Recent activity on a customer account has forced us to implement security changes on all Office 365 tenant accounts that we manage. If you are using Office 365 services through us, please read this fully. If you are not using Office 365 for your e-mail, you should consider it.
These are changes that we had planned on implementing in the near future, but decided we needed to do them now.
We have always left control of customer Office 365 accounts to the customer, since the accounts are owned by them. We have taken that control away temporarily. In most cases we already manage all aspects of your account, so most users will not notice a difference. We have also moved just about all customer subscriptions over to us, so you no longer have to deal with payments to Microsoft, which were managed through the Office 365 portal by account administrators.
We just completed going through all accounts and removing all Admin roles assigned to users. If you are one of the few still paying Microsoft for your subscription(s), we did leave one primary user as admin. Contact us as soon as possible to make that account more secure.
On all accounts we added a single user account that has the “Global Admin” role. This user has no assigned license, so it cannot be used for e-mail or any other service. The user created is firstname.lastname@example.org. It has been set up with enforced Multi-Factor Authentication (MFA). This requires a password, and then a code is sent via text to my cell phone to access the account. We always have access through our Delegated Admin role, but there are certain areas related to Security & Compliance that we do not have access to. That is when we need this Global Admin account.
We have also confirmed that audit logging is working on your account, so every login can be tracked if needed.
Microsoft will soon be forcing all users with the Global Admin role to use MFA. It is also highly recommended that all users implement it. I am sure most of you are familiar with it; it has been around in different forms since the beginning of computers. We have always used it for our management services when accessing any customer devices or information. It is the most secure way to keep your accounts away from unauthorized access. If you have any other online accounts, you should check to see if it is an option that just needs to be turned on.
Moving forward, please contact me if you need any user to have admin access to the Office 365 portal. We can also assign different individual admin roles if needed. We will then need to get that user set up with MFA. Once it is enabled, there are a few different methods that can be selected the first time you log in. There are also certain apps that it will not work with, so we have to make sure you get the separate “App Password” that is needed to keep using those apps.
We can then also discuss the impact of implementing it for all users. It can be enabled on a per-user basis. Every user should be familiar with accessing their account through the portal. Some staff training will probably be needed. If you have accounts that are shared with different people, it will probably not be an option.
As always, contact support if you need to have users added, removed, or passwords reset in your account.
Owner – Implied Networks, LLC