There is no question that IT administrators need a user account to perform their tasks. The real question is whether the account used for day-to-day office work should also be used for administrative or other elevated tasks. IT administrators who use a single account for everything are exposed to several vulnerabilities. Although these scenarios may sound far-fetched, people and organizations have fallen victim to them at one time or another, for example through hacking incidents. Dual Microsoft 365 accounts, one for user work and one for administration, come in handy to protect networks, Active Directory, servers, and other resources. This article discusses some of the most common vulnerabilities of using one account for all tasks and then proposes possible mitigation measures.
Privileged Identity Management (PIM)
Privileged Identity Management is an Azure Active Directory (Azure AD) service that lets you control, manage, and monitor access to your organization's vital resources, including resources in Azure, Azure AD, and other Microsoft Online Services such as Microsoft Intune or Microsoft 365. However, whether or not an organization has PIM, separating user and administrator accounts is the only way to eliminate these looming security concerns.
How Do Hackers Breach Microsoft 365 Accounts?
The most common method is phishing: sending fraudulent messages that appear to come from a reputable source, mostly by email and Teams messages. When you use one account for both your administrative responsibilities and your day-to-day work, you receive a large volume of email alerts, and in the rush to get through all of them, you may open a phishing email.
The best approach is a separate administrator account. Since that account needs no license attached to it, it has no mailbox or Teams, so it never receives email at all.
Are Your Employees Cyber Aware?
A large number of cyber-attacks result from phishing emails that an employee clicked on by mistake, which makes human error the leading cause of successful compromises. Cyber awareness training, whether delivered internally or externally, is a viable prevention tactic.
How to Increase Your Security Posture for Your Microsoft 365 Accounts
Conditional Access is an Azure AD feature that helps organizations raise their security and compliance. By operating two separate accounts for personnel with administrative clearance, you can apply different, stricter Conditional Access policies to the administrative accounts. Here's how it works:
Traditionally, all a user needs to provide to gain access to everything they have permission to access is a username and a password. That makes it equally easy for an attacker who has stolen or guessed a user's credentials to access your organization's network, resulting in data-breach headlines or enormous compliance fines. You can raise the bar as follows:
- Always use multi-factor authentication (MFA). This prompts the user to supply a code sent to their mobile device, a fingerprint, or some other additional authentication factor. MFA can be highly effective: Microsoft reported a potential 9% mitigation of hacking attempts simply by using MFA.
- Turn off legacy authentication. It's prudent to implement these controls before Microsoft disables legacy authentication for Exchange Online starting October 2022.
- Frequently update your administrator passwords. This is especially important if the account shows signs of risk.
- Only permit sign-ins from devices that adhere to the compliance policy.
By having separate accounts, you can eliminate the frustration of constant MFA prompts on regular accounts by configuring strict Conditional Access for your administrator accounts only. The same approach works for other security settings, such as the allowed authentication methods and password policies.
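The two policies described above, applied only to accounts that hold privileged directory roles, can be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Agile IT; the role names and policy names are assumptions, and both policies are created in report-only mode so you can review their impact in the sign-in logs before enforcing them.

```powershell
# Added example (not from the article): two report-only Conditional Access
# policies scoped to users who hold privileged directory roles.
# Requires the Microsoft.Graph PowerShell SDK and a sign-in that can manage
# Conditional Access. Role names and policy names are assumptions.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All'

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$adminRoleNames = @('Global Administrator', 'Exchange Administrator',
                    'SharePoint Administrator', 'User Administrator')
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

function New-AdminCaPolicy {
    param([string]$Name, [string[]]$ClientAppTypes, [hashtable]$Grant)
    $body = @{
        displayName = $Name
        # Report-only first: check the sign-in log impact before enforcing.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeRoles = $roleIds }   # admins only, not regular users
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1) Admin roles: require MFA AND a compliant device for every application.
New-AdminCaPolicy -Name 'CA-Admins-Require-MFA-and-CompliantDevice' `
    -ClientAppTypes @('all') `
    -Grant @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }

# 2) Admin roles: block legacy authentication clients, which cannot satisfy MFA.
New-AdminCaPolicy -Name 'CA-Admins-Block-LegacyAuth' `
    -ClientAppTypes @('exchangeActiveSync', 'other') `
    -Grant @{ operator = 'OR'; builtInControls = @('block') }
```

Because the policies target roles rather than named accounts, regular user accounts never see the extra MFA prompts; switch `state` to `enabled` once the report-only results look right.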
Take Advantage of the Cloud Platforms for Microsoft 365 Accounts
Administrator accounts should ideally be cloud-only, created directly in Azure Active Directory. The security advantage of cloud-only accounts over on-premises accounts is that, in a breach, hackers cannot move laterally to cloud administrator accounts as easily as they do across on-premises networks. Therefore, never synchronize administrator accounts from an on-premises Active Directory infrastructure using Azure AD Connect; doing so leaves your organization at a security disadvantage.
A Primary Refresh Token (PRT) provides single sign-on access from a device to Azure AD. Since a PRT also contains a valid MFA claim, anyone who seizes your PRT can sign in to your Azure AD account without a password or MFA.
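The two rules for administrator accounts given so far, no license or mailbox and no synchronization from on-premises Active Directory, can be audited across every activated directory role. This is an added example using the Microsoft Graph PowerShell SDK, not code from the article or from Agile IT; it assumes read access to users and directory roles.

```powershell
# Added example (not from the article): report privileged accounts that break
# the "cloud-only, unlicensed administrator account" rule.
# Requires the Microsoft.Graph PowerShell SDK and read permissions on users
# and directory roles.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Directory.Read.All', 'User.Read.All'

$findings = foreach ($role in Get-MgDirectoryRole) {
    # Only user objects matter here; groups and service principals are skipped.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    foreach ($m in $members) {
        $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName,
                OnPremisesSyncEnabled, AssignedLicenses, AccountEnabled
        $issues = @()

        # OnPremisesSyncEnabled is $true for accounts synced by Azure AD Connect;
        # an on-premises compromise could pivot into these cloud admin accounts.
        if ($u.OnPremisesSyncEnabled) { $issues += 'SyncedFromOnPrem' }

        # A licensed admin account normally has a mailbox and Teams, so it can
        # receive phishing messages that a bare admin account never would.
        if ($u.AssignedLicenses.Count -gt 0) { $issues += 'Licensed' }

        if ($issues) {
            [pscustomobject]@{
                Role    = $role.DisplayName
                User    = $u.UserPrincipalName
                Enabled = $u.AccountEnabled
                Issues  = $issues -join ','
            }
        }
    }
}

# One row per offending role assignment; an empty table means both rules hold.
$findings | Sort-Object User, Role -Unique | Format-Table -AutoSize
```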
How Would Anyone Get Hold of Your PRT?
Since PRTs are stored on the device, your PRT is exposed to extraction on every device where you sign in to your user or administrator account, be it a mobile phone, an internet cafe computer, a colleague's computer, and so on.
Because the data available to administrators is so critical, ensure a malicious party cannot obtain the PRT of an administrator account. Controls such as Credential Guard and Conditional Access help achieve this.
Having separate user and administrator accounts is a strong defense here: obtaining a user account's PRT doesn't make it easy for a hacker to pivot to administrator portals and compromise your organization.
Learn More About Improving Your Organization’s Security With Microsoft 365 Accounts
Privileged Identity Management may seem like a sufficient security measure to safeguard your administrator accounts. Still, the points above highlight how PIM falls short compared with having separate user and administrator accounts. Although managing two accounts may seem taxing, it saves you a great deal of hassle in the event of an attack.
Security in the workplace is a crucial part of management, and one small oversight could cost the entire organization financially, leading to closure and large employee layoffs. You can avoid this unfortunate outcome by partnering with a company that understands and can deliver on your security needs. Outsource to Agile IT to secure your user and administrator Microsoft 365 accounts. To learn more about what we offer, contact Agile IT today!