Some customers are concerned that requiring the Office 365 global administrator and the CloudSOC sysadmin to have matching email addresses breaks segregation of duties. This can potentially allow the Office 365 administrators to access the CloudSOC environment with the sysadmin privilege, or the other way around.
This article discusses a strategy for keeping each team's access separate, so that the Office 365 administrator cannot access CloudSOC, or vice versa.
Resolution
There are 2 approaches to activating the Office 365 Securlets without sharing the credentials:
Approach 1: Use the existing Office 365 Global Admin
1. Create a new user in CloudSOC whose username matches the GA account's username (CloudSOC user's email field = GA admin's username)
2. Reset the password in the CloudSOC Users settings so that only the CloudSOC admin team can access this newly created user
3. Promote the CloudSOC user to sysadmin during the activation change window
4. During the activation session, use a video conferencing tool and present the screen to the Office administrators
5. Log in to CloudSOC as the sysadmin created above to activate the Securlet
6. When prompted to enter the GA account credential, pass the remote control to the O365 team to keep the GA account credential confidential
7. After the O365 team enters the GA account credential and successfully activates the Securlet, change this CloudSOC sysadmin back to an end-user and/or deactivate this CloudSOC user
Approach 2: Create a new Office 365 Global Admin
1. Create a new O365 Global Admin
   Note that you do not need to create the mailbox or assign an Exchange license to this user
2. Create a corresponding CloudSOC sysadmin
   Note that the Office 365 user's username field should match the CloudSOC user's email field
3. Activate the Securlet
After the activation completes, the O365 admin team can demote the GA account to a regular user, but the user should not be fully removed. The CloudSOC admin team can perform the same action for the sysadmin account.