Thank you for that.

The problem was that all three of their global admin accounts had their
privileges removed at the same time.

We've since managed to get back one of the accounts elevated again, and
gone round enforcing MFA.

We're currently trying to establish how it happened, as we can't find any
evidence of the 'global admin' rights being removed.

I didn't initially think about the AzureAD side of things however. Good
shout.

Thanks,
Simon.

On Fri, 6 Nov 2020 at 16:27, Jesse Thompson via mailop <mailop@mailop.org>
wrote:

> It's more about Azure AD, so getting the case routed to that team is
> probably best.  Typically, you need premier support to get decent
> engagement from Microsoft.  I'm not sure what kind of process they have to
> prove tenant ownership in that situation, but I imagine it's a manual sort
> of verification.
>
> Losing access to the global admin account is not good (I'm presuming it
> was compromised).  In the future, I'd suggest creating a second global
> admin account with a strong unique password and store that in a lockbox
> outside of Office 365.  If there are multiple people that need global admin
> access on a routine basis (although, right-sized admin permissions are
> better), then it is ideal to create multiple admin accounts (so you can
> audit the source of the compromise), and lecture people not to use a
> weak/reused password, enable MFA (which is free for admin accounts), and
> never give admin access to someone's account that they use for normal user
> activity.
>
> Jesse
>
> On 11/5/20 5:47 AM, Simon Burke via mailop wrote:
> > Hi,
> >
> > So this morning one of our customers has had all their O365 admin
> > accounts stripped of their admin privileges, and various user accounts are
> > spewing out spam.
> >
> > Going through normal support channels we're told we're to wait
> > 2-4 business days to speak to anyone at Microsoft (Microsoft first line have
> > told us this timescale).
> >
> > Is there anyone who can suggest a contact or anything to move this
> > forward?
> >
> > NB. Apparently only global admins can change passwords in this
> > environment, so although we can use the 'sign out of all devices' option,
> > we can't change passwords at all currently.
> >
> > We are the O365 reseller in this instance.
> >
> > Regards,
> > Simon.
> >
> >
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
> >