How to close security gaps in your Microsoft 365 organization with a role concept

The number of global administrators should be limited to a maximum of two to four in order to minimize security risks.
A structured role concept based on the principle of "as much as necessary, as little as possible" ensures that employees only receive the rights they need.
With Privileged Identity Management (PIM), administrator rights can be assigned temporarily and in a controlled manner to avoid unnecessary permanent admin access.

The ever-increasing number of cyberattacks on business enterprises and other institutions calls for constant attention to the possible gateways into their IT infrastructure. Administrator accounts in particular are a popular target because, once compromised, they offer an attacker a wide range of possible actions. In this article, we show how user roles can be organized as securely as possible and how the "Global Administrator" role should be handled in a Microsoft organization.

A Global Administrator has unrestricted control over all products in a tenant, the main account of a Microsoft 365 environment. This role can change every setting in the Microsoft environment and therefore has far-reaching influence. It should not be assigned carelessly: a high number of administrator accounts also increases the chance that one of them will be compromised. Microsoft itself recommends limiting the number of administrator accounts to two, and at most four, per tenant.

Nevertheless, we often find that organizations are too generous with administrator roles, either because they are not aware of the role's scope of action, or because temporary role assignments were never documented and have therefore been forgotten. To close the security gaps caused by unsupervised administrator rights as far as possible, every organization should have a role concept.

A role concept follows the "as much as necessary, as little as possible" principle. It ensures that all employees have sufficient rights to do their work without obstacles while preventing them from holding more rights than necessary. This limits the damage an identity theft can cause to the scope of action of the affected account.

To develop a role concept, first identify which groups of people require which rights. Roles with defined rights can then be created for these groups. For some groups, Microsoft already provides ready-made role templates: for SharePoint administrators, for example, there is a predefined SharePoint Administrator role that authorizes the creation and deletion of sites and the administration of site collections as well as global SharePoint settings.

In addition to the rights that people receive via their assigned role, temporary administrator rights can be granted via a separate approval procedure. For this purpose, Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) is used; special licenses are required for its setup. This allows a SharePoint administrator, for example, to request access rights for another area, which a global administrator can approve for a limited period of time. This prevents accounts from being permanently equipped with administrator rights that are only rarely needed.
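The check a practitioner will want once such a concept is in place is an inventory of who actually holds the Global Administrator role, both permanently and as a PIM-eligible assignment, compared against the recommended range of two to four. The following PowerShell script is an added example and not code from the article; it assumes the Microsoft Graph PowerShell SDK is installed and uses the well-known built-in role template ID of "Global Administrator".

```powershell
# Added example (not from the article): inventory Global Administrator assignments
# with the Microsoft Graph PowerShell SDK. Assumes the modules
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.Governance
# are installed; the PIM query additionally needs a PIM licence in the tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Well-known built-in role template ID of "Global Administrator".
$gaTemplateId    = "62e90394-69f5-4237-9190-012177145e10"
$minGlobalAdmins = 2   # recommended range from the article: two ...
$maxGlobalAdmins = 4   # ... to a maximum of four

function Get-PrincipalLabel($props) {
    # Members may be users, service principals or role-assignable groups;
    # users carry a UPN, the others only a display name.
    if ($props['userPrincipalName']) { return $props['userPrincipalName'] }
    return $props['displayName']
}

# Permanent (active) members. Get-MgDirectoryRole lists only activated roles;
# Global Administrator is always activated, so the lookup cannot come back empty.
$gaRole  = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)

Write-Host "Permanent Global Administrators:"
foreach ($m in $members) {
    $p = $m.AdditionalProperties
    Write-Host ("  {0,-32} {1}" -f $p['@odata.type'], (Get-PrincipalLabel $p))
}

# Eligible (PIM) assignments: these only become active after a time-limited activation,
# which is the pattern the article recommends for rarely needed rights.
try {
    $eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "roleDefinitionId eq '$gaTemplateId'" -ExpandProperty principal -All)
    Write-Host "`nEligible via PIM (activation required): $($eligible.Count)"
    foreach ($e in $eligible) {
        Write-Host ("  {0}" -f (Get-PrincipalLabel $e.Principal.AdditionalProperties))
    }
} catch {
    Write-Warning "Could not read PIM eligibility schedules (licence or permission missing?): $_"
}

# Verdict against the recommended range for permanent assignments.
$count = $members.Count
if ($count -gt $maxGlobalAdmins) {
    Write-Warning "$count permanent Global Administrators exceed the recommended maximum of $maxGlobalAdmins."
} elseif ($count -lt $minGlobalAdmins) {
    Write-Warning "$count permanent Global Administrator(s) is below the recommended minimum of $minGlobalAdmins."
} else {
    Write-Host "`n$count permanent Global Administrator(s): within the recommended range."
}
```

Run it periodically and compare the output with the documented role concept; any permanent member that is not on the list is exactly the kind of forgotten temporary assignment the article describes.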

With our diverse service portfolio for Microsoft 365 organizations, we are happy to help you analyze your current role structure and support you in developing a role concept. This way, you can considerably limit the damage caused by identity attacks. Please also read our article on multi-factor authentication.


Our support is available 24 hours a day, 7 days a week, 365 days a year.