I’ve noticed a disturbing trend lately. Specifically for Office 365, I’ve seen too many organizations use Global Administrator accounts as their service accounts. This is a bad idea. We should not use Global Administrator accounts as service accounts.
Office 365 is a great platform and likely requires a couple of accounts or more to manage it. With other applications, we would create generic accounts to run specific services. Service accounts are normal accounts that have exactly the permissions needed to run something very specific. Global Administrator accounts can do almost anything, so it’s not a good idea to use them to run specific services. Giving each service account only the permissions it needs follows best practices and enhances security by reducing the risk of compromise. As a best practice, accounts used to service Office 365 should also not be tied to individual user accounts.
Here are some recommended service accounts you could create for Office 365. How many roles or permissions you assign to these accounts depends on your organization and resources.
Site Commander – For SharePoint, use this account to administer specific groups or collaboration sites in SharePoint.
Support Officer – This account should only have access to assign licenses, create groups, and change user passwords.
Security Officer – Used for configuring data protection, security alerts, and audit logs.
Compliance Officer – Helps review the audit logs, updates compliance configuration, and participates in eDiscovery.
Automation Officer – Used for running automated processes like workflows or scripts. It is granted only the permissions needed and likely runs unattended.
Integration Officer – Only for allowing other applications access to Office 365 or its content. A separate account should be created for each application.
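One way to check an exported list of role assignments against the accounts above is sketched below. It is an added example, not part of the original post. The mapping of each account to directory roles, the account names, and the sample assignments are assumptions constructed for illustration.

```python
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"

# Assumption: one plausible mapping of the article's accounts to directory roles.
ALLOWED_ROLES = {
    "Site Commander": {"SharePoint Administrator"},
    "Support Officer": {"License Administrator", "Groups Administrator",
                        "Password Administrator"},
    "Security Officer": {"Security Administrator"},
    "Compliance Officer": {"Compliance Administrator"},
    "Automation Officer": set(),   # permissions granted per script, no directory role
    "Integration Officer": set(),  # one account per application, no directory role
}

# Constructed sample data: service account -> type, and exported (account, role) pairs.
INVENTORY = {
    "svc-sharepoint@example.com": "Site Commander",
    "svc-helpdesk@example.com": "Support Officer",
    "svc-backup@example.com": "Automation Officer",
}
ASSIGNMENTS = [
    ("svc-sharepoint@example.com", "SharePoint Administrator"),
    ("svc-helpdesk@example.com", "License Administrator"),
    ("svc-helpdesk@example.com", "Security Administrator"),
    ("svc-backup@example.com", "Global Administrator"),
    ("alice@example.com", "Global Administrator"),  # named admin, not a service account
]

def audit(inventory, assignments, allowed=ALLOWED_ROLES):
    """Return sorted (account, role, finding) tuples for service accounts only."""
    held = defaultdict(set)
    for account, role in assignments:
        held[account.lower()].add(role)
    findings = []
    for account, kind in inventory.items():
        for role in sorted(held.get(account.lower(), ())):
            if role == GLOBAL_ADMIN:
                findings.append((account, role, "global-admin-on-service-account"))
            elif role not in allowed.get(kind, set()):
                findings.append((account, role, "role-outside-allow-list"))
    return sorted(findings)

if __name__ == "__main__":
    for account, role, finding in audit(INVENTORY, ASSIGNMENTS):
        print(f"{finding}: {account} holds {role}")
```

Accounts that are not in the service-account inventory, such as a named administrator, are deliberately left out of the findings.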