Administering Office 365 requires special consideration to ensure that your service is both manageable and secure. Optimal configuration requires a balance between security, usability and availability, so all three need to be considered when planning a strategy. However, the following is a general set of guidelines that can be applied to most deployments, whether they are federated or cloud-only.

Create a limited number of cloud admin accounts, with MFA enabled.

Create a single ‘break glass’ account, which is a synced AD account with no license and the Global Admin role. If Azure MFA is ever down, enable the account and you can get back in as an admin without any MFA.

In Azure Active Directory, create a new Conditional Access policy called “Require MFA for Admins” (don’t use the baseline one). Add an exception for your break glass account.

Create secondary ‘Admin’ accounts for IT staff, which are synced AD accounts; don’t assign admin roles to normal user accounts. These can be used on a day-to-day basis for admin purposes, and you will have a full audit trail.

Set the password policy for cloud accounts so that it at least matches your on-premises password policy. Even if your domain is federated via ADFS, the password policy will apply to cloud-only admin accounts. Note that you can only enforce password age and length, not complexity. If your on-premises policy is not particularly secure, set the policy to at least 10 characters long, and advise your admin users to use a mixture of capital and lower-case letters, numbers and special characters. This won’t affect internal users, since their password policy is enforced by Active Directory.
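As an added example (not code from the original post), this is one way to create the “Require MFA for Admins” policy with the break glass exception using the Microsoft Graph PowerShell SDK, and to verify the exclusion before relying on it. The break glass UPN and the list of admin role names are assumptions for your own tenant.

```powershell
# Added example using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The UPN and the list of role names are assumptions; adjust them for your tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All'

$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder account name
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) {
    throw "Break glass account $breakGlassUpn not found; create it before creating the policy."
}

# Resolve the admin roles to scope by display name instead of hard-coding template GUIDs.
$adminRoleNames = @('Global Administrator', 'Security Administrator', 'Exchange Administrator',
                    'SharePoint Administrator', 'User Administrator', 'Conditional Access Administrator')
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

$policy = @{
    displayName   = 'Require MFA for Admins'
    # Start in report-only mode; switch to 'enabled' once the sign-in logs show no unexpected impact.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeRoles = @($adminRoleIds)
            excludeUsers = @($breakGlass.Id)   # the break glass exception
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the exclusion is really there before anyone relies on it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw "Break glass account is not excluded from '$($check.DisplayName)'; do not enable this policy."
}
"Created '$($check.DisplayName)' in state '$($check.State)' covering $(@($adminRoleIds).Count) admin roles."
```

Review the report-only results in the Azure AD sign-in logs before changing the state to enabled, and test a sign-in with the break glass account while the policy is still report-only.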