The most dangerous accounts in your organisation are the ones with the most power.
Every cyber security breach has a moment of escalation. The point where an attacker moves from having a foothold to having control. In almost every case, that moment involves administrative access. A compromised admin account does not just give an attacker access to one mailbox or one file share. It gives them the ability to create new accounts, disable security controls, exfiltrate data at scale, and cover their tracks. It is the difference between a contained incident and a catastrophic one.
For small and medium-sized businesses, the challenge is real. You need people to be able to manage your IT environment. You need someone who can reset passwords, configure services, and troubleshoot problems. But the way most SMEs handle administrative access creates risk that is entirely disproportionate to the operational need. The managing director with Global Admin rights they have never used. The IT support person whose everyday account is also the domain admin. The former contractor whose privileged access was never revoked. These are not hypothetical scenarios. They are the norm.
This guide is a practical framework for getting admin access right. Not in the theoretical, enterprise-grade, hundred-page-policy sense, but in the way that actually matters for a business with ten to two hundred employees running Microsoft 365. The principles are universal. The implementation is specific, actionable, and designed for organisations that do not have a dedicated security team.

The principle of least privilege
Least privilege is the foundational concept behind every recommendation in this guide. It is not a product, a feature, or a configuration setting. It is a design philosophy that should inform every decision about who can do what within your IT environment. The idea is deceptively simple: give people exactly the access they need to do their job, and nothing more. The implementation requires discipline.
Only what is needed, nothing more
Every user account should carry the minimum set of permissions required to perform the tasks assigned to that role. This is not a suggestion. It is the single most effective structural defence against both external compromise and internal error. When a marketing coordinator has the same administrative rights as the IT director, you have not saved time. You have created a vulnerability that no firewall or endpoint tool can compensate for.
Default to restricted, not open
The instinct in many small businesses is to grant broad access upfront and restrict later if problems arise. This is backwards. The correct approach is to start with zero access and add permissions as each role requires them. In Microsoft 365, this means assigning specific admin roles rather than handing out Global Administrator as a convenience. In file storage, it means structuring SharePoint sites and Teams channels with deliberate permission boundaries from day one.
Separate the person from the privilege
Administrative access should never be tied to a person’s primary identity. Your IT manager should log in each morning with a standard user account, the same as everyone else. When they need to perform an administrative task, they switch to a dedicated admin account that exists solely for that purpose. This separation means that if their everyday credentials are compromised through phishing or credential stuffing, the attacker gains access to email and documents, not to the control plane of your entire organisation.
Privilege is temporary, not permanent
Even for staff who genuinely need administrative access, that access should be time-bound wherever possible. Microsoft Entra ID supports Privileged Identity Management, which allows administrators to activate their elevated roles only when needed, for a defined period. Outside of that window, the account reverts to standard permissions. This dramatically reduces the attack surface and creates a clear audit trail of when and why elevated access was used.
“The question is never whether you can trust your people. The question is what happens when one of their accounts is compromised. The privileges attached to that account determine the scale of the damage.”
Why separate admin accounts are non-negotiable
The single most common admin access failure in small businesses is using the same account for daily work and administrative tasks. Your IT manager logs in to their regular Microsoft 365 account each morning, reads email, joins Teams meetings, clicks links in messages, opens attachments. That same account is a Global Administrator. Every phishing email that lands in their inbox is a direct attack on your organisation’s control plane.
Separating admin accounts means creating a dedicated account for administrative tasks that is never used for email, web browsing, or any activity that exposes it to attack. The naming convention is straightforward. If your IT manager’s regular account is jsmith@yourcompany.com, their admin account might be adm-jsmith@yourcompany.com. This account should not have a mailbox. It should not have a Microsoft 365 licence for productivity tools. It exists solely to perform administrative functions and should only be signed into when those functions are required.
The practical impact is significant. If the regular account is compromised through phishing, the attacker gains access to email and documents, which is bad but containable. They do not gain the ability to create new admin accounts, disable MFA across the tenant, modify conditional access policies, or wipe devices. The blast radius is dramatically reduced. For a change that costs nothing and takes less than an hour to implement, the security improvement is enormous.
This is also a Cyber Essentials requirement. The scheme explicitly requires that administrative accounts are separate from accounts used for general business activities such as email and web browsing. If your admins are using their everyday accounts for privileged tasks, you will not pass certification.


Role-based admin in Microsoft 365
Microsoft 365 provides more than sixty built-in administrative roles, each scoped to a specific set of capabilities. The vast majority of administrative tasks in an SME environment can be handled by five or six of these roles, none of which require Global Administrator access. Understanding and using these roles is one of the most effective ways to reduce your attack surface without reducing your operational capability.
The temptation to assign Global Admin is understandable. It is the path of least resistance. But every Global Admin account is a potential single point of total compromise. The roles below cover the administrative needs of almost every SME.
Global Administrator
This is the master key. A Global Administrator can change any setting, access any data, and modify any account across the entire Microsoft 365 tenant. Most organisations should have exactly two Global Admin accounts: one for the primary IT contact and one break-glass emergency account stored securely offline. If you have five people with Global Admin rights, you have five potential paths to total compromise. Reducing this number is often the single highest-impact security change an SME can make.
User Administrator
This role can create and manage user accounts, reset passwords, and assign licences. It cannot modify security settings, access compliance tools, or change tenant-wide configurations. For the person in your organisation who handles onboarding and offboarding, this is almost always the right level of access. They can do their job without being able to accidentally, or deliberately, alter your security posture.
Exchange Administrator
Controls email configuration, transport rules, mailbox permissions, and mail flow settings. This is appropriate for whoever manages your email environment. They can configure shared mailboxes, manage distribution lists, and troubleshoot delivery issues without having any access to Azure AD, SharePoint, or security settings. The principle is clear: access to email administration does not require access to everything else.
Security Administrator
Manages security policies, reviews threat alerts, configures Defender settings, and oversees identity protection. This role is read-write for security features but cannot manage users, licences, or service configuration. For organisations with a dedicated security function, or for the managed service provider handling your security, this provides exactly the access needed to protect the environment without the ability to change its structure.
SharePoint Administrator
Controls SharePoint Online and OneDrive for Business settings, including site creation, sharing policies, and storage quotas. In many SMEs, this role belongs to whoever manages your document structure and collaboration environment. They can control how files are shared externally, manage site permissions, and configure retention policies. None of this requires Global Admin, and granting Global Admin for these tasks is an unnecessary escalation of privilege.
Billing Administrator
Manages subscriptions, payment methods, and licence purchases. This is a purely commercial function and should sit with your finance or operations team. A Billing Administrator cannot access user data, change security settings, or modify any technical configuration. This clean separation ensures that the person managing your Microsoft spend cannot accidentally alter your security posture, and vice versa.
MFA for admin accounts
Multi-factor authentication is mandatory for all accounts, but for administrative accounts the stakes are materially higher and the MFA methods should reflect that. Standard MFA, such as SMS codes or simple push notifications, is vulnerable to attacks that specifically target privileged users. SIM swapping, MFA fatigue bombing, and real-time phishing proxies can all bypass basic MFA. Admin accounts deserve stronger protection.
FIDO2 security keys
Physical hardware keys, such as YubiKeys, that use public key cryptography to authenticate. They are immune to phishing because the authentication is bound to the specific website domain. Even if an attacker creates a perfect replica of your Microsoft login page, the key will not authenticate against the wrong domain. For admin accounts, this is the gold standard. A YubiKey costs around twenty to thirty pounds. Compared to the cost of a compromised Global Admin account, this is not an expense. It is insurance.
Microsoft Authenticator with number matching
The Authenticator app with number matching enabled requires the user to enter a specific number displayed on the sign-in screen into the app. This prevents MFA fatigue attacks, where an attacker repeatedly triggers push notifications hoping the user will approve one out of frustration. Number matching is now the default for new Microsoft 365 tenants, but older tenants may still be using simple approve/deny push notifications. Check your configuration and upgrade if necessary.
Certificate-based authentication
For organisations with an existing PKI, certificate-based authentication provides strong, phishing-resistant MFA without requiring separate hardware tokens. The certificate is stored on the device or a smart card and is validated against Azure AD during authentication. This approach is more common in larger organisations, but it is worth noting for SMEs that already issue device certificates through Intune or a similar MDM platform.
“A twenty-pound security key on an admin account provides more protection than a twenty-thousand-pound firewall in front of a network where everyone is a Global Administrator.”
Regular access reviews
Getting admin access right is not a one-time exercise. Organisations change. People join, leave, and change roles. Contractors come and go. New services are deployed with new administrative interfaces. Without regular reviews, even a well-designed access model degrades over time. Privilege creep is the natural state of any environment that is not actively managed.
Export your current admin roster
Start by pulling a complete list of every account with any administrative role in your Microsoft 365 tenant. You can do this through the Microsoft 365 admin centre under Roles, or by running a PowerShell report against Azure AD. Include all role assignments, not just Global Admin. The results are often surprising. You will almost certainly find accounts that no longer need the access they have, accounts belonging to people who have left the organisation, and service accounts with elevated permissions that nobody remembers creating.
Validate every assignment against current job function
For each account with admin rights, ask a simple question: does this person need this specific level of access to perform their current role? Not the role they had six months ago. Not the role they might have next quarter. Their current, documented responsibilities. If the answer is no, or if nobody can clearly articulate why the access exists, it should be removed. This is not about being restrictive for its own sake. It is about ensuring that your access model reflects your actual operational reality.
Check for stale and orphaned accounts
Look for admin accounts that have not been used in 30, 60, or 90 days. An admin account that has not signed in for three months is either unnecessary or forgotten. Either way, it represents risk with no corresponding value. Disable it. If someone needs it reactivated, they can request it through your normal access management process. Also check for accounts belonging to former employees or former contractors. These are the accounts that attackers buy on dark web marketplaces.
Verify MFA status on every privileged account
Every account with any administrative role must have MFA enabled and enforced, not just registered. Check for accounts where MFA is registered but where conditional access policies allow bypass in certain conditions. Check for accounts using legacy authentication protocols that do not support MFA. Check for break-glass accounts that are excluded from MFA policies but are not secured with alternative controls. Any gap here is a gap an attacker will find.
Document and schedule the next review
Record the outcome of every decision: who has what access, why they have it, and when it was last validated. Put the next review in the calendar. Quarterly is the recommended cadence for most SMEs. For organisations handling sensitive data or operating in regulated sectors, monthly reviews of privileged access are appropriate. The documentation itself has value beyond security. It demonstrates due diligence for Cyber Essentials assessments, insurance claims, and any regulatory inquiry.
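The review steps above can be scripted against the tenant. The following is an added example using the Microsoft Graph PowerShell SDK, not a script from the original guide: it exports every directory role assignment, flags admin accounts with no sign-in in 90 days and admin accounts without MFA registered, and writes the roster to CSV as the record for the next review. It assumes the SDK is installed, the caller can consent to the listed read scopes, and the tenant has an Entra ID P1 or P2 licence, which the sign-in activity data requires; the 90-day threshold and file name are arbitrary choices.

```powershell
# Added example (not from the original article): export every directory role assignment,
# flag admin accounts unused for 90+ days and admin accounts with no MFA registered.
# Assumes the Microsoft.Graph PowerShell SDK; signInActivity needs an Entra ID P1/P2 licence.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$StaleDays = 90                                  # arbitrary review threshold
$cutoff    = (Get-Date).AddDays(-$StaleDays)
$rows      = @()

# Get-MgDirectoryRole returns only roles that have ever been activated, which is exactly
# the set that can have members. A role can hold users, groups and service principals.
foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            # Groups and service principals still need a human decision, but have no MFA to check.
            $rows += [pscustomobject]@{ Role = $role.DisplayName; Account = $member.Id; Type = $type
                Enabled = $null; LastSignIn = $null; MfaRegistered = $null; Finding = 'non-user principal' }
            continue
        }
        $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName,accountEnabled,signInActivity'
        $last = $user.SignInActivity.LastSignInDateTime      # $null if never signed in (or no P1 licence)
        $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $member.Id

        $findings = @()
        if (-not $user.AccountEnabled)        { $findings += 'disabled but still holds role' }
        if (-not $last -or $last -lt $cutoff) { $findings += "no sign-in in $StaleDays days" }
        if (-not $reg.IsMfaRegistered)        { $findings += 'MFA not registered' }

        $rows += [pscustomobject]@{ Role = $role.DisplayName; Account = $user.UserPrincipalName; Type = 'user'
            Enabled = $user.AccountEnabled; LastSignIn = $last; MfaRegistered = $reg.IsMfaRegistered
            Finding = ($findings -join '; ') }
    }
}

# Accounts with findings first, then the full roster as the record for the next review.
$rows | Sort-Object { [string]::IsNullOrEmpty($_.Finding) }, Role | Format-Table -AutoSize
$rows | Export-Csv -Path ".\admin-roster-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Registered MFA is not the same as enforced MFA; the script shows registration, and the conditional access policies that enforce it still need to be checked separately.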
What breaches teach us about admin access
Theory is useful. Evidence is better. The most significant cyber security incidents of recent years share a common thread: the exploitation of administrative privileges. In every case, the scale of the damage was determined not by the sophistication of the initial attack, but by the privileges available once the attacker was inside.
The SolarWinds compromise
In the SolarWinds attack of 2020, the initial access vector was a supply chain compromise, but the attackers’ ability to move laterally and persist within victim organisations depended entirely on excessive administrative privileges. Organisations where admin accounts were tightly controlled, with separate identities, strong MFA, and limited scope, were able to contain the breach. Organisations with broad admin access across their environments suffered far greater damage. The lesson is straightforward: the size of the blast radius is determined by the privileges available to the compromised account.
The Uber breach of 2022
An eighteen-year-old attacker gained access to Uber’s internal systems by purchasing stolen credentials on the dark web and then bombarding an employee with MFA push notifications until they approved one. From there, the attacker found a PowerShell script on a network share containing hardcoded admin credentials for Uber’s privileged access management system. This gave them access to virtually everything. Two failures enabled this breach: MFA that was vulnerable to fatigue attacks, and administrative credentials stored in plaintext. Both are preventable with basic controls.
The MGM Resorts attack of 2023
The ALPHV/BlackCat ransomware group compromised MGM Resorts by social engineering the IT help desk into resetting MFA for a privileged account. The attacker found an employee on LinkedIn, called the help desk impersonating that employee, and convinced them to reset the account’s MFA registration. Within hours, the attacker had access to the identity provider and began deploying ransomware across the environment. The cost to MGM exceeded one hundred million dollars. The initial failure was a verification gap in the help desk process, but the extent of the damage was a direct consequence of the privileges attached to the compromised account.
Small business reality
These are headline incidents at large organisations, but the same patterns play out in small businesses every week. An accountancy firm where the managing partner’s Microsoft 365 account was Global Admin, compromised through a phishing email, leading to full tenant takeover. A recruitment agency where a former contractor’s admin account was never disabled, used six months later to exfiltrate the entire candidate database. A manufacturing company where every member of the IT team shared a single admin account with no MFA, compromised through credential stuffing. These are real incidents. They were all preventable.
Balancing security with productivity
The most common objection to tightening admin access is that it will slow people down. This concern is legitimate, but it is almost always overstated. The reality is that most administrative tasks in a typical SME are infrequent. Password resets, licence assignments, new user creation: these happen a few times a week at most. Switching to a dedicated admin account for these tasks adds perhaps thirty seconds of friction per occurrence.
The key is designing the model around how your organisation actually works, not around theoretical scenarios. If your office manager handles new starter onboarding, give them a User Administrator role on a dedicated admin account. They can create accounts and assign licences without being able to modify security policies or access other users’ data. If your finance director needs to manage Microsoft 365 subscriptions, a Billing Administrator role gives them exactly that capability. No one needs to be a Global Administrator to do their job.
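The separate admin account described earlier and the scoped role assignment described here can be done in a few Graph PowerShell commands. This is an added example, not a script from the original guide: it creates an unlicensed adm- account for an existing user, so it has no mailbox or Office apps, and grants it User Administrator only, looking the role up by name rather than hard-coding its GUID. The Microsoft.Graph SDK, the domain and the user names are assumptions.

```powershell
# Added example (not from the original article): create a dedicated admin account for an
# existing user and grant it User Administrator instead of Global Administrator.
# Assumes the Microsoft.Graph PowerShell SDK and a caller able to create users and assign
# directory roles. The domain and names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory" -NoWelcome

$domain   = "yourcompany.com"               # placeholder tenant domain
$adminUpn = "adm-jsmith@$domain"            # separate identity for jsmith@$domain

# Long random initial password (44 characters); the admin sets their own at first sign-in.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)   # hand over out of band, never by email

# Create the admin account. No licence is assigned, so it has no mailbox and no apps.
$adminUser = New-MgUser -AccountEnabled -DisplayName "ADM J Smith" `
    -MailNickname "adm-jsmith" -UserPrincipalName $adminUpn `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# Look the role up by display name rather than hard-coding the template GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Tenant-wide ("/") assignment of this one role and nothing else.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $adminUser.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null

# Sanity check: the new identity should hold exactly one role and zero licences.
$assigned = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($adminUser.Id)'"
$licences = Get-MgUserLicenseDetail -UserId $adminUser.Id
"{0}: roles={1} licences={2}" -f $adminUpn, @($assigned).Count, @($licences).Count
```

The same pattern applies to the other roles described above (Exchange, Security, SharePoint, Billing Administrator): change only the display name in the filter.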
For organisations that manage their IT through a managed service provider, the model is even simpler. The MSP holds the administrative accounts, secured with their own privileged access management controls. Internal staff operate as standard users. When something needs changing, they raise a request and the MSP handles it with appropriate oversight and audit logging. This is not about removing capability from your team. It is about placing that capability behind appropriate controls.
The organisations that get this balance right are not the ones that lock everything down and force people to submit tickets for every minor change. They are the ones that understand which tasks require elevation, design appropriate roles for those tasks, and make the process of using those roles as seamless as possible. Security and productivity are not opposing forces. Poor access design is what creates the conflict.
The cost of getting it wrong
Administrative access is the highest-value target in any organisation. The statistics reflect a consistent pattern: the majority of significant breaches involve the exploitation of privileged accounts, and the cost scales directly with the level of access compromised.
of breaches involve the exploitation of privileged credentials, according to Verizon DBIR 2024
average cost of a data breach in the UK, with compromised admin accounts among the most expensive vectors
average time to identify and contain a breach involving stolen credentials, per IBM Security
The break-glass account
Every organisation needs at least one emergency access account, commonly known as a break-glass account. This is a Global Administrator account that is not assigned to any individual, is not used for routine tasks, and exists solely as a failsafe for scenarios where normal admin access is unavailable. If your primary admin is locked out, if conditional access policies misconfigure and block all sign-ins, if MFA systems experience an outage: the break-glass account is your recovery path.
The break-glass account should have a strong, randomly generated password of at least 24 characters. This password should be printed, sealed in an envelope, and stored in a physical safe or other secure location. The account should be excluded from conditional access policies that might prevent its use during an emergency, but it should still have MFA registered, using a hardware key stored alongside the password. Monitor sign-in activity on this account with alerts. Any use of it should trigger an immediate investigation.
Do not skip this step. Organisations that reduce their Global Admin accounts to a single person without creating a break-glass account are one road traffic accident, one forgotten password, or one MFA device failure away from being permanently locked out of their own environment. Microsoft support can help in these situations, but the process is slow, requires extensive identity verification, and is not something you want to be navigating during a crisis.
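The break-glass controls above can be verified on a schedule. The following is an added example using the Microsoft Graph PowerShell SDK, not a script from the original guide: it checks that the account is excluded from every enabled conditional access policy, that a FIDO2 key is registered and no phone method is, and lists every sign-in in the last 30 days so each can be matched to a documented emergency. The SDK, the account name and the 30-day window are assumptions.

```powershell
# Added example (not from the original article): verify the break-glass account's exclusions,
# its MFA registration and its recent sign-ins. Assumes the Microsoft.Graph SDK; the UPN and
# the 30-day window are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "AuditLog.Read.All",
                        "UserAuthenticationMethod.Read.All" -NoWelcome

$breakGlassUpn = "breakglass@yourcompany.com"   # placeholder
$bg = Get-MgUser -UserId $breakGlassUpn -Property 'id,userPrincipalName,accountEnabled'
$problems = @()

# 1. Conditional access: this script insists on exclusion from every enabled policy, since a
#    policy that looks harmless today can be edited tomorrow into one that locks the account out.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    if ($p.Conditions.Users.ExcludeUsers -notcontains $bg.Id) {
        $problems += "not excluded from CA policy '$($p.DisplayName)'"
    }
}

# 2. MFA: a hardware key (kept in the safe with the password) must be registered, and no
#    phone number, which SIM swapping could target, should be.
$types = Get-MgUserAuthenticationMethod -UserId $bg.Id |
         ForEach-Object { $_.AdditionalProperties['@odata.type'] }
if ($types -notcontains '#microsoft.graph.fido2AuthenticationMethod') {
    $problems += 'no FIDO2 security key registered'
}
if ($types -contains '#microsoft.graph.phoneAuthenticationMethod') {
    $problems += 'phone/SMS method registered'
}

# 3. Monitoring: every sign-in attempt in the window must match a documented emergency use;
#    anything else is grounds for an immediate investigation.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($bg.Id)' and createdDateTime ge $since" -All
foreach ($s in $signIns) {
    $outcome = if ($s.Status.ErrorCode -eq 0) { 'SUCCESS' } else { "failed ($($s.Status.ErrorCode))" }
    "{0:u}  {1}  {2}  {3}" -f $s.CreatedDateTime, $outcome, $s.IPAddress, $s.AppDisplayName
}

if (-not $bg.AccountEnabled) { $problems += 'account is disabled' }
if ($problems) { "BREAK-GLASS PROBLEMS:`n - " + ($problems -join "`n - ") }
else           { 'break-glass account checks passed' }
```

Running this on a schedule covers the hygiene checks; the real-time alert on any sign-in still belongs in your SIEM or Entra alerting rather than in a script.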
Need help with admin access controls?
We help UK businesses audit, restructure, and manage administrative access across Microsoft 365 and Azure environments. That includes admin account separation, role assignment, MFA hardening, conditional access configuration, and ongoing privileged access reviews.
If you are not sure where you stand, a privileged access review takes around an hour and will give you a clear picture of your current exposure, along with a prioritised list of changes to reduce it.