As a Microsoft Gold Partner, we work with clients in helping them take full advantage of all the features and benefits of Microsoft 365. But before we can do anything, we need to have access to the system.
One of the biggest delays we see in getting started on a client project is related to system access. We do our very best to clearly explain what level of access is needed and why our team requires elevated access when we start working on a project. Without global administrator access, we may not be able to do the job we were hired to do.
Some clients have strict policies related to providing access to external parties. While we do our best to reassure potential clients that we have a capable team and have experience working with clients that are managing sensitive or confidential information, some are slow to give our team of consultants the access they require.
We believe that clients should feel comfortable in giving our team global admin access, which is required to access management features and data across Microsoft’s online services. We believe that our experience and track-record for successful delivery is why clients choose us. We hope that we can instill confidence and trust in our team, and it will be an easy call for your IT department to grant us global admin access.
Alternatively, there are a few things that a client can do if they are concerned about providing a partner/vendor with full access to the system.
A client may choose to only offer access to the exact APIs necessary. This is a practical way of restricting a vendor to specific features or apps of Microsoft 365, but this may not be the best solution when you are working with a vendor that is helping your organization deploy a variety of features and/or applications in Microsoft 365 (Teams,SharePoint, etc.). The downside of offering limited access to the system, is that there may be situations in which we are unable to proceed based on not having the right permissions. In our experience, we have found that more often than not, we will need to log in as a Microsoft 365 Global Admin in order to deliver the services that we offer.
If your organization needs to track what our team is doing within the tenant, you can turn on all available auditing. You can look at audit logs and ask for clarification if required. It is important to mention that audit logs can be deleted at any time (by global admins), but you can always reinforce the need to understand what changes are being made within the tenant.
The most important takeaway here is this.
Hire a partner that you trust.
You are giving this partner access to critical systems, so it is important that you have selected a vendor that has demonstrated knowledge, references, and a track record for working with sensitive information. Kiefer is that team.
Global Administrator Access Best Practices
Keeping your global administrator accounts secure is critical. Here are some recommended best practices to ensure access to a global administrator accounts in restricted to authorized users.
Multi-factor authentication (MFA) requires additional information beyond the account name and password. Microsoft 365 supports these additional verification methods:
- The Microsoft Authenticator app
- A phone call
- A randomly generated verification code sent through a text message
- A smart card (virtual or physical)
- A biometric device
Azure AD Privileged Identity Management
Organizations can use Azure AD Privileged Identity Management (PIM) to enable on-demand, just-in-time assignment of the global administrator role when it is needed.
While it is rare that a client will choose not to give us access, we do have to occasionally explain why it is so important. We also have to help clients understand how much work it might be for the client global admin to work as an agent. And, the sooner we get access, the sooner we can start work on your project!