

1. While signed into Microsoft 365, select the app launcher. If you see the Admin button, then you're an admin.
2. Select Admin to go to the Microsoft 365 admin center.
3. In the left navigation pane, select Users > Active users.
4. Select the person who you want to make an admin. The user's details appear in the right dialog box.

Looking for the full list of detailed Azure AD role descriptions you can manage in the Microsoft 365 admin center? Check out Administrator role permissions in Azure Active Directory.

Looking for the full list of detailed Intune role descriptions you can manage in the Microsoft 365 admin center? Check out Role-based access control (RBAC) with Microsoft Intune.

For more information on assigning roles in the Microsoft 365 admin center, see Assign admin roles.

Security guidelines for assigning roles

Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.

Global Admins have almost unlimited access to your organization's settings and most of its data. We recommend you limit the number of Global Admins as much as possible. A Global Admin may inadvertently lock their account and require a password reset. Either another Global Admin or a Privileged Authentication Admin can reset a Global Admin's password. Therefore, we recommend you have at least either one more Global Admin or a Privileged Authentication Admin in the event a Global Admin locks their account.

Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords, you shouldn't assign the unlimited global admin role; you should assign a limited admin role, like Password admin or Helpdesk admin.

Require multi-factor authentication for admins

It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they're who they say they are. Admins can have access to much of your customer and employee data, and if you require MFA, then even if an admin's password gets compromised, the password is useless without the second form of identification.
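One way to check an exported list of role assignments against the guidelines above, as an added example that is not part of the original page. The record schema, the task labels, the sample users and the `max_global_admins` threshold are assumptions; only the role names and the password-reset pairing come from the page.

```python
# Added example: audit a role-assignment export against the guidelines above.
GLOBAL = "Global Admin"
# Roles the page says can reset a Global Admin's password.
RESETTERS = {GLOBAL, "Privileged Authentication Admin"}
# Task -> limited roles that cover it. Only this pairing is stated on the page.
LIMITED_ROLES = {"reset passwords": {"Password admin", "Helpdesk admin"}}

# Constructed sample export (hypothetical schema): roles held, MFA state, tasks performed.
SAMPLE = [
    {"user": "alice", "roles": {GLOBAL}, "mfa": True, "tasks": {"tenant settings"}},
    {"user": "bob", "roles": {GLOBAL}, "mfa": False, "tasks": {"reset passwords"}},
    {"user": "carol", "roles": {"Helpdesk admin"}, "mfa": True, "tasks": {"reset passwords"}},
    {"user": "dave", "roles": set(), "mfa": False, "tasks": set()},
]


def audit(assignments, max_global_admins=2):
    """Return (rule, user, detail) findings. max_global_admins is an assumed
    threshold; the page only says to keep the number as low as possible."""
    findings = []
    admins = [a for a in assignments if a["roles"]]
    global_admins = [a for a in admins if GLOBAL in a["roles"]]
    resetters = {a["user"] for a in admins if a["roles"] & RESETTERS}

    if len(global_admins) > max_global_admins:
        names = sorted(a["user"] for a in global_admins)
        findings.append(("too-many-global-admins", None, names))
    for ga in global_admins:
        # Lockout recovery: some *other* account must be able to reset this password.
        if not resetters - {ga["user"]}:
            findings.append(("no-lockout-recovery", ga["user"], None))
        # Least permissive role: every task this admin performs is covered by a limited role.
        if ga["tasks"] and ga["tasks"].issubset(LIMITED_ROLES):
            covering = sorted(set().union(*(LIMITED_ROLES[t] for t in ga["tasks"])))
            findings.append(("over-privileged", ga["user"], covering))
    for a in admins:
        # MFA is required for every admin role, limited or not.
        if not a["mfa"]:
            findings.append(("admin-without-mfa", a["user"], None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Accounts with no admin role, such as `dave` in the sample, are not flagged for missing MFA because the check covers only the requirement for admins.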
