Essential Microsoft 365 Safety Tip
The worst hacker-friendly default.
When your Microsoft 365 (M365) account (tenant) or Google Workspace is created, it comes with the ultimate hacker-friendly default at no extra cost. What a deal! The first user created becomes an administrator. Initially this is essential: it keeps you in control of your tenant so you can add users, change features and adjust other settings. However, you are never advised or warned that leaving it this way is dangerous and that some changes need to be made.
Why this is an issue.
Account hijacking, through either token theft (see my article on Business Email Compromise) or getting scammed through phishing, is a common occurrence. Bad enough if it happens to an employee, but potentially catastrophic if you are an admin whose multifactor authentication is not "phishing resistant", because the attacker gains complete control of your digital destiny. The attacker can potentially create other admin accounts, steal all of your data, perform a hostile takeover of your tenant and even delete it entirely. If you don't follow all that, just know that the potential outcome is catastrophic.
How to know if your tenant is susceptible
For M365, the quickest way to audit your tenant is to have someone with an administrator account (this might be you) do the following:
Navigate to Microsoft's identity platform Entra ID https://entra.microsoft.com
In the navigation column on the left, click Roles & Admins
In the search box, type "Global Admin"
Select the "Global Administrator" row to see who has those privileges assigned.
Note: if you can do this, you likely have the privilege…
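The same check can be repeated from a script so it is easy to rerun after any change. This is an added example using Microsoft Graph PowerShell, not something from the article; it assumes the Microsoft.Graph module is installed and that the signed-in account is allowed to read directory roles.

```powershell
# Added example (not from the original article): list every member of the
# Global Administrator role in the current tenant, as the manual steps above do.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run once.

# Read-only scopes are enough for an audit; nothing here changes the tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Global Administrator is identified by a fixed, well-known role template id,
# which is more reliable than matching on the display name.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"

$gaRole = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Members can be users, groups or service principals; the details live in
# AdditionalProperties on the returned directory objects.
$report = foreach ($m in $members) {
    [pscustomobject]@{
        Type              = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        DisplayName       = $m.AdditionalProperties['displayName']
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        Id                = $m.Id
    }
}

$report | Format-Table -AutoSize

# Microsoft's own guidance is to keep Global Administrator to fewer than five
# accounts; a daily-use mailbox in this list is the exposure the article describes.
Write-Host ("Global Administrator members: {0}" -f $report.Count)
if ($report.Count -ge 5) {
    Write-Warning "More than four Global Administrators; review and trim this list."
}
```

Any account you recognise as someone's everyday work identity appearing in this list is the problem the next section fixes.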
What to do
If you don't have an IT or Security provider – Connect and talk to me, I can help you figure it out.
If you have an IT or Security provider – contact them and ask them to create a separate administrator account and a break-glass account for you. Here are some references for them if needed:
Protect your Microsoft 365 Privileged Accounts https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide&utm_source=chatgpt.com
Manage Emergency Access Accounts https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access?utm_source=chatgpt.com
If you have decent M365 DIY skills and the desire – read the articles just referenced and use the following as a general guide. If uncertain, get help.
Create a separate administrator account for yourself with either:
No license - this can stay logged in for up to 90 days (not ideal)
Entra ID P1 - this currently costs $7.32 monthly and lets you use Conditional Access to limit the session length (which should be done)
Create a similar break-glass administrator account (as in "in case of fire, break glass") which will never be used except in an emergency. Put the user ID and password in a fireproof safe and never use it other than for your initial test.
Critical – Test logging into both accounts! If you don't do this step carefully you could permanently lose control of your tenant!
Add MFA to your new admin account. Log out, close the browser and log back in. Your test isn't complete until this is done.
In an "In Private" browser session log into your break glass account to make sure the user ID and password work, but do not add MFA. Close the session and put the printed user name and password in a fireproof, waterproof safe. Don't take it out unless you need it.
From your new administrator account, remove the Global Admin rights from your daily work account.