CoreView admin account: how it works

  • Last update on February 16th, 2024

This article applies to customers who joined CoreView before May 2022. All new activations use our Secure By Default configuration, where the Global Admin role is no longer required.

 

This article will cover how to remove the global admin role from the CoreView admin account.

CoreView creates an administrative account in our customers’ Microsoft 365 accounts to act as the user that performs management activities within Microsoft. In other words, an operator will trigger a management action such as editing a user within CoreView, but the CoreView administrative account is the one that will perform the action within Microsoft. Historically, CoreView has required that this account be a Global Administrator to ensure it can perform any actions that might be needed.  

Given changes in security best practices, CoreView recognizes that dependence on a Global Administrator account can create undue risk. In our new Secure By Default configuration, the following roles are assigned to the CoreView admin account automatically:

  • Global Reader
  • Exchange Administrator
  • Teams Administrator
  • User Administrator 
  • Authentication Administrator
  • SharePoint Administrator

The following roles should be added manually:

  • Privileged Authentication Administrator
  • Privileged Role Administrator

Without Global Administrator privileges, the CoreView product will have the following limitations:

  • Cannot disable or delete a user with any Admin Role
  • Cannot edit the Password of a user with any Admin Role

How to change permissions for existing admin accounts  

For any existing CoreView customers, no changes will apply to your existing environment. If you would like to remove the Global Administrative role from your CoreView administrative account, you can perform the following steps.  

Close your advanced management session (if open), then assign the following permissions from the “Manage admin roles” section of your Company Administrator user’s card in the Microsoft 365 Admin Center:

 

Be sure to remove the Global Administrator role from your list and assign the missing roles from the “Show all by category” section:

Click the blue “Save Changes” button after you have modified the assigned permissions.
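To confirm the change after saving, the account's role assignments can be compared against the role lists above. The script below is an added example, not CoreView's own tooling: it assumes the Microsoft Graph PowerShell SDK is installed, and the account name is a placeholder to replace with your tenant's CoreView admin account.

```powershell
# Added example: audit the direct Entra ID role assignments of the CoreView admin account.
# Assumptions: Microsoft Graph PowerShell SDK installed; $Upn is a placeholder account name.
param(
    [string]$Upn = '4ward365.admin@yourdomain.onmicrosoft.com'
)

# Roles listed in this article: six assigned automatically, two added manually.
$expected = @(
    'Global Reader', 'Exchange Administrator', 'Teams Administrator',
    'User Administrator', 'Authentication Administrator', 'SharePoint Administrator',
    'Privileged Authentication Administrator', 'Privileged Role Administrator'
)

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

$user = Get-MgUser -UserId $Upn -ErrorAction Stop

# Map role definition ids to display names once, instead of one lookup per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Direct, active assignments only: roles inherited through a group or held as
# PIM-eligible assignments are not returned by this query.
$assigned = @(
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
        ForEach-Object { $roleNames[$_.RoleDefinitionId] } |
        Sort-Object -Unique
)

$missing    = @($expected | Where-Object { $_ -notin $assigned })
$unexpected = @($assigned | Where-Object { $_ -notin $expected })

[pscustomobject]@{
    Account            = $Upn
    GlobalAdminPresent = 'Global Administrator' -in $assigned
    MissingRoles       = $missing -join ', '
    UnexpectedRoles    = $unexpected -join ', '
}

# A non-zero exit code lets a scheduled job or pipeline flag the drift.
if ('Global Administrator' -in $assigned -or $missing.Count -gt 0) {
    Write-Warning 'Role assignments do not match the role set described in this article.'
    exit 1
}
```

Running it on a schedule also catches the Global Administrator role being re-added later.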

Password Rotation  

Password rotation requires the following Identity roles to be added to the “4ward365” user:

  • Privileged Authentication Administrator  
  • Privileged Role Administrator

We have two rotation strategies in place:      

For Advanced User Management

The password is automatically changed every 7 days and saved in the CoreView Azure Key Vault. This is the password associated with the account named:

4ward365.admin@yourdomain.onmicrosoft.com 

For Service Account

For accounts such as

coreview.reportsXY@yourdomain.onmicrosoft.com

the password is not changed, but it uses a long and complex pattern. The encryption key is rotated once per month and saved in the CoreView Azure Key Vault.

Re-enabling Global Admin privileges  

If you want the CoreView application to be able to disable and manage passwords for Global Admins, you can add the Global Administrator role to the “company administrator” user.