Soldato
Hi,
Have been looking at the following article which mimics what I was doing when I was with Google, essentially to provide admin users with two accounts so that their everyday one is only a standard least privileged one.
However, I also need security groups (presumably email enabled ones) for federating login to Google Cloud Platform. The issue then presents itself that essentially the newly created admin account which is basically a service account is not addable to email enabled security groups. Is the only way to achieve this to purchase Exchange Online (or better) licenses for these type of service accounts? Alternatively, can normal security groups be used instead?
Also, I've been migrating MFA & SSPR to the new system but one thing that struck me odd was it gives the option to have security questions as an option but then also states that admins are always required to use two forms of MFA even without SSPR being enabled. The issue is it hasn't asked me to supply any security questions and answers on the admin accounts. It's now recommending instead that admins supply their telephone number and that was one of the things I was trying to remove. It seems it wants to make my admin accounts less secure than regular user accounts.
Have been looking at the following article which mimics what I was doing when I was with Google, essentially to provide admin users with two accounts so that their everyday one is only a standard least privileged one.
Protect your administrator accounts with Microsoft 365 Business Premium - Microsoft 365 Business Premium
Learn how to set up and protect your administrator accounts in Microsoft 365 Business Premium.
learn.microsoft.com
However, I also need security groups (presumably email enabled ones) for federating login to Google Cloud Platform. The issue then presents itself that essentially the newly created admin account which is basically a service account is not addable to email enabled security groups. Is the only way to achieve this to purchase Exchange Online (or better) licenses for these type of service accounts? Alternatively, can normal security groups be used instead?
Also, I've been migrating MFA & SSPR to the new system but one thing that struck me odd was it gives the option to have security questions as an option but then also states that admins are always required to use two forms of MFA even without SSPR being enabled. The issue is it hasn't asked me to supply any security questions and answers on the admin accounts. It's now recommending instead that admins supply their telephone number and that was one of the things I was trying to remove. It seems it wants to make my admin accounts less secure than regular user accounts.