The following list contains recommended configurations when deploying O365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,” assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary.
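As an added example (not part of this report), the Python script below audits a tenant against the two recommendations above through Microsoft Graph v1.0: it lists the user members of the Global Administrator role, checks each against the authentication-methods registration report, and reads the Security Defaults policy. The `SAMPLE` responses are constructed data so it runs offline; `live_getter` assumes you supply a bearer token with read access to directory roles, the registration report and identity policies.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"  # Microsoft Graph endpoints used by the audit
ROLES_URL = GRAPH + "/directoryRoles"
MEMBERS_URL = GRAPH + "/directoryRoles/{id}/members"
MFA_URL = GRAPH + "/reports/authenticationMethods/userRegistrationDetails"
SECDEF_URL = GRAPH + "/policies/identitySecurityDefaultsEnforcementPolicy"


def page_through(get_json, url):
    """Follow @odata.nextLink so large tenants are not silently truncated."""
    while url:
        body = get_json(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def audit_global_admins(get_json):
    """Return (UPNs of Global Administrators not registered for MFA, Security Defaults on?)."""
    admins = set()
    for role in page_through(get_json, ROLES_URL):
        if role.get("displayName") != "Global Administrator":
            continue
        for m in page_through(get_json, MEMBERS_URL.format(id=role["id"])):
            if m.get("@odata.type") == "#microsoft.graph.user":  # skip service principals
                admins.add(m["userPrincipalName"].lower())
    mfa_ok = {d["userPrincipalName"].lower()
              for d in page_through(get_json, MFA_URL) if d.get("isMfaRegistered")}
    return sorted(admins - mfa_ok), bool(get_json(SECDEF_URL).get("isEnabled"))


def live_getter(token):
    """get_json for a real tenant; `token` is an assumed bearer token (not provided here)."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get_json


# Constructed sample tenant (not real data); the MFA report spans two pages to exercise nextLink.
SAMPLE = {
    ROLES_URL: {"value": [{"id": "role-1", "displayName": "Global Administrator"}]},
    MEMBERS_URL.format(id="role-1"): {"value": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "admin@contoso.example"},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "setup@contoso.example"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "automation"}]},
    MFA_URL: {"value": [{"userPrincipalName": "admin@contoso.example", "isMfaRegistered": True}],
              "@odata.nextLink": MFA_URL + "?$skiptoken=p2"},
    MFA_URL + "?$skiptoken=p2": {"value": [
        {"userPrincipalName": "setup@contoso.example", "isMfaRegistered": False}]},
    SECDEF_URL: {"isEnabled": False}}
```

Run `audit_global_admins(SAMPLE.__getitem__)` for the offline sample, or `audit_global_admins(live_getter(token))` against a real tenant; any UPN in the first element of the result is a Global Administrator that should be enrolled in MFA immediately.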