpaw.

Azure AD Privileged Identity Management (PIM)

Rather than having your global administrator accounts be permanently assigned the global administrator role, you can use Azure AD PIM to enable on-demand, just-in-time assignment of the global administrator role when it is needed.

In other words, instead of your global administrator accounts being permanent admins, they become eligible admins. The global administrator role is inactive until someone needs it. You then complete an activation process to add the global administrator role to the global administrator account for a predetermined amount of time. When the time expires, PIM removes the global administrator role from the global administrator account.

Using PIM and this process significantly reduces the amount of time that your global administrator accounts are vulnerable to attack and use by malicious users.

For more information, see Configure Azure AD Privileged Identity Management.

Note: PIM is available with Azure Active Directory Premium P2, which is included with Enterprise Mobility + Security (EMS) E5, or you can purchase individual licenses for your global administrator accounts.

Security information and event management (SIEM) software for Office 365 logging

SIEM software, and the server that runs it, perform real-time analysis of security alerts and events created by applications and network hardware. To allow your SIEM server to include Office 365 security alerts and events in its analysis and reporting functions, integrate the following in your SIEM system:

Next step

See Security best practices for Office 365.
