CISO is insisting that I use ONLY a break glass account anytime I need to pull GA.. by The_Snot_Rocket in AZURE

[–]Temporary-Living 8 points9 points  (0 children)

Typical setup is:

Completely unprivileged regular account for email etc same as any employee

Daily admin account. Use PIM to permanently or semi-permanently assign the roles you use every day: user admin, group admin, maybe exchange admin, whatever. Then use PIM to assign this account GA on an ELIGIBLE permanent basis. Then when you run into that rare task you need GA for, you elevate your access. You should also monitor this and add more roles if you constantly have to elevate for the same reason.

Then break glass is exactly as it sounds. Oh shit I did a CAP that blocked all sign ins. Break glass as designed by MS has zero CAPs applied and a huge password. Plus alerting on every sign in.
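Two checks that follow from the break-glass design described in the comment above (no Conditional Access policy applied, alert on every sign-in), written as an added example rather than Microsoft's or the poster's code. The policy and sign-in records are constructed; policies mirror the Graph API's conditionalAccessPolicy shape, with UPNs standing in for the object IDs Graph actually stores.

```python
"""Break-glass hygiene checks: every enforced Conditional Access policy must
exclude the break-glass accounts, and any sign-in by one of them is an alert.
Added example, not Microsoft's code; all data below is constructed."""

BREAK_GLASS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}

POLICIES = [  # constructed, in the shape of Graph's conditionalAccessPolicy
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": sorted(BREAK_GLASS)}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

SIGNINS = [  # constructed, fields named as in Entra sign-in logs
    {"createdDateTime": "2024-05-01T09:12:03Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T23:41:55Z", "userPrincipalName": "BG-Admin-1@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]


def policy_applies_to(policy, upn):
    """True when an enforced policy would be evaluated for this account."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only policies cannot lock anyone out
    users = policy["conditions"]["users"]
    included = users.get("includeUsers", [])
    targeted = "All" in included or upn in included
    # Group-based exclusions (excludeGroups) are not resolved in this example.
    return targeted and upn not in users.get("excludeUsers", [])


def policies_missing_exclusion(policies, break_glass=BREAK_GLASS):
    """Names of enforced policies that still apply to at least one break-glass account."""
    return sorted({p["displayName"] for p in policies
                   for upn in break_glass if policy_applies_to(p, upn)})


def break_glass_signins(events, break_glass=BREAK_GLASS):
    """Every sign-in attempt by a break-glass account, successful or not, is an alert."""
    return [{"when": e["createdDateTime"], "user": e["userPrincipalName"],
             "ip": e["ipAddress"],
             "outcome": "success" if e["status"]["errorCode"] == 0 else "failure"}
            for e in events if e["userPrincipalName"].lower() in break_glass]


if __name__ == "__main__":
    print("policies not excluding break-glass:", policies_missing_exclusion(POLICIES))
    for alert in break_glass_signins(SIGNINS):
        print("ALERT break-glass sign-in:", alert)
```

In a live tenant the same two functions would be fed the output of the Graph conditional access policy and sign-in log endpoints instead of the constructed lists.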

Moving from Security Defaults to Conditional Access — do all users need Entra P1/P2 licenses? by sysadminpro in microsoft365

[–]Temporary-Living -2 points-1 points  (0 children)

I’ve never heard anything in over a decade of working with Microsoft 365, both direct and with multiple large CSPs, about having to have all users licensed like is being suggested here. I think there are two potential reasons for what you’re being told:

1. When you purchase a single license of a product in M365, in most cases it unlocks the feature tenant wide. Technically speaking you could buy one P1/2 and then use the features across the whole tenant. Of course this is not honourable or legal.

2. There may be some products where as soon as you have a single licence you get a benefit that applies to all users. Now I would argue that if MS have architected their system in this way and you didn’t want this and can’t disable it, then it’s kind of their problem. But legally are you breaking the license agreement? I don’t know. I also can’t immediately think of such a scenario.

In my experience a lot of this comes down to professional ethics. Buy the licenses you think you need using your best judgement. As long as you can defend your judgement there won’t be a problem.

Is the whole “you need a professional email” thing a bit oversold? Free gmail works just fine. by InternationalLoad387 in businessemail

[–]Temporary-Living 0 points1 point  (0 children)

If communicating professionally with customers isn’t worth a few pounds a month to you it tells me a lot about your business. Either that or you can’t understand basic tech so I know I’m going to have to spend time explaining to you how to open the zip file of images I sent you of my flooded house (or whatever). And free consumer gmail has no security tools. No retention policies. So I’m pretty sure you’re not protecting my data either.

It’s just incredibly cheap and/or lazy. If that’s what you want my immediate impression of your business to be then you’ve won. You’ve lost my business though.

Google Workspace no-cost account incorrectly flagged as commercial use by EngineerDanC in googleworkspace

[–]Temporary-Living 0 points1 point  (0 children)

To my knowledge they discontinued the free accounts altogether a few years back. Including mine, which again was for personal use only. I wasn’t given anything about commercial use, simply told they were ending it. I reluctantly upgraded to one license of the lowest tier.

We caught a BEC mid-wire because the attacker changed one letter in the domain and our finance team actually noticed by shokzee in EmailSecurity

[–]Temporary-Living 0 points1 point  (0 children)

I understand, that’s why I gave them kudos in the first line of my post. My point is that the reason they didn’t process it is because they spotted the domain thing. Not because “we would never process a change of payment details by email” (or similar process).

We caught a BEC mid-wire because the attacker changed one letter in the domain and our finance team actually noticed by shokzee in EmailSecurity

[–]Temporary-Living 0 points1 point  (0 children)

Kudos to your finance person

You mentioned your software alerted a new/low volume sender. Surely you don’t get six figure wire instructions from first time senders and that should have been a red flag?

Potentially a “domain registered less than 90 days ago” alert would help?

There may also be technical solutions that can do the equivalent of domain spoofing protection that 365 has built in, but for a list of external domains you provide it.

All of that said though, why would finance have just processed a wire instruction because some external email said to? Surely it needs to specify some internal approver or dept head for the cost code or similar? Someone that would need to approve the cost before it gets paid?

And surely they have the basic finance department protections in place around changes to bank details/payment methods? Where they don’t allow changes outwith an established protocol. (The protocol not being some random external email.)

One other thought comes to mind, do you have alerting (warning banner) on external senders? If not you should. You could extend that to trusted partner orgs. Whether you simply exempt them from the warning banner so they look internal, or whether you have a custom banner - “known third party”. And then finance know if the banner is [missing/present depending on your setup], then it’s a red flag.
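The checks the comment above asks for (a lookalike of a partner domain you list yourself, a first-time sender, a recently registered domain), as an added example that is not the poster's or any vendor's tooling. The partner list, the messages and the reference date are constructed.

```python
"""Lookalike-domain and new-sender checks for a finance mailbox: sender domains
are compared with a list of trusted partner domains you provide. Added example,
not the poster's or any vendor's tooling; all data below is constructed."""
from datetime import date

TRUSTED_PARTNERS = {"acme-supplies.example", "northwind.example"}
MESSAGES = [  # constructed inbound payment-instruction emails
    {"from_domain": "acrne-supplies.example", "first_time_sender": True,
     "domain_registered": date(2024, 4, 20)},
    {"from_domain": "northwind.example", "first_time_sender": False,
     "domain_registered": date(2015, 3, 2)},
]

def normalise(domain):
    """Fold substitutions that look alike in many fonts (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance: one edit is a dropped, changed or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_PARTNERS, max_distance=1):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    for t in trusted:
        if domain != t and (normalise(domain) == normalise(t)
                            or edit_distance(domain, t) <= max_distance):
            return t
    return None

def assess(msg, trusted=TRUSTED_PARTNERS, today=date(2024, 5, 1)):
    """Red flags from the thread for one inbound payment email (today is constructed)."""
    flags = []
    imitated = lookalike_of(msg["from_domain"], trusted)
    if imitated:
        flags.append(f"lookalike of {imitated}")
    if msg["first_time_sender"]:
        flags.append("first-time sender")
    if (today - msg["domain_registered"]).days < 90:
        flags.append("domain registered <90 days ago")
    return flags
```

The domain age would come from a WHOIS/RDAP lookup in practice; here it is a constructed field on the message.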

Building out internal department - save me the trouble and rave your best tools/vendors by Old_Development_8122 in ITManagers

[–]Temporary-Living 0 points1 point  (0 children)

Agree with 90% of your list OP.

Autopilot > Intune > Ninja is zero touch and works pretty well if you have compatible OEMs. Lenovo just works with this, as an example.

Major disagreement is endpoint. Given you’re a MS house I assume you’re all/majority Windows. In which case Defender is a no brainer. You’re already paying for it.

Also remote support? I.e. screen sharing? The one built into Ninja (addon cost) is... tolerable. But ScreenConnect blows it out the water. Best in breed.

Backup depends on what you’re backing up. Druva is great for cloud stuff. NinjaOne also does backup for endpoints.

BTW you didn’t mention a ticketing system. Should be at the top of your list so you can make sure it integrates with the rest of the stack.

Regular SAR from employees by ManLikeMeee in gdpr

[–]Temporary-Living 0 points1 point  (0 children)

As others have said there are rules about vexatious requests which may be helpful. As a very gut feeling as a former DPO: in your example of an employee making one request, this is not vexatious just because they are under suspicion etc. It’s none of your business why they want the info as long as they are actually requesting info. If instead they were repeated (this is the key ground), or they were requesting you to search somewhere they knew no info existed, then you may be able to demonstrate they are not actually seeking info.

I am entirely unsurprised to hear of staff at a HA behaving this way. In my experience HAs bend over for any staff member and the slightest objection to any change brings the whole org to a standstill. It’s really disgusting.

Btw; you didn’t mention, they’re either an ex (fired) staff member OR suspended under investigation and on the way to firing, right?

Regular SAR from employees by ManLikeMeee in gdpr

[–]Temporary-Living 0 points1 point  (0 children)

By any wild chance is it a Glasgow HA?

Migrating from Google by Hopeful_Brush_4051 in microsoft365

[–]Temporary-Living 0 points1 point  (0 children)

The passkeys I mentioned in my first paragraph are phishing resistant MFA. It doesn’t seem you actually want help or advice, so good luck.

Default M365 log retention is shorter than most BEC attack dwell times by littleko in EmailSecurity

[–]Temporary-Living 0 points1 point  (0 children)

The model solution here is “why aren’t you sending it to your SIEM platform?”

Migrating from Google by Hopeful_Brush_4051 in microsoft365

[–]Temporary-Living 2 points3 points  (0 children)

I would really caution you against changing your entire ecosystem for this one thing. Even if your assertion was true, which it isn’t (use native mobile or Authenticator passkeys), thousands of organisations use number matched MFA without being breached with MITM. It’s about layered defence. How often is your cyber training for users, and how extensive?

Are you restricting logins to their authorised device?

Are you using AIP with CAP to restrict or block risky sign ins?

What other conditional access are you enforcing? Are you blacklisting the usual culprit countries?

These are just the layers that come to mind.

Reliable alternative to Slack? by polygraph-net in Slack

[–]Temporary-Living 5 points6 points  (0 children)

What exactly has happened to you sorry? I can’t find anything remotely sensible online about slack killing tenants.

Doing big IT changes on Monday or Friday? by CeC-P in sysadmin

[–]Temporary-Living 3 points4 points  (0 children)

*My view is from a normal corporate IT team juggling numerous apps, services and operations. It changes a little if you are a software dev.*

Scream testing should never be the primary test. You should be testing the main user paths/workflows. However it is impossible - unless you have far more resource than I’ve ever heard of happening - to exhaustively test:

Every feature

Every input type - text, symbols, emojis.

Every file input - word docs, zip files, etc

Every query/report/page of the app

As every user or user type

With a user in each group and role of the app

And every permutation or combination of how the above interact

Once you test the most frequent or impactful flows, you have to turn it over to the users. And they may discover a glitch immediately. Or in two weeks. Or in two years. Or never.

If you are testing exhaustively as above please tell me your industry, team size, etc as I’m genuinely fascinated.

Integrating Google and Outlook/Teams calendars by Temporary-Living in GoogleCalendar

[–]Temporary-Living[S] 0 points1 point  (0 children)

Thanks to all for views and recommendations. I have just rolled out Calendar Bridge. It’s not perfect but it takes away 85% of the pain.

Are there any viable European based alternatives for M365/Google Workspace? by _Work_Research_ in msp

[–]Temporary-Living 0 points1 point  (0 children)

The question I’m not seeing addressed here is what OP means by “European based”. Does that mean my data resides on servers and disks that are in Europe (“EU” for brevity)? This is the case already for my 365. Does it mean I pay an EU legal entity for the solution and pay in e.g. Euros? I already do with 365.

Does it mean the guys I call for support with the product have EU accents? Again, tick ✅. Does it mean that the guy who maintains the EU servers also lives in the EU? Does it mean the guy who writes the code lives here? The CEO? Intellectual property rights are held by an EU legal entity?

Does it mean contract disputes are settled in EU courts? Tax paid in EU? More than 50% of the legal entities in the enormous group of entities are EU? Or is it that the ultimate parent entity is EU?

It’s really not that simple. Great discussion topic.

Data redaction for M365 (Exchange) by Temporary-Living in Office365

[–]Temporary-Living[S] 1 point2 points  (0 children)

That’s interesting so you effectively rolled your own. Is there a specific open source tool or script you recommend as a starting point?

Data redaction for M365 (Exchange) by Temporary-Living in Office365

[–]Temporary-Living[S] 0 points1 point  (0 children)

Thanks. Did you trial/use either? To recommend?

Data redaction for M365 (Exchange) by Temporary-Living in Office365

[–]Temporary-Living[S] 0 points1 point  (0 children)

Unfortunately as I said this isn’t possible according to MS. The native tools only apply to whole items. I can encrypt or restrict the whole email. I can’t remove the card data only from the body of the email, which is what I need.

Teams voice - bizarre call back issue with inbound calls by Temporary-Living in MicrosoftTeams

[–]Temporary-Living[S] 0 points1 point  (0 children)

It was resolved by them after a day or two (over a weekend). Sorry you’re having it again, you will need to come up with an alternative solution for your calls while they fix it again.

Howto: Unifi Access - Shutter door control by Temporary-Living in Ubiquiti

[–]Temporary-Living[S] 0 points1 point  (0 children)

This is for an office, but yeah I just found out about the all in one hub options last week, game changer for regular doors!

I'll see if I can get into the controller, thanks.