I'm curious about the need for Global Administrators to log in locally on Windows Servers, particularly when managing elements like Exchange Server, Entra Connect, Entra App Proxy, Global Secure Access, and Entra Password Protection. We're thinking about having these admins always sign in from compliant devices using Microsoft Authenticator passkeys over Bluetooth. This setup should work for workstations, but what if server admins need to perform tasks from a virtual server? Are there specific tasks that absolutely require Global Admin permissions to be run from an on-premises server? Is there a possibility of using the Hybrid Identity Administrator role for all tasks instead?
4 Answers
It's a tricky situation, especially with logging in from private browsers. This could prevent account recovery via breakglass accounts, so those should be exempt. Personally, I've never set it up, but while it's feasible, it can get complicated.
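As an added illustration of the design the question and this answer describe (admin roles forced onto compliant devices with phishing-resistant authentication, break-glass accounts excluded), here is a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is example code, not from the original thread or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the caller has the Policy.ReadWrite.ConditionalAccess permission, and it uses a placeholder break-glass UPN. Role and authentication-strength IDs are looked up by display name rather than hardcoded. The policy is created in report-only mode so its effect on server-based admin sign-ins can be reviewed in the sign-in logs before enforcement.

```powershell
# Example (hypothetical) Conditional Access policy: privileged roles must sign in
# from a compliant device with phishing-resistant MFA; break-glass accounts are excluded.
# Requires: Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Placeholder: replace with the real break-glass account(s) in your tenant.
$breakGlassUpns = @("breakglass-01@contoso.example")
$breakGlassIds  = $breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id }

# Resolve role template IDs by display name instead of hardcoding GUIDs.
# Add or remove role names here depending on which roles you want in scope.
$roleNames = @("Global Administrator", "Hybrid Identity Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Built-in authentication strength that allows FIDO2/passkey and other phishing-resistant methods.
$authStrength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$policy = @{
    displayName = "CA-Admins-CompliantDevice-PhishingResistantMFA (report-only)"
    # Report-only first: review sign-in log results, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassIds)   # break-glass accounts stay exempt
        }
    }
    grantControls = @{
        operator               = "AND"       # both controls are required
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $authStrength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

With the policy in report-only mode, the sign-in logs show which admin sessions on servers (for example RDP or console sign-ins to an Entra Connect host) would have been blocked, which is a direct way to answer the question of whether any server-side workflow still depends on a Global Administrator sign-in before the policy is enforced.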
Passkeys can actually work over RDP. Admins can use RDP to access the VM and log in with their passkey, just like any other method.
But remember, they won't be able to RDP directly from their local PC. They would need to go through a non-Microsoft RDP gateway or connect via the VM console.
I believe they should keep the roles separate. If you have a management server for handling Azure and Office 365, it makes sense. However, Global Admin logins should be rare, not something done daily.
One clear use case is with the Entra Connect server, as it requires authentication for making certain changes.
I thought that didn't need a Global Admin. Can you run all needed Entra Connect tasks from the local server without using that role?
Good question! Are there tasks specific to Entra Connect that must be handled directly on the server and can’t be done through the Hybrid Identity Administrator?

True, but I wonder if there are any workflows that need Global Admin access while logged into a server. I'm looking for specific cases mentioned by Microsoft that make this necessary.