As an O365/M365 Administrator you can occasionally make a mistake. It may not seem apparent at the time, but later down the line it can cause you problems. Or maybe there is a setting within the Microsoft environment that is enabled / disabled by default and should be changed; you just need to know about it. Whichever of these situations you are in, knowing the 5 Things you should not do with M365 Admin will help you out in the long run.
Do Not Use the Global Admin Account
Don’t make every user who performs some form of Admin in your tenant a Global Administrator. There are several types of Admin roles, and following the principle of least privilege you should only grant the access a user actually needs to perform their job.
Not Having a Backup Admin Account With no MFA
In the unfortunate event of your Global Administrator account being compromised, it is good to have a backup Administrator account. If you do not, it will take Microsoft a long time to get you access to your Tenant again. With a backup you can get back in, disable the compromised Global Admin account and mitigate any damage that might have been caused. Do this by creating another Global Administrator Account. Do not call it Admin!! Call it something else. Make the password long and complicated and DO NOT enable MFA. Doing so would just complicate things. Store the information for this account offline (like in a safe). The technical term for this type of account is a “break glass account”.
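The two points above (least privilege for admin roles, and a separately named break glass Global Administrator with a long random password) as an added example in Microsoft Graph PowerShell. This is not the author's script; it assumes the Microsoft.Graph module is installed, and the tenant domain and account name are placeholders to replace with your own.

```powershell
# Added example (not the post's code). Assumes the Microsoft.Graph PowerShell module
# and that the tenant domain and account name below are replaced with your own.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$tenantDomain = "contoso.onmicrosoft.com"          # assumption: your tenant
$accountName  = "ops-recovery-7f3a"                # deliberately not "admin"
$upn          = "${accountName}@${tenantDomain}"

# Long random password from the OS CSPRNG. The alphabet has exactly 64 symbols,
# so reducing a byte modulo 64 introduces no bias.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes    = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

$passwordProfile = @{
    Password                      = $password
    ForceChangePasswordNextSignIn = $false   # the password in the safe must keep working
}
$user = New-MgUser -DisplayName "Emergency Access 1" -UserPrincipalName $upn `
    -MailNickname $accountName -AccountEnabled -PasswordProfile $passwordProfile

# Add the new account to the Global Administrator role.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Least-privilege review: list everyone who currently holds Global Administrator,
# so anyone who only needs a narrower role can be moved to it.
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Shown once so it can be written down and stored offline; it is kept nowhere else.
Write-Host "Break glass account $upn password: $password"
```

The role-member listing at the end is worth running on its own on a schedule: the output should be a very short list, and every name on it should be there for a reason you can state.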
Having a Second Domain With no DNS TXT Record
So, you decide to add a second domain to your tenant. Great. To do so you need to add a DNS TXT record to your domain registration records to prove you own the domain, via the add domain wizard in the Admin portal. You are successful. You may be tempted to delete the TXT record afterwards but DON’T. If you do, you have set yourself up for a possible DNS Poisoning attack. Leave it.
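A small check for the TXT record described above, as an added example (not part of the original post). It uses Resolve-DnsName, which ships with Windows in the DnsClient module; the domain name and the MS=ms… value are placeholders, the real value being the one the admin portal shows for your domain.

```powershell
# Added example (not the post's code). Resolve-DnsName ships with Windows (DnsClient module);
# the domain name and expected value are placeholders to replace with your own.
function Test-M365VerificationTxt {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ExpectedValue   # the MS=ms... value shown in the admin portal
    )
    # -DnsOnly skips the local cache and hosts file so we see what resolvers actually return.
    $answers = Resolve-DnsName -Name $DomainName -Type TXT -DnsOnly -ErrorAction Stop
    # A TXT answer may be split into several strings; join them before comparing.
    $txtValues = $answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    [pscustomobject]@{
        Domain              = $DomainName
        VerificationPresent = [bool]($txtValues -contains $ExpectedValue)
        # Any other MS=ms... values are worth a look: they should all be ones you added.
        OtherMsRecords      = @($txtValues | Where-Object { $_ -like 'MS=ms*' -and $_ -ne $ExpectedValue })
    }
}

# Run this after adding the domain, and again as part of your periodic checks.
Test-M365VerificationTxt -DomainName 'example.com' -ExpectedValue 'MS=ms12345678'
```

VerificationPresent should stay $true for as long as the domain is in your tenant; if it flips to $false, someone has removed the record and it should go straight back in.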
Not Understanding Shared Mailbox Behavior
This falls under a mistake that is not apparent until later. Creating a shared mailbox is easy. You go under the shared mailbox tab in O365 Admin and create a shared mailbox. Then you add users to the mailbox. If you want to be more granular you can also administer it through the Exchange Admin Center in your portal. The problem exists when you take a standard mailbox (single user) and convert it to shared. This is usually done when a user leaves the organization and other users need to access their mail. You may be doing a user audit some months later and decide that this user can be deleted.
If you forget that this user is now a shared mailbox, and the delegates still need access to it, they will lose the mailbox!! A better way to do this is to block the defunct user account's sign in. You can then report on blocked users and see which ones have a shared mailbox. Find out who the delegates are and check whether they still need access. If they don’t, you can at least delete the account safe in the knowledge you won’t be cutting off anyone’s mailbox access.
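The off-boarding steps and the audit described above, as an added example (not the author's script) using the ExchangeOnlineManagement and Microsoft.Graph modules. The leaver's UPN is a placeholder; the report lists every sign-in-blocked account that still owns a shared mailbox together with its delegates, which is exactly what you want in front of you before deleting anything.

```powershell
# Added example (not the post's code). Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules; the UPN is a placeholder.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Off-boarding: convert the leaver's mailbox to shared and block sign-in instead of deleting.
$leaver = "jane.doe@contoso.com"   # assumption
Set-Mailbox -Identity $leaver -Type Shared
Update-MgUser -UserId $leaver -AccountEnabled:$false

# Audit before any clean-up: blocked accounts that still own a shared mailbox, with delegates.
function Get-BlockedSharedMailboxReport {
    $blocked = Get-MgUser -Filter "accountEnabled eq false" -All -Property UserPrincipalName,AccountEnabled
    foreach ($u in $blocked) {
        $mbx = Get-EXOMailbox -Identity $u.UserPrincipalName -Properties RecipientTypeDetails -ErrorAction SilentlyContinue
        if (-not $mbx -or $mbx.RecipientTypeDetails -ne 'SharedMailbox') { continue }
        # Explicit (non-inherited) FullAccess grants are the delegates who would lose the mailbox.
        $delegates = Get-EXOMailboxPermission -Identity $u.UserPrincipalName |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
            Select-Object -ExpandProperty User
        [pscustomobject]@{
            SharedMailbox = $u.UserPrincipalName
            Delegates     = ($delegates -join '; ')
            SafeToDelete  = ($delegates.Count -eq 0)
        }
    }
}
Get-BlockedSharedMailboxReport | Format-Table -AutoSize
```

SafeToDelete only says nobody holds FullAccess any more; still confirm with the delegates before removing the account, since the mailbox and its contents go with it.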
Not Understanding Guest User Access
Giving users guest access to your organization is fine, but O365 has guest access set up by default:
This is the most inclusive / least restrictive access for guests in your tenant. You may not want this type of access granted to your guests. Adjust it to whatever makes your organization comfortable.
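Reading and adjusting the tenant's guest access settings from Microsoft Graph PowerShell, as an added example (not the author's script). It assumes the Microsoft.Graph module; the three guestUserRoleId values are the ones Microsoft documents for the authorizationPolicy resource, and the target settings at the end are one possible choice rather than a recommendation for every tenant.

```powershell
# Added example (not the post's code). Assumes the Microsoft.Graph module. The three
# guestUserRoleId values are the ones Microsoft documents for the authorizationPolicy resource.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$guestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members (least restrictive)'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access to directory objects'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted to their own directory objects (most restrictive)'
}

function Show-GuestAccessSettings {
    $policy = Get-MgPolicyAuthorizationPolicy
    [pscustomobject]@{
        GuestRole        = $guestRoleNames["$($policy.GuestUserRoleId)"]
        AllowInvitesFrom = $policy.AllowInvitesFrom
    }
}

"Before:"; Show-GuestAccessSettings

# Example target (your choice may differ): the most restrictive guest role, and only
# admins and users in the Guest Inviter role may send invitations.
Update-MgPolicyAuthorizationPolicy `
    -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' `
    -AllowInvitesFrom 'adminsAndGuestInviters'

"After:"; Show-GuestAccessSettings
```

Keep the "Before" output with your change records: it tells you what the tenant looked like and makes it easy to put a setting back if a guest-dependent workflow breaks.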
Making sure the 5 Things you should not do with M365 Admin are addressed will ensure that you have not only security hardened your environment, but also spared yourself some unexpected surprises along the way!
Happy IT’ing
Dan