Know your admin accounts
In CloudWay we work with some of the most complex scenarios in Entra and Intune, but what gets most companies in trouble is the simple mistakes. Here we present the most basic mistake you can make and how to avoid it.
Working with Microsoft 365 you need Global Administrator access or other privileged roles for a variety of operations. Over time this usually ends up with too many people having too much access, and you might not even know who has these permissions.
Why is this a problem? Consequences of individual mistakes can be severe in such environments, but the main problem is of course if such an account is compromised. Then your company might very well be on fire.
The solution is as simple as the problem – make sure you know which users have privileged roles in your Microsoft 365 environment, and then make sure users only have the privileges they actually need.
You can find this information in several similar ways, for example both in the Microsoft Entra admin center and the Microsoft 365 admin center. This example shows how to solve this by navigating to entra.microsoft.com:
In the left menu you expand the “Roles & admins” menu (you might have to hit “Show more” at the bottom of the left menu first), and then select the sub-menu item “Roles & admins”. Getting all your assigned roles is now as easy as clicking the “Download assignments” button and starting the download.
Two caveats:
- The export is in .csv format, so it’s not actually human readable until you have imported it properly in Excel.
- If the setting “Restrict access to Microsoft Entra administration portal” is enabled, you need to elevate to be able to do this.
All this is quite easy, but if you want even simpler, there is one tool that will simplify this task even further – even remediating the two caveats I mentioned above: Proactive Security Monitoring. Contact us if you would like to know more!
Have you been reading all the way here, but prefer PowerShell? Getting the administrative roles for all users is easiest done with a PowerShell script, while retrieving roles for a single user is as simple as running the PowerShell commands below:
# Sign in with a scope that allows reading directory memberships
Connect-MgGraph -Scopes 'Directory.Read.All'
# List everything the user is a member of, then keep only the directory roles
Get-MgUserMemberOf -UserId <UserPrincipalName> -All | Select-Object -ExpandProperty AdditionalProperties | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }
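The all-users script mentioned above, as an added example that is not CloudWay's own code: it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account may read directory data, and it lists every activated directory role with its directly assigned members (PIM-eligible assignments do not appear in this output). The output file name is an assumption.

```powershell
# Added example: enumerate every activated directory role and who holds it.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'Directory.Read.All'

$report = foreach ($role in Get-MgDirectoryRole -All) {
    # Members are returned as generic directory objects; the concrete type
    # (user, group, servicePrincipal) and its properties sit in AdditionalProperties.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $member.AdditionalProperties
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberType  = ($props.'@odata.type' -replace '^#microsoft\.graph\.', '')
            DisplayName = $props.displayName
            # Users have a UPN; groups and service principals are identified by object id
            Principal   = if ($props.userPrincipalName) { $props.userPrincipalName } else { $member.Id }
        }
    }
}

# Human-readable table on screen, plus a CSV for review (file name is an assumption)
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path .\AdminRoleAssignments.csv -NoTypeInformation
```

Group members listed here hold the role transitively, so a group in this output is worth reviewing on its own.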