The simple action is enabling Multifactor Authentication.
Last month I emailed our clients about the risk of Business Email Compromise on your Global Admin accounts, but in reality, it can happen to any account.
Many services offer Two-Factor Authentication, and there is a website dedicated to the ongoing list: 2FA Directory (United States).
While you should enable MFA for all your Line of Business Applications, the purpose of this blog post is to focus on your Microsoft 365 Environment.
Two reports should be reviewed when discussing MFA.
Actions you should take
If you see someone that has a level of rights they should not, please notify your MSP immediately so they can either lower their level of rights to what is more appropriate or remove them entirely based on what you deem necessary. Don’t have a MSP? Contact us today so we can help secure your network.
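The first report these actions refer to is a list of who holds which admin role in the tenant. As an added example (not code from the original post), here is how an MSP can export every directory role assignment with the MSOnline PowerShell module. It assumes the MSOnline module is installed, that Connect-MsolService has already been run with an account that can read role membership, and that the output path RoleAssignments.csv is a location of your choosing.

```powershell
# Added example, not from the original post. Requires the MSOnline module and a
# prior Connect-MsolService. Collects one row per (role, member) pair.
$assignments = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
        [pscustomobject]@{
            Role       = $role.Name
            Member     = $member.DisplayName
            Email      = $member.EmailAddress
            MemberType = $member.RoleMemberType   # User, Group or ServicePrincipal
            IsLicensed = $member.IsLicensed
        }
    }
}

# MSOnline lists the Global Administrator role under its legacy name
# "Company Administrator". Appendix A recommends between 2 and 4 Global Admins.
$globalAdmins = @($assignments | Where-Object { $_.Role -eq 'Company Administrator' })
if ($globalAdmins.Count -lt 2 -or $globalAdmins.Count -gt 4) {
    Write-Warning "Tenant has $($globalAdmins.Count) Global Administrators; the recommended range is 2 to 4."
}

# Review the full list sorted by role so unexpected members stand out, and
# keep a CSV copy for the client. Output path is an assumption.
$assignments | Sort-Object Role, Member | Format-Table -AutoSize
$assignments | Sort-Object Role, Member | Export-Csv -Path .\RoleAssignments.csv -NoTypeInformation
```

Compare the exported list against the role descriptions in Appendix A; any member whose job does not match the role's description is a candidate for a lower role or removal.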
The second report…
UserPrincipalName –
This is the primary email address on the account, and it is the way Microsoft identifies accounts.
An account with #EXT# in the UserPrincipalName is a “Guest Account” for when content is shared with someone outside your organization.
Actions you should take
If you feel that permissions should be rescinded for a guest account you see in the list, please notify us immediately via support@ccpteam.com so we can remove the guest account from your tenant.
BlockCredential –
When someone leaves the organization, their sign-in must be blocked. If this value is set to FALSE, the user is allowed to sign in normally. If this value is set to TRUE, the user will not be allowed to sign in to the account.
Actions you should take
If you see someone whose BlockCredential is set to FALSE and who has left the organization, please notify us immediately via support@ccpteam.com so we can block sign-in on the account. Please take the necessary action to add this step to your organization's offboarding process if it is not there already.
User Education
An account can be converted from a regular licensed user account to a Shared Mailbox, which frees up the license and allows access to the contents of the mailbox by others, e.g. a Supervisor or HR Manager.
Microsoft 365 has two types of accounts: Licensed and Unlicensed.
TRUE means that a license has been applied to the account. This may be a 365 Mailbox License, or it may be an Office 365 Business Apps license.
Please let us know if you need this more detailed report, and we will get it for you.
FALSE is an account without a license applied to it.
Note: you will see Shared Mailboxes and Microsoft 365 Groups listed here as Unlicensed since Shared Mailboxes and 365 Groups do not require a license.
Disabled – This is the default state for a new user not enrolled in multi-factor authentication.
Enabled – The user has been enrolled in multi-factor authentication but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
Enforced – The user may or may not have completed registration. If they have completed the registration process, then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.
Note: While this data point may not be clear, I have added more in the next column to determine if they have registered:
This is the primary method used to authenticate to your account. Definitions of each type are available in Appendix B. To change your default sign-in method, visit https://mysignins.microsoft.com/security-info
If this column has a datapoint in it, then MFA has been registered.
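The columns described above (UserPrincipalName, guest accounts, BlockCredential, licensing, MFA state and default method) all come from the same user object, so one script can build the second report and flag the accounts that need action. The following is an added example, not code from the original post. It assumes the MSOnline module is installed, that Connect-MsolService has already been run, and that the output path UserMfaReport.csv is a location of your choosing.

```powershell
# Added example, not from the original post. Requires the MSOnline module and a
# prior Connect-MsolService. Builds one row per account with the columns the
# report review above walks through.
$report = Get-MsolUser -All | ForEach-Object {
    $user = $_
    # StrongAuthenticationRequirements.State is empty when per-user MFA has
    # never been turned on, which the report shows as "Disabled".
    $state = $user.StrongAuthenticationRequirements.State
    if (-not $state) { $state = 'Disabled' }
    # The default method (e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS,
    # TwoWayVoiceMobile) only exists once the user has registered.
    $default = $user.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        IsGuest           = $user.UserPrincipalName -like '*#EXT#*'
        BlockCredential   = $user.BlockCredential
        IsLicensed        = $user.IsLicensed
        MFAState          = $state
        DefaultMethod     = $default.MethodType
    }
}

# Licensed, non-guest users with no default method have not registered MFA.
# Shared mailboxes and Microsoft 365 Groups are unlicensed and so drop out here.
$needsMfa = $report | Where-Object { $_.IsLicensed -and -not $_.IsGuest -and -not $_.DefaultMethod }

# Guest accounts to confirm with the client, and accounts that can still sign in
# (to compare against the offboarding list; BlockCredential should be TRUE for leavers).
$guests    = $report | Where-Object { $_.IsGuest }
$canSignIn = $report | Where-Object { -not $_.BlockCredential -and -not $_.IsGuest }

Write-Host "Licensed users without registered MFA: $(@($needsMfa).Count)"
Write-Host "Guest accounts: $(@($guests).Count)"
$needsMfa | Format-Table UserPrincipalName, MFAState, DefaultMethod -AutoSize

# CSV copy for the client review. Output path is an assumption.
$report | Sort-Object UserPrincipalName | Export-Csv -Path .\UserMfaReport.csv -NoTypeInformation
```

The $needsMfa list is the one to act on first: an Enforced state with an empty DefaultMethod means the user will be prompted to register at next sign-in but is not protected yet, and an account listed with BlockCredential FALSE that belongs to someone who has left should be reported to support so sign-in can be blocked.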
To register for Two Factor Authentication, visit aka.ms/mfasetup. We have attached (MFA.docx) instructions to help you through the process. We are also here if you need help.
For reference, Appendix A

Role | Description | Who should be assigned this role?
Global Administrator | Has unlimited access to all management and functions. | Assign the Global Administrator role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global Administrators.
User Administrator | Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health. | Users who need to do the following actions for non-admin users and users assigned to the Directory Reader, Guest Inviter, Helpdesk Admin, Message Center Reader, or Reports Reader roles: Important: User Administrators can change passwords for people who might have access to sensitive, private, or critical information. Changing the password of a user provides the potential to assume that user's identity and permissions.
Helpdesk Administrator | Resets passwords and re-authenticates for non-admins. | Assign the Helpdesk Administrator role to users who need to do the following actions only for non-admin users and users assigned the Directory Reader, Guest Inviter, Helpdesk Admin, Message Center Reader, or Reports Reader roles: Important: Helpdesk admins can change passwords for people who might have access to sensitive, private, or critical information. Changing the password of a user provides the potential to assume that user's identity and permissions.
Service Support Administrator | Creates service requests for Azure, Microsoft 365, and Microsoft 365 services, and monitors service health. | Assign the Service Support Administrator role as an additional role to admins or users whose role doesn't include the following, but still need to do the following:
Billing Administrator | Makes purchases, manages subscriptions, manages service requests, and monitors service health. | Assign the Billing Administrator role to users who need to do the following:
Exchange Administrator | Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health. | Assign the Exchange Administrator role to users who need to do the following: Note: This role doesn't give permission for Identity Protection Center or Privileged Identity Management.
SharePoint Administrator | Full access to SharePoint Online, manages Microsoft 365 groups, manages service requests, and monitors service health. | Assign the SharePoint Administrator role to users who need to do the following:
Skype for Business Administrator | Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health. | Assign the Skype for Business Administrator role to users who need to do the following:
Intune Administrator | Full access to Intune, manages users and devices to associate policies, creates and manages groups. | Assign the Intune Administrator role to users who need to do the following:
Dynamics 365 Administrator | Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health. | Assign the Dynamics 365 Administrator role to users who need to do the following:
Power BI Administrator | Full access to Power BI management tasks, manages service requests, and monitors service health. | Assign the Power BI Administrator role to users who need to do the following:
Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | Can access and manage Desktop management tools and services.
Cloud Device Administrator | Enables, disables, and deletes devices and can read Windows 10 BitLocker keys. | Assign the Cloud Device Administrator role to users who need to do the following:
Teams Communication Administrator | Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics. | Assign the Teams Communication Administrator role to users who need to do the following:
Teams Communication Support Specialist | Reads user call details only for a specific user to troubleshoot communication issues. | Assign the Teams Communication Support Specialist role to users who need to do the following:
Teams Administrator | Full access to Teams & Skype admin center, manages Microsoft 365 groups and service requests, and monitors service health. | Assign the Teams Administrator role to users who need to do the following:
Insights Administrator | Full access to the Microsoft 365 Insights application, reads Azure AD properties, monitors service health, and manages service requests. | Assign the Insights Administrator role to users who need to do the following:
Kaizala Administrator | Full access to all Kaizala management features and data, manages service requests. | Assign the Kaizala Administrator role to users who need to do the following:
Global Reader | Can view all administrative features and settings in all admin centers. | Assign the Global Reader role to users who need to do the following:
Search Administrator | Full access to Microsoft Search, assigns the Search Administrator and Search Editor roles, manages editorial content, monitors service health, and creates service requests. | Assign the Search Administrator role to users who need to do the following:
Search Editor | Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations. | Users in this role can create, manage, and delete content for Microsoft Search in the Microsoft 365 admin center, including bookmarks, Q&As, and locations.
Printer Administrator | Manages network printers and connectors, configures printer access and preferences, manages print status and queues, and accepts admin consent permissions. | Assign the Printer Administrator role to users who need to do the following:
Printer Technician | Can register and unregister printers and update printer status. | Assign the Printer Technician role to users who need to do the following:
Authentication Policy Administrator | Configures the authentication methods policy, organization-wide MFA settings, and password protection policies. | Assign the Authentication Policy Administrator role to users who need to do the following tasks:
Groups Administrator | Creates and manages groups, including group naming and expiration policies, views activity and audit reports, monitors service health. | Assign the Groups Administrator role to users who need to do the following:
Thinker and Head Idea Guy. Technologist. I enjoy efficiency and process improvement, and I love making things better. I have been in a "Support" role for most of my career because I love when people throw "problems" at me to solve. These days I like being more Strategic than Tactical. Don't get me wrong, I can be Tactical, and I can handle things in a Crisis, but I prefer to use my powers for "let's not get IN THIS situation in the first place" instead of "how do we get out of this situation we dug ourselves into."