Search
  • Tom Coleman

Securing Office 365 Admin Account

I was listening to this Black Hills Information Security podcast yesterday, this is an excellent resource if you want to get into the technical aspects of information security. The team were talking about securing cloud services, like Office 365 and G Suite (Google apps for work) and how they would pay for an extra licence to ensure that their Admin accounts were not used for days to day work. This is great advice and, if followed, will make you compliant with Cyber Essentials question 47.


It is not necessary to pay for an extra licence in Office 365. You can set up an unlicensed account and make it the global administrator. Use your licenced account for day to day work and when you need to act as an administrator, log in with the unlicensed account.


I am afraid it has been a while since I managed G Suite which is what BHIS use so I cannot say whether it is possible to do this if you are with them. If you do have a way of doing this with G Suite, please feel free to comment.


It may be that this is somewhat confusing, so I thought it would be useful if I documented how I set up an account without a licence to administrate my Office 365. The steps are set out below in case anyone wants to do this prior to doing their Cyber Essentials certification.


Step one. Log in to your Office 365 Admin Portal and select add user:



Step two. Generate a username. I have used my password manager to generate a random username. Nobody will email this account (it won’t have a licence) and I want it to be impossible to guess.



Step three. Using a password manager generate a password using the maximum 16 characters, uncheck the change password on first use box and assign Global Admin Rights:



Step four. Now select create the user without a product licence, ignore dire warning and click add:



Step five. Now make sure you can log in with your new user and set up the two factor authentication for the account*.

Step six. Make your account a normal user:



Hope this helps


Tom


*You do use two factor authentication don’t you?