Dave Kennedy
Admin Enabled Microsoft 365 Accounts
Updated: Aug 19, 2022
Here is my straightforward advice – If you read no further please take note of this:
Separate Microsoft 365 Global Admin permissions from day to day users.
If a user requires Global Admin permissions this should be granted through a second account secured with MFA used only for Admin Tasks and then logged back out.
DO NOT have Global Admin Permissions assigned to a user account used for day to day login and functionality. This is a Security Concern.
How can a compromised Global Admin User Account be used?
Change functional and security settings on its own account
Create additional user accounts
Add Licenses
Redirect email flow
Access All Data stored within an M365 service directly or grant permissions to it.
Run PowerShell commands and scripts against the tenant.
It can do anything at all within the Microsoft 365 Tenant up to and including closing it down.
Potential Compromise:
I have not researched how this could be done but while assisting a customer recently I conceived an attack such as the following could be possible.
An account even with MFA enabled could be compromised through an attack instigated with a Social Engineering or Phishing.
If a user that had global admin permissions is tricked into clicking on or running "something" which would run a PowerShell script to disable MFA for the user itself or something similar it make access easier for a nefarious party to then gain further access or functionality to the Microsoft 365 tenant.
