Sole 365 Admin - best way to protect Global Admin
Posted by Wide_Local_1896@reddit | sysadmin | 31 comments
So as the title says. Sole admin. Managing Exchange, Intune, Entra, Security, SharePoint, Teams.
Have a backup GA set up using phishing-resistant MFA, and my account is set up with CA policies that enforce phishing resistance.
I really don't like that I have GA but I'm in at least one of these things every day. Is the best way to assign myself to the 10+ admin roles I would need to accomplish GA access and remove my GA access?
I have LAPS set up for our desktop machines and GA gets admin access by default (would like a different role there too).
What do others do in a sole admin situation?
Thanks in advance
DuckDuckBadger@reddit
Assign yourself a P2 license and setup PIM. Activate roles when you need them and only for as long as you need them. Create a break glass GA account with strong MFA and properly secure MFA token.
post4u@reddit
I don't see that anyone posted this, so:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
Jezbod@reddit
My day-to-day account is AD domain admin as we are hybrid.
I have to use an incognito browser to use my separate Global Admin account to access the consoles and do any work.
We also have a break glass global admin account that has the password stored in a sealed envelope, in a restricted access fire safe, with an up to date printed copy of the business continuity and disaster recovery plans.
post4u@reddit
We're hybrid too. None of our day to day accounts are domain admins. What is your reasoning behind that?
Technical-Zebra-8964@reddit
Stop using your everyday account for global admin. Create a separate one.
Next is CA policies. Create a CA policy for non persistent sessions.
Last is to use PIM activation on that global admin account with MFA required
DegaussedMixtape@reddit
We are implementing exactly this stack currently. CA+PIM gets you to a pretty good spot.
GinnyJr@reddit
Bump
czj420@reddit
Your account shouldn't have GA. GA accounts shouldn't be synced from onprem.
AdamoMeFecit@reddit
A note of caution about relying on Conditional Access policies in this scenario. CA evaluation at authentication is a licensed feature. If your GA account does not have an assigned license that contains at least Entra ID P1 enablement, conditional access is not being assessed during authentication.
Most licenses that carry that enablement also enable Exchange Online mailboxes and Sharepoint repositories, which you really do not want your GA to have. Example: Microsoft 365 E5.
A standalone Entra ID P1/P2 license does exist. Microsoft guidance recommends GA accounts be assigned a minimum of P1 (for MFA and other conditional access enforcement). P2 is preferred in order to get PIM management and risk-based authentication enforcement, et al., which also are licensed features not granted by any role assignment.
Break glass accounts -- and only Break Glass accounts -- should be excluded from conditional access evaluation and can be unlicensed.
The best practice for sole practitioners like yourself would be two separate EntraID administrative accounts that live exclusively in EntraID and are not synchronized from an on-prem Active Directory infrastructure in a hybrid environment (i.e., do not cross administrative planes).
One account with lots of aggregated roles for day to day management, and a separate GA account, properly secured, which you pull out only when you actually need it.
And then, of course, a Break Glass account that you hope never to need.
In hybrid environments, a separate Domain Admin account for Active Directory, and a day to day administrator account to elevate privilege on endpoints, perform routine AD work, and so forth.
Unattached to all of that, your standard user account, which has email and all the other dirty detritus of everyday living glommed onto it.
Whoever is paying you is not paying you enough, I'm pretty sure.
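The two rules above (break-glass accounts, and only break-glass accounts, excluded from CA; admin roles forced onto phishing-resistant MFA) are easy to get wrong as policies accumulate. This is an added example, not from the thread or from Microsoft: a small audit over policy objects shaped like Graph `conditionalAccessPolicy` records, with constructed object IDs, role names in place of role template GUIDs, and a constructed authentication-strength label.

```python
"""Audit Conditional Access policies for the break-glass exclusion pattern (constructed sample)."""
BREAK_GLASS_IDS = {"bg-0001", "bg-0002"}           # constructed break-glass object IDs
PHISHING_RESISTANT = "phishing-resistant-mfa"       # constructed authentication-strength label

# Constructed policies in the shape of Graph conditionalAccessPolicy objects (assumption).
POLICIES = [
    {"displayName": "Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["GlobalAdministrator"],
                              "excludeUsers": ["bg-0001", "bg-0002"]}},
     "grantControls": {"authenticationStrength": PHISHING_RESISTANT}},
    {"displayName": "All users: MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-0001", "svc-backup"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Admins: no persistent browser session", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["GlobalAdministrator"],
                              "excludeUsers": []}},
     "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"}}},
]


def audit(policies, break_glass_ids, strength=PHISHING_RESISTANT):
    """Return a list of findings; an empty list means the break-glass pattern holds."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue                      # report-only / disabled policies enforce nothing
        users = p["conditions"]["users"]
        excluded = set(users.get("excludeUsers", []))
        name = p["displayName"]
        # 1) Only break-glass accounts may be excluded; anything else is a CA bypass.
        for extra in sorted(excluded - break_glass_ids):
            findings.append(f"{name}: non-break-glass exclusion '{extra}'")
        # 2) Every break-glass account must be excluded, or it can lock itself out.
        for missing in sorted(break_glass_ids - excluded):
            findings.append(f"{name}: break-glass '{missing}' is not excluded")
        # 3) Grant policies scoped to admin roles must demand phishing-resistant MFA.
        grant = p.get("grantControls")
        if users.get("includeRoles") and grant is not None \
                and grant.get("authenticationStrength") != strength:
            findings.append(f"{name}: admin-role grant lacks {strength}")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICIES, BREAK_GLASS_IDS):
        print(finding)
```

Against live data you would feed it the output of the Graph `conditionalAccessPolicies` endpoint and the object IDs of your break-glass accounts.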
cd36jvn@reddit
Are you sure this is correct?
I have my own user account with business premium. My admin account which is unlicensed still is controlled by conditional access.
This is a Microsoft quirk, their licensing is based on the honour system to a degree as there are lots of instances where buying one license of something enables it for the entire tenant. I'm pretty sure conditional access and p1 is one of those items.
So your unlicensed accounts are still protected, but come audit time you may not be.
But Microsoft does have a policy of one human one license. So if the same human has 3 different accounts, they just need licensing on one of them to satisfy licensing requirements.
https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-id-governance-licensing-clarifications/4164499
At least that's how I interpret this blog post straight from the horse's mouth.
Ronin_301@reddit
This has been my experience as well, with Entra P2 enablement via E5 licensing on our day-to-day accounts. None of our admin accounts are licensed but all are protected by our CA policies targeting them.
YaManMAffers@reddit
Break Glass account. It is a Global admin account with a VERY strong password that is never used unless there is an emergency.
GinnyJr@reddit
And stored offline in a safety deposit box or similar
MonkeyMan18975@reddit
You use #1 every day: email, Office, etc. You log in as #2 when you need to do administrative tasks. You log in to #3 when you need to do tenant-level changes.
As for LAPS, I'd remove local admin and instead of the GA, I'd use the "low level admin" group so your admin account can elevate.
GinnyJr@reddit
Perfect response
Wide_Local_1896@reddit (OP)
Is there a role in Entra outside of GA that can get admin access to desktops? I was having trouble finding one.
Loudergood@reddit
Use LAPS instead
MonkeyMan18975@reddit
Check out the section talking about managing local groups
Manage account protection settings with endpoint security policies in Microsoft Intune - Microsoft Intune | Microsoft Learn
WibbleNZ@reddit
Microsoft Entra Joined Device Local Administrator
bjc1960@reddit
We have 4 backup keys scattered across the USA with the executive team in case I die. People die every day in this country. I have worked in places where someone didn't come in one day. Desk cleaned out the next day, person passed away (one while sleeping, another in a motorcycle accident). I am not the only person with a GA secondary pimmed account, but we need to consider mass casualty events, geographic events, employee violence, etc.
adappergentlefolk@reddit
have a set of trusted coworkers that can approve your GA admin elevation when you need it. four-eyes principle means your account stops being automatically exploitable
hihcadore@reddit
Approach admin creds like an onion.
Your regular daily use account has no admin roles.
A desktop admin account that handles endpoint administration requirements.
A server admin account that handles admin requirements on servers or non-endpoints.
And a global admin account.
A break-glass global admin account with a YubiKey for MFA. Give it to the owner in an envelope with login instructions and with the brief: only use if I die in a fiery car crash or you fire me, and please keep this in the safe.
KandevDev@reddit
emergency-access ("break glass") account with a 30-char random password printed and locked in a safe + a separate hardware key. that account is never used, never touched by automation, never logged into. when your day-to-day GA gets locked out or your phishing-resistant MFA breaks at 2am you have one path back in. without it you are calling Microsoft support and waiting 4 days.
OregonTechHead@reddit
I'll add that this account should also be monitored and alerts sent every time it is logged into.
KandevDev@reddit
yeah, alerting on every break-glass login is essential and i forgot to mention it. specifically: not just to email but to a channel that is monitored even when the alerted person is sleeping (sms, pagerduty, whatever your team uses). a break-glass login at 3am that nobody sees until 9am is half a security incident already.
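The detection the two comments above describe, as an added example that is not part of the thread: every sign-in attempt by a break-glass account, successful or not, becomes an alert routed to a paged channel. The sign-in records are constructed in the shape of Graph `/auditLogs/signIns` entries, and the UPNs and IPs are made up.

```python
"""Alert on every sign-in attempt by a break-glass account (constructed sample log)."""
import json
from datetime import datetime, timezone

# Constructed break-glass UPNs (assumption); matching is case-insensitive.
BREAK_GLASS_UPNS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}

# Constructed newline-delimited records in the shape of Graph signIn objects.
SAMPLE_LOG = """
{"createdDateTime":"2024-05-02T03:12:44Z","userPrincipalName":"BG-Admin-1@contoso.example","ipAddress":"203.0.113.7","appDisplayName":"Azure Portal","status":{"errorCode":0}}
{"createdDateTime":"2024-05-02T09:01:10Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.4","appDisplayName":"Office 365","status":{"errorCode":0}}
{"createdDateTime":"2024-05-02T11:40:03Z","userPrincipalName":"bg-admin-2@contoso.example","ipAddress":"203.0.113.9","appDisplayName":"Azure Portal","status":{"errorCode":50126}}
"""


def parse_sign_ins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def break_glass_alerts(records, break_glass_upns=BREAK_GLASS_UPNS):
    """One alert per break-glass attempt. Failures count too: they mean someone is probing the account."""
    alerts = []
    for r in records:
        upn = r.get("userPrincipalName", "").lower()
        if upn not in break_glass_upns:
            continue
        code = r.get("status", {}).get("errorCode", 0)
        when = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ") \
                       .replace(tzinfo=timezone.utc)
        alerts.append({
            "upn": upn,
            "time": when.isoformat(),
            "ip": r.get("ipAddress"),
            "app": r.get("appDisplayName"),
            "outcome": "success" if code == 0 else f"failure ({code})",
            # A successful sign-in is the worst case; a failure is still worth waking someone.
            "severity": "critical" if code == 0 else "high",
            # Never email-only: the thread's point is a channel watched at 3am.
            "route": "pager",
        })
    return alerts


if __name__ == "__main__":
    for a in break_glass_alerts(parse_sign_ins(SAMPLE_LOG)):
        print(a)
```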
plump-lamp@reddit
Backup GA with a yubikey. Lock it up, that's it
Cormacolinde@reddit
Two GAs with two Yubikeys in two separate locations. Both GAs on each key.
Rawme9@reddit
+1. It's how our company does it. 2 envelopes per break glass account kept in different physical locations.
Sroni4967@reddit
break glass account with a hardware key stored in a safe works fine
GradeAccomplished322@reddit
I would make sure my day to day account isn't an admin
Regular admin account for day to day maintenance
I would have a backup admin account that auths with a physical token or something functionally similar that can't be trivially stolen.
Maybe let the company owner know the process for retrieving and using it in case you end up hospitalized and he needs to do something, maybe with written and printed instructions for foreseeable normal processes like unlocking users (the instructions should lack the safe code or whatever where the key is, in case the instructions are stolen). One day you will be getting emergency dental work on the same day someone locks themselves out before a big deal is inked or something like that.
StevenH1901@reddit
You can assign yourself all admin roles, including GA, then go to start using PIM so you’re only activating what is needed at that moment.