Billable Accounts Definition
Which accounts are considered "billable" account in SaaS Alerts?
- If an account can log in the account is monitored and considered billable
- Microsoft recommends that shared mailboxes and resource accounts be configured to "block sign-in" If "block sign-in" is enabled, the account is not counted as billable for SaaS Alerts monitoring purposes.
- Each MSP is provided one domain within SaaS Alerts for which all of the users are not counted as billable. This domain will ALWAYS be the domain with which the MSP registered for their SaaS Alerts Partner account. The purpose of the NFR organization is to allow MSP Partners to monitor internal team members at no cost. SaaS Alerts also does not consider any user account in the MSP Tools Category to be a billable account (i.e. IT Glue, Ninja ).
- Guest accounts are currently excluded from the billable user count. However this policy is subject to change
- SaaS Alerts attempts to identify universal service accounts for 3rd party products such as cloud backup or AD Sync and excludes such accounts from the billable user count. If a SaaS Alerts Partner has identified a 3rd party service account that should be considered for billing exclusion, they should contact SaaS Alerts support or their account management representative. SaaS Alerts does not create a custom exclusion list for Partners or Customer Organizations. Rather if a service account name is used universally across multiple Partners or Customer Organizations it may be considered for billing exclusion.
updated May 31st, 2024
How does a partner Control if an account has access?
Selecting an account and then selecting "edit" will allow the partner to manipulate the account to enable or prevent access.
If "Sign In Prohibited" is set to No - the account has access.
If set to YES - the account does not have access.
Please note that user changes made in Microsoft and Google will update in the UI the next day after making updates.
What is an example use case for a member account with blocked access?
The most common would be a company resource such as a conference room or company car that is used to create reservations.
Reservations can still be made for these resources in the "location" field when scheduling an event via Outlook Calendar. The resource account will still "respond" as to the availability of the resource.
When these accounts are created, the "Block sign in" setting should be set to "Yes" to prevent unauthorized access from an open account.
Reservations can still be made for these resources in the "location" field when scheduling an event via Outlook Calendar. The resource account will still "respond" as to the availability of the resource.
Special Note about Partner global admin accounts for their tenant
Some Partners may try to make the case that the admin account they use to manage the tenant should not be monitored or considered a billable account by SaaS Alerts.
It is absolutely essential that these accounts are monitored as their admin role presents the most significant risk possible to the tenant domain. Microsoft actually recommends that every domain has one or more accounts used as an emergency Admin account that is not INTENDED to be accessed unless the domain is inaccessible by other means.
At least one of these accounts should not be configured with MFA as these are "last resort" Domain access accounts. The account should also never have the word "admin" in its user name.
Looking in the Respond Module, we have a Rule Template called "Breakglass Account Alert" to alert on these type off accounts so that ANY access attempt or activity will automatically trigger a critical alert.
Like other partner accounts in customer tenants, these accounts will be monitored and will incur a monitoring charge.
Additional information on "Break Glass" Accounts
Comments
0 comments
Please sign in to leave a comment.