Working Global Admin Account

Richard Berry 361 Reputation points

I have 3 Global Admin accounts in my tenant: a) Account 1 in my working tenant, and b) Accounts 2 & 3 in my tenant, which are Emergency Breaking Glass accounts and, as stated on the label, NOT used unless there is an emergency.

  • I am setting up a conditional access policy that requires MFA for ALL Users on the Include side of the assignment and on the excluded side of the assignment are the Emergency Breaking Glass Accounts Account 2 & 3 (so as to not lock myself out of the tenant).
  • Simple Question - Account 1, do I exclude it from the policy or not? What is best practice, as it is my main working Global Admin Account, do I apply the policy and get the extra protection or do I exclude it from the policy?

Many thanks.


1 answer

  1. Crystal-MSFT 21,966 Reputation points Microsoft Vendor

    @Richard Berry, Thanks for posting in Q&A.

    As far as I know, Global Admins have almost unlimited access to your organization's settings and most of its data. Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. Here is a link with more details:

    From my point of view, if the global account Account 1 is used by one person, you can enable MFA to secure it. If it is shared by many people, maybe you can exclude it from the conditional access policy which requires MFA.

    As this belongs to Azure AD, to help you get professional support, I have added the "Azure Active Directory" tag for you.

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
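
The policy described in the question, as an added example that is not part of the original thread: a Python check over a policy in the Microsoft Graph `conditionalAccessPolicy` JSON shape that reports, for each Global Admin, whether this policy enforces MFA or the account falls outside it. The object IDs, the function names and the status labels are constructed for illustration, and only direct user assignments are evaluated (group and role assignments are not).

```python
# Constructed placeholder object IDs standing in for the three accounts.
ACCOUNT_1 = "00000000-0000-0000-0000-000000000001"  # working Global Admin
ACCOUNT_2 = "00000000-0000-0000-0000-000000000002"  # emergency account
ACCOUNT_3 = "00000000-0000-0000-0000-000000000003"  # emergency account
EMERGENCY_ACCOUNTS = {ACCOUNT_2, ACCOUNT_3}
GLOBAL_ADMINS = {ACCOUNT_1, ACCOUNT_2, ACCOUNT_3}

def make_policy(excluded_users, state="enabled"):
    """Build the 'MFA for all users' policy from the question (constructed)."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": sorted(excluded_users)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def mfa_enforced_for(policy, user_id):
    """True if this policy, taken alone, forces MFA on user_id."""
    if policy.get("state") != "enabled":      # report-only or disabled
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    # With OR and several controls, another control could satisfy the policy.
    if grant.get("operator") == "OR" and len(controls) > 1:
        return False
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):  # exclusion overrides inclusion
        return False
    included = users.get("includeUsers", [])
    return "All" in included or user_id in included

def audit(policy, admins, emergency):
    """Map each admin to 'mfa', 'excluded-emergency' or 'no-mfa'."""
    report = {}
    for uid in sorted(admins):
        if mfa_enforced_for(policy, uid):
            report[uid] = "mfa"
        else:
            report[uid] = "excluded-emergency" if uid in emergency else "no-mfa"
    return report

if __name__ == "__main__":
    policy = make_policy(EMERGENCY_ACCOUNTS)
    for uid, status in audit(policy, GLOBAL_ADMINS, EMERGENCY_ACCOUNTS).items():
        print(uid, status)
```

Running the same audit on a policy whose state is `enabledForReportingButNotEnforced` reports `no-mfa` for Account 1, which is a quick way to confirm the policy has actually been switched on.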