How it works: CoreView Admin Account

Modified on Mon, 18 Jul 2022 at 09:27 AM

Note: this article applies to customers that joined CoreView before May 2022. All new activations use our Secure By Default configuration, where Global Admin role is not required anymore.


This article will cover how to remove the global admin role from the CoreView admin account. 


Overview 

CoreView creates an administrative account in our customers’ M365 accounts to act as the user that performs management activities within Microsoft. In other words, an operator will trigger a management action such as editing a user within CoreView, but the CoreView administrative account is the one that will perform the action within Microsoft. Historically, CoreView has required that this account be a global administrator to ensure it can perform any actions that might be needed.   


Given changes in security best practices, CoreView recognizes that dependence on a Global Administrative account can create undue risk. In our new Secure by default configuration, following roles are assigned to CoreView Admin account:  

 

  • Global Reader
  • Exchange Administrator
  • Teams’ Administrator
  • User Administrator 
  • Authentication Administrator
  • SharePoint Administrator
  • Privileged Authentication Administrator  
  • Privileged Role Administrator 


Without the Global Administrative privileges, the CoreView product will have the following limitations:   

  • Cannot disable or delete a user with any Admin Role
  • Cannot edit the Password of a user with any Admin Role

 

How to change permissions for existing admin accounts  

For any existing CoreView customers, no changes will apply to your existing environment. If you would like to remove the Global Administrative role from your CoreView administrative account, you can perform the following steps.  

Note: Please close your advanced management session (if opened) and then you can assign the following permissions from section “Manage admin roles” of your Company Administrator user’s card from Office 365 Admin Center: 

Graphical user interface, text, application, email 
Description automatically generated 

 

 

 

 

Please be sure to remove Global Administrator role from your list and assign the missing ones from the “Show all by category” section: 

 

Graphical user interface, text, application 
Description automatically generated 

 

Click on the “Save Changes” blue button after you modified the permission assigned. 

 

Password Rotation  

Password rotation is achieved by adding the following Identity roles to the “4ward365” user:   

  • Privileged Authentication Administrator  
  • Privileged Role Administrator 

 

 

We have two rotation strategies in place:      

  • For Advanced User Management: Password is automatically changed every 7 days and saved in CoreView Azure Key Vault - this is the password associated with the account named 4ward.admin@yourdomain.onmicrosoft.com 
  • For Service Account such as coreview.reportsXY@yourdomain.onmicrosoft.com: Password is not changed but using a long and complex pattern. The encryption key is rotated once per month and saved in CoreView Azure KeyVault


Re-enabling Global Admin privileges  

If you want the CoreView application to be able to disable and manage passwords for Admins, you can add the Global Administrator role to the “company administrator” user.  

 


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article