As you probably all know by now the core Office 365 infrastructure is massive, and made up of many servers farms spanning the globe. There are backups of backups of backups everywhere to make sure it is resilient. Outside of the super infrastructure, as you can imagine the amount of Central Administration components are massive too and are being used to manage the farms, however due to the nature of it being a multi-tenant you don’t get access to the full central administration, but the tenant administration site instead.
So let’s think this for a second, we all know that SharePoint requires service accounts to run, so where are they? What are they? And do we really care?
Realistically Microsoft will never give us the service account details as the farm your tenant is on is used by multiple other people or organizations so that would mean you could mess with their tenant too. So what happens is we get our email address set as the tenant administrator or other accounts and we manage it that way.
So out of interest what are the accounts that Microsoft uses? This was a question posted to me on Twitter a while ago while I was travelling around, and had not had chance to post this blog post that has been hanging around for a while.
To see them you can access the “SharePoint Admin Center” and then click on the “User Profiles” link.
Once it has loaded, click the “Manage User Profiles” link
Now I am sure you have all used this before, this time however we are going to select “Active Profiles“, and then in the filter we will type “_spo“, this filter should then display five accounts that are the administration accounts for your farm, where your tenant resides. These are the service accounts and no doubt accounts used by administrators once in a while.
Of course we don’t know the passwords for these accounts, and Microsoft is not handing them out either. Anyway now you know the accounts are there and really what they actually get used for is only a guess, but would make complete sense based on how a SharePoint Infrastructure even in Multi-Tenant mode would work. So how could we check?
If we click onto one of the service account and select the menu and choose “Edit Profile” you will then be able to see other properties from the account, specifically “Active Directory” organizational location.
Scrolling down to the “Distinguished Name” field shows us this.
Mine for my tenant are stored in the full path:
CN=_SPOFrm_70_6564,OU=Service Accounts,OU=Accounts,DC=[removed],DC=MSOPRD,DC=MSFT,DC=NET
Notice the clear indicator that they are service accounts is based on the “OU” they reside in called “Service Accounts“.
So do we need to worry about these accounts? No not really, they are internal domain accounts isolated to the domain that the “SPO” farm resides in, and cannot be used to login with anyway from the outside or can they? Trying it ends up with this:
Maybe we can reset the password just for fun? If we try and access the password reset page and pass in the account then we fail as it does not recognize the account, which in all fairness was expected.
So back to the original question, do we need to worry about them? The answer is a great big “NO“, and nothing to see here so move on J
Good information. Thanks Liam! I especially like how you blur out the domain ylo0001 in a couple of screenshots, but leave it be in others 🙂
Thanks, glad it was useful. Yeah realized that after I posted it, but never got chance to change it. Not that it makes a different showing it, but changed it anyway 🙂