Consultant’s Corner

Welcome to Quorum’s Consultant’s Corner. A place where our Consulting team can drop knowledge, talk about the issues that are currently on their minds, give us an insight into their passions, or just have a good old rant.

These articles won’t be released with any specific cadence, but they will always be useful and topical!

While the Global Administrator (Admin) role in Azure Active Directory (AD) empowers users to oversee the entire directory, granting them unparalleled control and access, this level of privilege comes with a caveat: it is a double-edged sword. In the wrong hands or when misused, the Global Admin role can inadvertently expose your business to significant security risks, data breaches, and operational chaos.

Over the years, I’ve worked with companies of various sizes, small start-ups to global multinational organisations, Public Sector, Health Care, Education, and Local and National Governments. All of these use Office 365 and Azure AD (Microsoft Entra ID).

One of the most common observations I have made over the years is the use of, and the number of, Global Admins. Regardless of the number of users a company has, it’s the same issue, too many Global Admins! You’ve heard the phrase “too many cooks spoil the broth” well, my phrase in this case would be “too many Global Admins spoil the security”.

We’ve all been guilty of requesting the Global Admin role in order to do a task, myself included. Is the Global Admin role really the right role for the task? Most of the time the answer will be no. But it’s easier to request that role as it covers all aspects of management in Azure AD (Microsoft Entra ID). This is the exact reason we should not be requesting it! Not just to reduce the attack surface, but also to protect the Azure AD (Microsoft Entra ID) Tenant from human error and an admin accidentally deleting a user, resource or group or making a change in the tenant that affects all users. More often than not, from what I have seen, this role is also permanently assigned.

Best Practice

Looking at the Microsoft recommendations and best practices for the Global Admins there should be no more than five in an Azure AD (Microsoft Entra ID) Tenant, two of which should be your break glass accounts. Companies I have worked with over the years have had varying numbers of Global Admins ranging from 1 – 25. Some do use Privilege Identity Manager (PIM), but more often, its not used.

I’ve had the argument that three admins with the Global Admin role is not enough, I would challenge that, push back, and ask why is three not enough? What is the user doing in Azure AD (Microsoft Entra ID) with the Global Admin role that they cannot do with one of the other Admin Roles?

I’ve seen admins for Azure AD (Microsoft Entra ID) configured in various ways. Some of which are:

The Microsoft recommendation is to have named cloud only admin accounts in Azure AD (Microsoft Entra ID).

So, how are you using admin roles?

Are you using shared/generic accounts for Azure AD (Microsoft Entra ID) admin roles?

If so, why? This is a huge security risk, it creates all sorts of potential issues, multiple users being prompted for MFA, users accessing from multiple locations/devices. Plain and simple, it’s not good security practice. If you are using shared/generic accounts then I would suggest that this needs to be remediated immediately. Account sharing is not good practice for regular user accounts let alone admin roles!

Are your accounts synced from your on-premises Active Directory?

I get why you want to do this; you have the one admin account for both cloud and on-premises, but this is exactly why you shouldn’t do this. If for whatever reason details are leaked/compromised then the attacker will have access to both cloud and on-premises, again not good for security.

Why is using a cloud only account for admin roles good practice?

Using cloud only accounts for Azure AD (Microsoft Entra ID) admin roles will protect the cloud services should an on-premises admin account be compromised and will protect your on-premises infrastructure in the unlikely event of a cloud account being compromised.

Are you using PIM? If not, why?

The most common excuse is “we do not have the licenses for them to use PIM”. Yes, this is an Azure AD (Microsoft Entra ID) P2 feature, but I would argue that the cost of this license is worth more than the cost of the keys to your kingdom being compromised? The admin user does not need a full-blown Microsoft 365 E5 license.

Another thing that can also be used in conjunction with PIM is Access Reviews and Access Packages. So rather than explicitly giving the user the ability to elevate themselves to the Admin Role, provide them with the option to join a group which will provide them the ability to elevate themselves to the Admin Role. This way you can then apply Access Reviews to the users and provide tighter stricter measures when dealing with the Admin Roles.

How do you control access to these accounts?

Of course, these accounts should have MFA enabled. But do you lock the access down to Privileged Access Workstations (PAWs)? Allow from only specific locations or something else?

Could you use a hand with this?

If this is all becoming a bit troublesome or confusing within your organisation, reach out and one of Quorum’s consultants can give you a hand. We’ve been building security into all of our solutions for 25 years and we’ve seen it all; the good the bad, and the downright ugly. We also happen to be experts in designing and delivering highly secure and resilient identity solutions.

Contact us today to learn more about how we can secure your business.

Or if you’d just like a bit more information on the Microsoft best practice for Azure AD roles, you can have a look here:

Best practices for Azure AD roles – Microsoft Entra | Microsoft Learn

Articles

CONTACT INFO

Quorum Network Resources Ltd

18 Greenside Lane Edinburgh

UK EH1 3AH

Phone: +44 131 652 3954

Email: marketing@quorum.co.uk