Admin Enabled Microsoft 365 Accounts

Updated: Aug 19, 2022

Here is my straightforward advice – if you read no further, please take note of this:

Separate Microsoft 365 Global Admin permissions from day to day users.

If a user requires Global Admin permissions, grant them through a second account that is secured with MFA, used only for admin tasks, and logged out of as soon as those tasks are done.

DO NOT assign Global Admin permissions to the user account used for day-to-day login and work. This is a security concern.
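One way to check whether a tenant follows this advice, as an added example that is not from the original post: a Microsoft Graph PowerShell audit that lists every active Global Administrator and flags accounts that also hold licences (a sign the account is used for daily work) or have no non-password sign-in method registered. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the two read-only scopes used; the "licensed means day-to-day" rule is a heuristic, not a Microsoft definition.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller can consent to the two
# read-only scopes requested below.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

function Get-GlobalAdminExposure {
    # Returns one record per active Global Administrator user, flagging the
    # two signs that the role sits on a day-to-day account rather than a
    # dedicated, MFA-protected admin account.
    Connect-MgGraph -Scopes "Directory.Read.All","UserAuthenticationMethod.Read.All" | Out-Null

    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role not found in this tenant." }

    # Only active assignments are returned here; PIM-eligible assignments are not.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    foreach ($m in $members) {
        # Skip groups and service principals; this audit is about user accounts.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses

        # Heuristic (assumption): a licensed mailbox/Office account is one the
        # person uses for daily work, so Global Admin should not be on it.
        $licensed = ($user.AssignedLicenses.Count -gt 0)

        # Count registered sign-in methods other than the password itself.
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
        $strong  = @($methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        }).Count

        $finding = if ($licensed -or $strong -eq 0) { 'REVIEW' } else { 'OK' }

        [pscustomobject]@{
            UserPrincipalName  = $user.UserPrincipalName
            Enabled            = $user.AccountEnabled
            LicensedDayToDay   = $licensed
            NonPasswordMethods = $strong
            Finding            = $finding
        }
    }
}

Get-GlobalAdminExposure | Format-Table -AutoSize
```

Any row marked REVIEW is a Global Admin that is either a licensed everyday account or has nothing stronger than a password registered; eligible (PIM) assignments need a separate check because they do not appear as active role members.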

How can a compromised Global Admin User Account be used?

  • Change functional and security settings on its own account

  • Create additional user accounts

  • Add Licenses

  • Redirect email flow

  • Access all data stored within any M365 service directly, or grant permissions to it.

  • Run PowerShell commands and scripts against the tenant.

  • It can do anything at all within the Microsoft 365 tenant, up to and including closing it down.

Potential Compromise:

I have not researched how this could be done, but while assisting a customer recently I conceived that an attack such as the following could be possible.

An account, even with MFA enabled, could be compromised through an attack instigated with social engineering or phishing.

If a user who has Global Admin permissions is tricked into clicking on or running "something" that runs a PowerShell script to disable MFA for that user, or something similar, it makes it easier for a nefarious party to then gain further access to, or functionality within, the Microsoft 365 tenant.

