How Do You Set Up MFA for Your Global Admins?

Asked By TechSavvyPenguin52 On

Hey everyone! I'm curious about the security measures you have in place for your Global Admins. What kind of MFA are you employing? Are you using FIDO keys, regular app-based MFA, or conditional access policies linked to Entra roles that require re-authentication in admin portals?

How have you managed to strike a balance between security and productivity without creating roadblocks in day-to-day operations? For instance, if you've implemented FIDO keys and have set conditional access to use them as the primary authentication for admins, that's great, but it can cause issues with unsupported modules like Azure Storage Explorer and Exchange Online. I'm aware of PS Module 7 working and using the PowerShell module in the Azure portal, but it has its own limitations. Just looking to gather some insights from your experiences!

1 Answer

Answered By SecureAdmin99 On

I use phish-resistant MFA with the Microsoft Authenticator app, which requires manual entry of a code from push notifications. I’ve set up conditional access policies that mandate MFA for admin accounts, reauthentication every 24 hours, and restricted logins to managed, compliant devices only. I also enforce geofenced access, allowing logins only from the US and Canada. Plus, I enforce password changes every 90 days, which keeps things secure for us!
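As an added example (not code from this thread or from Microsoft), the following Python models how the policy set this answer describes composes when a Global Admin signs in: an authentication-strength grant control, a compliant-device grant control, a 24-hour sign-in frequency, and a block policy for sign-ins from outside a US/Canada named location. The policy bodies follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource in simplified form; the role template id and the built-in phishing-resistant strength id are the well-known Entra values, while the named-location id, the method-combination labels (loosely after Graph `authenticationMethodModes`) and every sign-in record are constructed for the example.

```python
"""Added example, not code from the thread. A small model of how the
Conditional Access policies in the answer compose for a Global Admin sign-in.
Policy bodies follow the Graph conditionalAccessPolicy shape (simplified);
the sign-ins are constructed sample data and the location id is a placeholder."""
from dataclasses import dataclass

# Well-known built-in Entra identifiers.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # role template id
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in strength

# Method combinations the built-in phishing-resistant strength accepts (model
# labels after Graph authenticationMethodModes; a push approval is not among them).
STRENGTH_ALLOWS = {
    PHISHING_RESISTANT: {"fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor"},
}

# Assumption: a real tenant has its own GUID for the US/Canada named location.
ALLOWED_LOCATION = "PLACEHOLDER-named-location-us-ca"

POLICIES = [
    {
        "displayName": "Admins: phishing-resistant MFA on compliant device, 24h",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT},
        },
        "sessionControls": {
            "signInFrequency": {"value": 24, "type": "hours", "isEnabled": True},
        },
    },
    {
        "displayName": "Admins: block sign-in outside US/Canada",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [ALLOWED_LOCATION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


@dataclass
class SignIn:
    roles: list            # directory role template ids the user holds
    auth_methods: str      # method combination used for this authentication
    device_compliant: bool
    location_id: str       # named location the client IP resolved to
    hours_since_auth: float


def policy_applies(policy: dict, s: SignIn) -> bool:
    """Scope check: policy enabled, user holds a targeted role, location in scope."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    if not set(cond["users"].get("includeRoles", [])) & set(s.roles):
        return False
    loc = cond.get("locations")
    if loc:
        if s.location_id in loc.get("excludeLocations", []):
            return False
        included = loc.get("includeLocations", [])
        if "All" not in included and s.location_id not in included:
            return False
    return True


def evaluate(policies: list, s: SignIn) -> tuple:
    """Combine every applicable policy: a block control wins outright, any unmet
    grant control denies, and sign-in frequency only forces re-authentication
    on a session that would otherwise be granted."""
    outcome, reasons = "grant", []
    for p in policies:
        if not policy_applies(p, s):
            continue
        grant = p.get("grantControls", {})
        controls = grant.get("builtInControls", [])
        if "block" in controls:
            return "block", [f"{p['displayName']}: blocked"]
        if "compliantDevice" in controls and not s.device_compliant:
            outcome = "deny"
            reasons.append(f"{p['displayName']}: device not compliant")
        strength = grant.get("authenticationStrength")
        if strength and s.auth_methods not in STRENGTH_ALLOWS[strength["id"]]:
            outcome = "deny"
            reasons.append(f"{p['displayName']}: {s.auth_methods} does not meet strength")
        sif = p.get("sessionControls", {}).get("signInFrequency", {})
        limit_hours = sif.get("value", 0) * (24 if sif.get("type") == "days" else 1)
        if sif.get("isEnabled") and outcome == "grant" and s.hours_since_auth >= limit_hours:
            outcome = "reauth"
            reasons.append(f"{p['displayName']}: sign-in frequency of {limit_hours}h exceeded")
    return outcome, reasons


if __name__ == "__main__":
    admin = [GLOBAL_ADMIN_ROLE]
    for label, s in [
        ("FIDO2, compliant, in region, fresh", SignIn(admin, "fido2", True, ALLOWED_LOCATION, 2)),
        ("same session, 25h old", SignIn(admin, "fido2", True, ALLOWED_LOCATION, 25)),
        ("Authenticator push, compliant", SignIn(admin, "password,microsoftAuthenticatorPush", True, ALLOWED_LOCATION, 1)),
        ("FIDO2 from outside US/CA", SignIn(admin, "fido2", True, "PLACEHOLDER-elsewhere", 1)),
    ]:
        print(f"{label}: {evaluate(POLICIES, s)}")
```

Running the script walks four constructed sign-ins through both policies; the useful thing to notice is that the block policy only applies when the location is not excluded, so an in-region sign-in is never touched by it, while a sign-in from anywhere else is blocked before any grant control is considered.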

CautiousUser24 -

I hear you on most of this, but I’m not on board with the forced password changes. Studies have shown that it can actually reduce security over time, which is why NIST and other authorities, including Microsoft, have moved away from that practice. Just something to think about!

Here’s a link for more info: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide

AlertFanatic77 -

On top of that, depending on your M365 licensing, using MS Defender can work wonders for monitoring. Setting up alerts for any admin-level activities like creating user accounts or resetting passwords can help keep tabs on everything. If you have a SOC, make sure to send them a list of your admin accounts for extra monitoring!
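As an added example (not code from this thread or from Microsoft), the Python below sketches the kind of admin-activity alerting this comment describes, run over constructed records shaped like Entra entries exported from the Microsoft 365 unified audit log. The operation names follow the log's Entra naming; the accounts, timestamps and object ids are made up, and `ADMIN_INVENTORY` stands in for the admin-account list the comment suggests handing to the SOC.

```python
"""Added example, not code from the thread. Alerting on admin-level Entra
operations over constructed unified-audit-log-style records; the admin
inventory is the list the comment suggests sending to the SOC."""
import json

# Operations that change identities or privileges; worth an alert in any tenant.
PRIVILEGED_OPERATIONS = {
    "Add user.", "Delete user.", "Update user.", "Reset user password.",
    "Add member to role.", "Update StsRefreshTokenValidFrom Timestamp.",
}
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample: one JSON record per line, as the audit log exports them.
SAMPLE_LOG = """\
{"CreationTime": "2024-05-01T12:00:03", "Workload": "AzureActiveDirectory", "Operation": "Add user.", "UserId": "admin.alice@contoso.example", "ObjectId": "new.hire@contoso.example", "ResultStatus": "Success"}
{"CreationTime": "2024-05-01T12:05:10", "Workload": "AzureActiveDirectory", "Operation": "Reset user password.", "UserId": "helpdesk.bob@contoso.example", "ObjectId": "admin.alice@contoso.example", "ResultStatus": "Success"}
{"CreationTime": "2024-05-01T12:07:44", "Workload": "AzureActiveDirectory", "Operation": "Add member to role.", "UserId": "admin.alice@contoso.example", "ObjectId": "contractor@contoso.example", "ResultStatus": "Success", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]}
{"CreationTime": "2024-05-01T12:09:01", "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "jane@contoso.example", "ObjectId": "https://contoso.example/sites/hr/plan.docx", "ResultStatus": "Success"}
{"CreationTime": "2024-05-01T12:10:00", "Workload": "AzureActiveDirectory", "Operation": "Update user.", "UserId": "admin.alice@contoso.example", "ObjectId": "jane@contoso.example", "ResultStatus": "Success"}
"""

# Constructed admin inventory (the list the comment suggests giving the SOC).
ADMIN_INVENTORY = ["admin.alice@contoso.example", "admin.carol@contoso.example"]


def parse_records(text: str) -> list:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def role_granted(record: dict) -> str:
    """Pull the role display name out of an 'Add member to role.' record."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "")
    return ""


def triage(records: list, admin_inventory: list) -> list:
    """Turn privileged Entra operations into alerts. Severity is raised when the
    actor is not in the admin inventory, when the target is an admin account,
    or when a high-privilege role is granted; routine admin work stays medium."""
    admins = {a.lower() for a in admin_inventory}
    alerts = []
    for r in records:
        op = r.get("Operation", "")
        if r.get("Workload") != "AzureActiveDirectory" or op not in PRIVILEGED_OPERATIONS:
            continue
        actor = r.get("UserId", "").lower()
        target = r.get("ObjectId", "").lower()
        severity, reasons = "medium", []
        if actor not in admins:
            severity = "high"
            reasons.append("actor is not in the admin inventory")
        if target in admins:
            severity = "high"
            reasons.append("target is an inventoried admin account")
        role = role_granted(r) if op == "Add member to role." else ""
        if role in HIGH_PRIVILEGE_ROLES:
            severity = "high"
            reasons.append(f"grants {role}")
        if not reasons:
            reasons.append("privileged operation by an inventoried admin")
        alerts.append({"time": r.get("CreationTime"), "severity": severity,
                       "operation": op, "actor": actor, "target": target,
                       "result": r.get("ResultStatus"), "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in triage(parse_records(SAMPLE_LOG), ADMIN_INVENTORY):
        print(f"[{a['severity']:6}] {a['time']} {a['operation']} by {a['actor']} "
              f"on {a['target']} ({a['reason']})")
```

On the sample, the SharePoint file access is ignored, the two routine changes by an inventoried admin come out as medium, and the two events a SOC would want first (a non-admin resetting an admin's password, and a Global Administrator assignment) come out as high. Feeding the inventory into the logic, rather than only a list of operations, is what lets the same rule separate expected admin work from an unexpected actor touching an admin account.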
