We're currently working with a Managed Service Provider (MSP) that takes care of various aspects of our IT infrastructure, including firewalls, Azure VM environments, M365 licensing, and more. As the person responsible for our IT, I've been tightening our security practices, including the implementation of Conditional Access policies. Recently, I enforced a policy that requires the use of FIDO2 keys for anyone accessing M365 admin centers, which inadvertently locked the MSP out of our tenant.
This leads me to my question: what level of access should our MSP actually require? Do they need their own account in our M365 tenant, or can they access it through their own systems? Should they hold a Global Admin account? Should our MFA policy exempt them or should they adapt to the authentication requirements we have in place? Additionally, I believe it's crucial that different staff members of the MSP don't share a single account for tracking accountability. With the zero-trust model in mind, considering we're mandating strict controls for internal users, it seems like our MSP could pose a risk to our security. What's a responsible MSP's access level for providing necessary support without compromising security?
5 Answers
How are they accessing your tenant right now? If you’ve given them GDAP rights, they might not even need a direct account on your tenant. As for your CA policies, make sure they still have access without compromising security. Just remember, they now have to use MFA when managing your tenant to meet compliance as a partner.
They should have enough permissions to fulfill their responsibilities but nothing more. You dictate what level of access they need based on your contract. If they’re working on specific tasks, tailor access accordingly.
Clear communication with your MSP is key. They should not be using a shared account, and their office shouldn’t be marked as a trusted location. Establish strong protocols, so everyone knows their responsibilities and you can track changes effectively if issues arise.
The right level of access really depends on what support they’re offering. If they need ongoing access, they should get roles that fit their tasks. You might not need them as Global Admin, but you should definitely use Privileged Identity Management for temporary access when needed.
I recommend reviewing your access practices. If they currently have a Global Admin account that multiple people share, that's not ideal. It risks losing accountability and exposes your environment to issues. Instead, think about implementing accounts for each staff member and controlling access through conditional policies.
Totally agree; having multiple users on a single account doesn’t seem right and could cause issues down the road.

Exactly, I think I need to reassess their access model to ensure it aligns with best practices.
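Several answers above come down to three checks: who actually holds Global Administrator, whether that access is standing or PIM-eligible, and whether any Conditional Access policy quietly exempts the MSP. The following script is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that you sign in with a read-only role (Global Reader is enough), and it uses the well-known template ID of the built-in Global Administrator role. The regex used to flag "generic-looking" account names is a heuristic of my own, not a Microsoft rule.

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# All scopes below are read-only; nothing here modifies the tenant.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory", "Policy.Read.All" -NoWelcome

# Template ID of the built-in Global Administrator role (identical in every tenant).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"

# Resolve a directory object returned by Graph to something readable.
function Get-PrincipalName {
    param($obj)
    $name = $obj.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
    if (-not $name) { $name = $obj.Id }
    return $name
}

# --- 1. Who holds Global Administrator right now (permanent, or PIM-activated at this moment) ---
$gaRole  = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

Write-Host "`n== Active Global Administrator members =="
foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']   # #microsoft.graph.user / group / servicePrincipal
    $name = Get-PrincipalName $m
    # Anything that is not a named, single-person user deserves a question: groups hide who is
    # really inside, apps should not need GA, and generic names often mean a shared login.
    # The name pattern is an assumption of this example, tune it to your naming convention.
    $flag = switch ($type) {
        '#microsoft.graph.user'             { if ($name -match '^(admin|msp|support|helpdesk|service)') { 'REVIEW: generic name, shared account?' } else { '' } }
        '#microsoft.graph.group'            { 'REVIEW: group membership grants GA' }
        '#microsoft.graph.servicePrincipal' { 'REVIEW: application holds GA' }
        default                             { "REVIEW: $type" }
    }
    "{0,-45} {1,-36} {2}" -f $name, $type, $flag
}

# --- 2. PIM-eligible (just-in-time) Global Administrator assignments; requires Entra ID P2 ---
Write-Host "`n== PIM-eligible Global Administrator assignments =="
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$gaTemplateId'" -ExpandProperty Principal -All -ErrorAction SilentlyContinue
foreach ($e in $eligible) {
    "{0,-45} eligible until {1}" -f (Get-PrincipalName $e.Principal), $e.EndDateTime
}

# --- 3. Conditional Access policies that cover Global Administrators, and who is carved out ---
Write-Host "`n== Conditional Access policies that apply to Global Administrators =="
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $u = $p.Conditions.Users
    # A policy reaches GA either by targeting all users or by naming the role explicitly.
    $coversGA = ($u.IncludeUsers -contains 'All') -or ($u.IncludeRoles -contains $gaTemplateId)
    if (-not $coversGA) { continue }

    $controls = @($p.GrantControls.BuiltInControls | Where-Object { $_ })
    if ($p.GrantControls.AuthenticationStrength) {
        $controls += "strength:$($p.GrantControls.AuthenticationStrength.DisplayName)"
    }
    "`n[{0}] {1}" -f $p.State, $p.DisplayName
    "   grant controls : {0}" -f ($controls -join ', ')

    # Exclusions are where an MSP exemption usually hides. Resolve IDs to readable names.
    foreach ($id in @($u.ExcludeUsers | Where-Object { $_ })) {
        try { $upn = (Get-MgUser -UserId $id -Property UserPrincipalName).UserPrincipalName } catch { $upn = $id }
        "   excluded user  : $upn"
    }
    foreach ($id in @($u.ExcludeGroups | Where-Object { $_ })) {
        try { $g = (Get-MgGroup -GroupId $id -Property DisplayName).DisplayName } catch { $g = $id }
        "   excluded group : $g"
    }
    foreach ($id in @($p.Conditions.Locations.ExcludeLocations | Where-Object { $_ })) {
        "   excluded location (trusted-location carve-out): $id"
    }
}
```

Two caveats when reading the output. Step 1 lists principals that exist in your own tenant; access a partner exercises through a GDAP relationship is administered on the partner side and does not appear as a member of your directory roles, so an MSP that uses GDAP will only show up here if you also created accounts for them. And a policy reported as `enabledForReportingOnly` enforces nothing, which is the usual reason a "require FIDO2 for admins" rule appears to be in place while a shared account still signs in with a password.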