Which accounts are considered billable accounts in SaaS Alerts?

  • If an account can log in, the account is monitored and considered billable. The Microsoft account terms User, Member, and Guest include Shared Mailboxes, Guests, and Resource accounts which are all considered Active users in Microsoft's admin portal. Note that just because an account does not have a license does not mean it is not billable.
  • Microsoft recommends that shared mailboxes and resource accounts be configured to block sign-in. If blocking sign-in is enabled, the account is not counted as billable for SaaS Alerts monitoring purposes.
  • Each MSP is provided one domain within SaaS Alerts for which all of the users are not counted as billable. This domain will ALWAYS be the domain with which the MSP registered for their SaaS Alerts Partner account. The purpose of the NFR organization is to allow MSP Partners to monitor internal team members at no cost. SaaS Alerts also does not consider any user account in the MSP Tools Category to be a billable account (that is, IT Glue, Ninja).
  • Guest accounts are currently excluded from the billable user count. However, this policy is subject to change.
  • SaaS Alerts attempts to identify universal service accounts for 3rd party products such as cloud backup or AD Sync and excludes such accounts from the billable user count. If a SaaS Alerts Partner has identified a 3rd party service account that should be considered for billing exclusion, they should contact SaaS Alerts support or their account management representative. SaaS Alerts does not create a custom exclusion list for Partners or Customer Organizations. Rather, if a service account name is used universally across multiple Partners or Customer Organizations, it may be considered for billing exclusion.

Updated May 31st, 2024

How does a partner control if an account has access?

Selecting an account and then selecting "edit" will allow the partner to manipulate the account to enable or prevent access.

If Sign In Prohibited is set to No, the account has access. If set to Yes, the account does not have access.

If an account can be accessed, it presents an attack surface that a malicious actor can use for reconnaissance to work towards the goal of compromising the tenant domain.

User changes made in Microsoft and Google appear in the UI the day after the change is made.

What is an example use case for a member account with blocked access?

The most common would be a company resource such as a conference room or company car that is used to create reservations.

When these accounts are created, the Block sign-in setting should be set to Yes to prevent unauthorized access from an open account.

Reservations can still be made for these resources in the location field when scheduling an event via Outlook Calendar. The resource account will still respond as to the availability of the resource.
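
To audit the recommendation above, the following added example (not SaaS Alerts or Microsoft code) lists shared, room, and equipment mailboxes whose accounts can still sign in. The function names and sample records are assumptions made for illustration; the cmdlets come from the ExchangeOnlineManagement and Microsoft.Graph.Users modules.

```powershell
# Added example. Function names are hypothetical.
# In Entra ID, "Block sign-in = Yes" is stored as accountEnabled = $false.
$ResourceTypes = 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox'

function Find-SignInEnabledResource {
    # Emits every shared/room/equipment mailbox whose account can still sign in.
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        if ($Account.RecipientTypeDetails -in $ResourceTypes -and $Account.AccountEnabled) {
            [pscustomobject]@{
                UserPrincipalName = $Account.UserPrincipalName
                MailboxType       = $Account.RecipientTypeDetails
                Finding           = 'Sign-in not blocked'
            }
        }
    }
}

function Get-TenantResourceAccount {
    # Read-only live feed. Run Connect-ExchangeOnline and
    # Connect-MgGraph -Scopes 'User.Read.All' before calling this.
    Get-EXOMailbox -RecipientTypeDetails $ResourceTypes -ResultSize Unlimited |
        ForEach-Object {
            $u = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property AccountEnabled
            [pscustomobject]@{
                UserPrincipalName    = $_.UserPrincipalName
                RecipientTypeDetails = $_.RecipientTypeDetails
                AccountEnabled       = $u.AccountEnabled
            }
        }
}

# Constructed sample records so the check can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'boardroom@contoso.example';  RecipientTypeDetails = 'RoomMailbox';      AccountEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'billing@contoso.example';    RecipientTypeDetails = 'SharedMailbox';    AccountEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'companycar@contoso.example'; RecipientTypeDetails = 'EquipmentMailbox'; AccountEnabled = $true  }
    [pscustomobject]@{ UserPrincipalName = 'jdoe@contoso.example';       RecipientTypeDetails = 'UserMailbox';      AccountEnabled = $true  }
)
# Reports boardroom@ and companycar@; billing@ is already blocked, jdoe@ is a person.
$sample | Find-SignInEnabledResource | Format-Table -AutoSize

# Against a live tenant:
# Get-TenantResourceAccount | Find-SignInEnabledResource | Format-Table -AutoSize
```

The script only reads account state; each reported account still has to be set to block sign-in by an administrator.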

Special note about partner global admin accounts for their tenant

Some Partners may try to make the case that the admin account they use to manage the tenant should not be monitored or considered a billable account by SaaS Alerts. 

It is absolutely essential that these accounts are monitored as their admin role presents the most significant risk possible to the tenant domain.  Microsoft actually recommends that every domain has one or more accounts used as an emergency Admin account that is not intended to be accessed unless the domain is inaccessible by other means.  

At least one of these accounts should not be configured with MFA as these are last-resort domain access accounts. The account should also never have the word "admin" in its user name.  

An upcoming feature from SaaS Alerts will allow these accounts to be set so that any access attempt or activity will automatically trigger a critical alert. Like other partner accounts in customer tenants, these accounts will be monitored and will incur a monitoring charge.

Additional information on "Break Glass" accounts