Greg Altman

IT Leader, Writer, Speaker


Suffering from TMA (Too Much Admin)?

Posted on February 17, 2025 (updated August 4, 2025) by Gregory Altman

What is TMA? Too Much Administration, or more accurately, too much admin access, particularly in cloud accounts like Microsoft 365, Azure, AWS, etc.

Personal computer

On your local computer, the solution is pretty straightforward. Just create a separate local administrator account that isn't tied to an email account, keep your everyday account as a standard user, and use "Run As Administrator" (the UAC prompt) whenever you need to do system tasks. It can be that simple. Of course, things get more complicated in larger organizations with dedicated IT support staff. That's a post for another day.
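The same local-computer setup as a script, added here as an example (it is not from the original post). It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module, an elevated PowerShell session, and placeholder account names that you will change:

```powershell
# Added example, not from the original post. Carve a separate local
# administrator out of a Windows PC whose daily account is currently an admin.
# Run once from an elevated PowerShell (5.1 or 7). Names are placeholders.
$DailyUser = 'greg'        # placeholder: the account you sign in with every day
$AdminUser = 'ws-keeper'   # placeholder: pick something that doesn't say 'admin'

# Password is typed, never hard-coded in the script.
$Secure = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
New-LocalUser -Name $AdminUser -Password $Secure -PasswordNeverExpires `
    -Description 'Elevation-only account; no mail, no browsing'
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser

# Verify the new account really landed in Administrators BEFORE demoting the
# daily account. Otherwise only the (disabled by default) built-in
# Administrator account is left to recover with.
$Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($Admins -notcontains "$env:COMPUTERNAME\$AdminUser") {
    throw "$AdminUser is not in Administrators; not touching $DailyUser."
}

# Demote the daily account to a standard user. From now on anything that needs
# elevation shows the UAC prompt and asks for $AdminUser's credentials.
Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
if (-not (Get-LocalGroupMember -Group 'Users' | Where-Object Name -eq "$env:COMPUTERNAME\$DailyUser")) {
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
}

# Day-to-day: launch an elevated shell on demand instead of running as admin.
# Start-Process powershell -Verb RunAs
```

The order is the point: the membership check runs before the daily account is removed from Administrators, because removing the last working admin leaves the machine with no account that can elevate.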

For today, we’ll focus on the small/medium business folks.

Small/Medium Business Admin

The steps for the local admin issue are pretty much the same. However, I advise against sharing the administrator password with everyone in the company. Assign at least one person to be the "Keymaster" who holds it. That way, whatever is asking for administrator permissions gets two sets of eyes on it: the person who hit the prompt and the person deciding whether to enter the password.

Microsoft 365 Admin

What is more concerning and dangerous is if you happen to have a Microsoft 365 tenant. Perhaps you have a small/medium business and want to use cool things like email, Teams, OneDrive, etc. Awesome! Go for it!

However, the default path for setting up a new M365 tenant automatically makes the first user (that’s you) the Global Administrator. That means the same account that can add/remove users and services is the same one you use to check email and surf the web. This is what, in the IT world, we call a “Bad Idea”. Here’s how you fix it, and the best part is it’s FREE.

Adding a Global Administrator

  1. Log into https://admin.microsoft.com/#/homepage
  2. On the left-hand menu, click Users, then Active Users
  3. In the center pane, click Add a user
  4. Assign a username that does NOT contain "hints" like Admin, Control, BOSS, etc. It's better to assign a plain name that won't draw attention if an attacker lists your users. That also means no memorable TV/movie names; for example, "Tony Stark" is not a good choice. If you can't think of one, try a name generator, but keep it short and easy to spell. Treat the bland name as a minor speed bump only; the MFA and the no-daily-use rule below are what actually protect this account.
  5. Uncheck the “Automatically create a password” and “Require the user to change password” boxes.
  6. Create a strong password. The password should be a phrase or acronym at least 15 characters long, containing upper- and lowercase letters, numbers, and at least one special character. STORE THIS PASSWORD SOMEWHERE SAFE, such as a password manager, or a sealed envelope in a locked drawer if you want this account to double as your break-glass login.
  7. Click next
  8. Select “Create user without product licenses” and click next
  9. Expand the Roles field and grant Global Administrator and Billing Administrator access.
  10. Expand the Profile Info area and add your mobile phone #
  11. Click Next, then “Finish Adding” and Close
  12. This returns you to the Users list. Refresh to show the new account.
  13. Click on the new account and scroll down to click the Manage multifactor authentication link.
  14. You will be prompted to sign in to the Microsoft Entra admin center with your existing admin credentials.
  15. Select the new user, click the Enable MFA link, and refresh the page to confirm the user's MFA status now reads Enabled.
  16. Open an InPrivate/Incognito browser and proceed to portal.microsoft.com
  17. Log in with the new admin account. You are prompted to set up MFA.
  18. First, you are guided through setting up the Microsoft Authenticator app on a mobile device. Follow the prompts.
  19. Next, you are asked to set up a phone as a secondary means of authentication in case you are unable to access the app for any reason. In the past, I have had issues with the “Receive a code” option, so I recommend using the “call me” method. An automated service calls your phone and asks you to press # to continue logging in. It takes 10 seconds, tops.
  20. Next, you'll be prompted for an App Password. This won't be used day to day, but give it a noticeable name, like "AdminLogin." Be aware that an app password signs this account in to legacy (non-MFA) protocols, so it is as sensitive as the account's own password. This takes you to the screen where the app password is displayed. I recommend copying it to a safe location if it becomes useful later.
  21. Click Done.
  22. This takes you to the default M365 page, which has all the “getting started tips” that you can ignore. Banners at the top will warn you that you do not have any license assigned, but that’s okay; you won’t need them for this account.
  23. Log out and close all browser windows.
  24. At this point the new account has access to all admin functions in M365.
  25. To let this admin manage access to Azure subscriptions and management groups in the tenant (only needed if you use Azure resources), sign in to the Azure portal https://portal.azure.com/#home with your new admin account
  26. Search for Tenant Properties in the search bar.
  27. On the Tenant Properties page, scroll down to "Access management for Azure resources," switch it to YES, and click Save. This grants the signed-in Global Administrator the User Access Administrator role at the root scope above every Azure subscription; switch it back to NO once you have assigned the permanent Azure roles you need, so the standing elevation doesn't linger.
  28. Sign in to the admin portal as your new admin and REMOVE the Global Administrator role from your daily account (you@yourcompany.com). Doing this while signed in as the new admin proves the new account works before you give up the old one's access.
  29. Recommendation: repeat these steps to create a SECONDARY Global Admin account in case something bad happens to the first (you lose the password, it gets compromised, the phone with the Authenticator app dies, etc.).
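The portal clicks above, driven from Microsoft Graph PowerShell instead, added here as an example (this is not the author's script). It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), that you run it signed in as the account that is currently Global Administrator (your daily account), and that the domain, names and phone number are placeholders you will replace. It adds the two checks a practitioner wants before demoting the daily account: that the new admin actually registered MFA, and a list of everyone who currently holds Global Administrator.

```powershell
# Added example, not from the original post. Same procedure as the numbered
# steps, via Microsoft Graph PowerShell. All names below are placeholders.
$Domain       = 'yourcompany.com'        # placeholder
$DailyUpn     = "you@$Domain"            # placeholder: the account you read mail with
$NewAdminUpn  = "mlindqvist@$Domain"     # placeholder: plain name, nothing that says 'admin'
$NewAdminName = 'Maja Lindqvist'         # placeholder
$MobilePhone  = '+1 5555550100'          # placeholder: used for the "call me" fallback

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'UserAuthenticationMethod.Read.All'

# Steps 5-6: a long passphrase, typed at the console rather than stored in the script.
$Secure   = Read-Host -Prompt 'Passphrase for the new admin (15+ characters)' -AsSecureString
$Password = [System.Net.NetworkCredential]::new('', $Secure).Password
if ($Password.Length -lt 15) { throw 'Passphrase is shorter than 15 characters.' }

# Steps 3-8: create the account with no license and no forced password change.
$NewAdmin = New-MgUser -DisplayName $NewAdminName `
    -UserPrincipalName $NewAdminUpn `
    -MailNickname ($NewAdminUpn.Split('@')[0]) `
    -MobilePhone $MobilePhone `
    -AccountEnabled `
    -PasswordProfile @{ Password = $Password; ForceChangePasswordNextSignIn = $false }
$Password = $null   # don't leave the clear-text passphrase sitting in the session

# Step 9: Global Administrator, tenant-wide (directory scope '/').
# Global Administrator already includes everything Billing Administrator can do.
$GaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $NewAdmin.Id `
    -RoleDefinitionId $GaRole.Id -DirectoryScopeId '/' | Out-Null

# Steps 16-21 stay interactive: private browser window, sign in as the new
# account, register Microsoft Authenticator and the phone.
Write-Host "Sign in as $NewAdminUpn in a private window, finish MFA registration, then press Enter."
Read-Host | Out-Null

# Check 1: the new admin really has a second factor on file.
$Strong = Get-MgUserAuthenticationMethod -UserId $NewAdmin.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -match 'microsoftAuthenticator|phoneAuthentication|fido2' }
if (-not $Strong) { throw "$NewAdminUpn has no MFA method registered; not demoting $DailyUpn." }

# Check 2: who holds Global Administrator right now? Expect the daily account and
# the new one; anything else on this list needs an explanation before you continue.
$Holders = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($GaRole.Id)'" |
    ForEach-Object { (Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId).AdditionalProperties['userPrincipalName'] }
Write-Host "Global Administrators before demotion: $($Holders -join ', ')"

# Step 28: strip Global Administrator from the daily account.
$Daily = Get-MgUser -UserId $DailyUpn
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($Daily.Id)' and roleDefinitionId eq '$($GaRole.Id)'" |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }

Disconnect-MgGraph
```

Run it a second time with different placeholder values for the secondary admin in step 29, and run the "Check 2" query on its own every few months; an unexpected name in that list is exactly the kind of attacker-created account the next section describes. The Azure "Access management for Azure resources" toggle (steps 25-27) is a portal setting and is not covered by this script.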

Why it matters

So what's the big deal about having your main account as the administrator? Think about this scenario: in the normal course of your day, you open emails and go to a variety of websites. What if one of those emails is a phishing email that prompts you to log into M365? Now the attacker has your login information. For a non-admin account, this is bad for reasons I'm sure you've heard: they can read your email, send email as you, etc.

But what if the Bad Guy now also has full admin access to your whole company? They can create a new account for themselves and do all sorts of nasty things: send spam/phishing email, host malware or pornography, and the list goes on, including locking you out of the admin features!

You can prevent most of the “Bad Things” in about 20 minutes of work by following these simple steps.


Category: Cloud, Security


© 2025 Greg Altman | Powered by Minimalist Blog WordPress Theme