It should come as no surprise that a privileged access account in the wrong hands could wreak havoc in your Microsoft 365 tenant, yet all too often I see them granted unnecessarily and often protected exclusively by hope and prayer. This not only puts tenants at unnecessary risk but more importantly, it keeps me up at night. I realised if I were to detail every rule that should be followed (of which there are about 30) it would be a rather lengthy and cumbersome read. Therefore, in this post, I will outline what I regard as the top 4 non-negotiable rules that you should follow to protect and govern your privileged accounts in Microsoft 365.
Rule #1: Use Isolated Identities
I put this one at the very top of my list because breaking it is excruciatingly common. Make sure you use separate, isolated accounts for all privileged access. It really is that simple. Your administrators should not be using their privileged accounts for day-to-day activities such as email and chat. Using highly privileged accounts for everyday activities puts you at risk of targeted attacks, e.g. spear-phishing or business email compromise (BEC).
Using isolated identities is not only easy and low cost to implement but actually makes governance of privileged accounts much easier. It also allows you to increase the security controls on these accounts without negatively impacting the day-to-day activities of your administrators.
Even for my blog, I have two accounts; one for publishing posts and one for general administration. This means that if the account I use publicly to write posts were to be compromised (and I get several attempts a week), the worst thing they could do is delete my posts which I would simply restore using my admin account.
Rule #2: Enforce MFA
For the love of all that is holy in the world, please enforce MFA to protect all of your privileged accounts. There is little more I can say on the matter. I know you know you should be doing it and there is no reason to not do it. I’ll make it nice and easy for you and give you the link to the guide on how to do this:
Require MFA for administrators – AAD | Microsoft Docs
If you are worried about negatively impacting the day-to-day experience for your administrators, Rule #1 has got you covered.
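The Microsoft Docs guide linked above walks you through the portal; for those who prefer to script it, here is the same policy built with the Microsoft Graph PowerShell SDK. This is an added example and not code from the post or from Microsoft's guide. It assumes the Microsoft.Graph module is installed, that the signed-in account can create Conditional Access policies, and that the emergency-access (break-glass) UPN below is a placeholder you replace with your own. The policy is created in report-only state on purpose: check the sign-in logs for a few days, then flip it to enabled.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# requires MFA for every directory role assignment, created via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; caller can write CA policies;
# 'breakglass@contoso.example' is a placeholder for your emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "Directory.Read.All", "User.Read.All"

# Resolve role template IDs by display name instead of hard-coding GUIDs.
# Extend this list to whichever roles you treat as privileged in your tenant.
$privilegedRoleNames = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Exchange Administrator", "SharePoint Administrator", "User Administrator",
    "Conditional Access Administrator", "Authentication Administrator"
)
$roleTemplateIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $privilegedRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Exclude the emergency-access account so a broken policy cannot lock every admin out.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create the policy without an exclusion." }

$policy = @{
    displayName = "Require MFA for privileged roles"
    # Report-only first: sign-in logs show what WOULD have been blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($roleTemplateIds)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Once you are happy with the report-only results, change `state` to `enabled` (in the portal or with `Update-MgIdentityConditionalAccessPolicy`). Keep the break-glass exclusion, and protect that account by other means, such as a very long password kept offline and alerting on every sign-in.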
Rule #3: Use Just-In-Time Access
In the Microsoft 365 world, this comes in the shape of Privileged Identity Management (PIM) which, in my humble opinion, is a must-have tool. I know what you’re going to say, and yes it does require a Premium P2 license. Despite that, I have decided to include this as one of my non-negotiable rules. Assuming you already have Premium P1 (to conditionally enforce your MFA as per Rule #2) Premium P2 will only set you back about £2 extra per user/month. To keep the cost down, you need only license your privileged accounts – of which you only have a handful, don’t you?! In fact, this additional cost will be an added incentive to keep tabs on how many privileged accounts you have in your directory.
Rule #4: Regularly Review Your Accounts
We’re in good shape, we’ve got isolated accounts, protected by MFA and PIM. However, as I tell all my customers, there is no better defence than keeping your attack surface as small as possible. In this case, this simply means regularly reviewing your privileged access accounts and reducing their access or deleting the account entirely if it is no longer needed. Even the best hacker in the world will struggle to infiltrate an account that no longer exists.
Thankfully, Microsoft have two really nice tools to help you do this, both of which are features in your shiny new PIM that you implemented back in Rule #3.
Discovery and Insights Dashboard – Link
The Discovery and Insights dashboard easily achieves something that I never quite perfected in PowerShell. It reviews your privileged role assignments and makes recommendations based on best practice. Most notably it will highlight where you have standing access that you could reduce to eligible to help maintain the “Just-in-time” ethos of PIM. While currently in preview, I find this dashboard to be really useful and I suspect there is much more to come in the future for this handy little tool.
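For those who still want the PowerShell version of this review (or who need it as evidence for an audit), here is an added example that reproduces the core of what the dashboard does: it inventories every active and eligible directory role assignment, flags standing access (a direct assignment with no expiry) as a candidate for conversion to eligible, and, to tie back to Rule #2, checks whether each privileged user has any MFA-capable authentication method registered. This is not code from the post or from Microsoft; it assumes the Microsoft.Graph module, a tenant licensed for PIM, and a reader holding the scopes requested below.

```powershell
# Added example (not from the original post): PIM role-assignment review with
# standing-access and MFA-registration flags, using the Microsoft Graph SDK.
# Assumptions: Microsoft.Graph module installed; tenant has PIM (Azure AD Premium P2).

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# Resolve role definition IDs to display names once, not per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

function Get-PrincipalLabel($principal) {
    # Users carry a userPrincipalName; groups and service principals only a displayName.
    $p = $principal.AdditionalProperties
    if ($p.ContainsKey('userPrincipalName')) { return $p['userPrincipalName'] }
    return $p['displayName']
}

# Cache per user so each account is queried once even if it holds several roles.
$mfaCache = @{}
function Test-MfaRegistered($principal) {
    if ($principal.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { return $null }
    if (-not $mfaCache.ContainsKey($principal.Id)) {
        $methods = Get-MgUserAuthenticationMethod -UserId $principal.Id
        # Anything other than the password method (Authenticator, FIDO2, phone, ...) counts.
        $mfaCache[$principal.Id] = [bool]($methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        })
    }
    return $mfaCache[$principal.Id]
}

$rows = @()

# Active assignments. AssignmentType 'Assigned' is a direct assignment; 'Activated'
# is an eligible assignment the user activated through PIM and it expires on its own.
# Only a direct assignment with no expiration is standing access.
foreach ($s in Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ExpandProperty Principal) {
    $rows += [pscustomobject]@{
        Principal     = Get-PrincipalLabel $s.Principal
        Role          = $roleNames[$s.RoleDefinitionId]
        State         = "Active ($($s.AssignmentType))"
        Standing      = ($s.AssignmentType -eq 'Assigned' -and $s.ScheduleInfo.Expiration.Type -eq 'noExpiration')
        MfaRegistered = Test-MfaRegistered $s.Principal
    }
}

# Eligible assignments already follow the just-in-time model.
foreach ($s in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal) {
    $rows += [pscustomobject]@{
        Principal     = Get-PrincipalLabel $s.Principal
        Role          = $roleNames[$s.RoleDefinitionId]
        State         = "Eligible"
        Standing      = $false
        MfaRegistered = Test-MfaRegistered $s.Principal
    }
}

"`nStanding (permanent, active) assignments - candidates to convert to eligible:"
$rows | Where-Object Standing | Sort-Object Role, Principal | Format-Table Principal, Role -AutoSize

"`nPrivileged users with no MFA-capable method registered:"
$rows | Where-Object { $_.MfaRegistered -eq $false } |
    Select-Object Principal -Unique | Format-Table -AutoSize

"`nFull assignment inventory:"
$rows | Sort-Object Role, Principal |
    Format-Table Principal, Role, State, Standing, MfaRegistered -AutoSize
```

Run it on a schedule and diff the inventory against last month's: a new row in the "Standing" table, or a privileged account that appears with no MFA method, is exactly the kind of drift Rule #4 is meant to catch. A `MfaRegistered` value of `$null` means the principal is a group or service principal rather than a user, which is worth a look in its own right, since role-assignable groups inherit the role for every member.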
Access Reviews – Link
I know you’re already using access reviews for your Microsoft 365 Groups, but did you know you can configure automated Access Reviews of your Privileged Roles too? With Access Reviews, you can set up recurring reviews of selected roles, and either have the users review their own role assignments and justify continuation, or nominate a specific admin to review all role assignments.
In my opinion, this is one of the coolest features to be added to AAD recently and everyone should be making use of it.