Welcome back for round two of permissions in Office 365/Microsoft 365. In my last blog, I presented some best practices around Admin roles that can be used to target Microsoft 365 workloads such as Exchange Online, Microsoft Teams or SharePoint Online. In this post, we will specifically discuss how to access the Office 365 Security and Compliance Center and a set of new roles that can be used while managing permissions from a tenant security/compliance angle.
The Microsoft 365 Security and Compliance Centers and How to Access Them
Microsoft has done a lot of work on all of its portals since this post was first published, so I wanted to bring you up to date on this topic. We are now left with two robust Security and Compliance portals, for which I have highlighted a few key capabilities below:
- Security and Compliance Center (legacy): Its services have been moved to the modern portals. Microsoft is in the process of decommissioning the legacy portal, so there is no need to bookmark this one anymore.
- Security Center: Microsoft 365 Defender Portal. The main capabilities of this portal are:
  - Email and Collaboration (including email protection via Defender for Office 365). We recommend investigating these capabilities, especially if you are already licensed for them, as a potential replacement for Mimecast, for instance.
  - Cloud Apps (Microsoft Defender for Cloud Apps), which gives you visibility into shadow IT and third-party cloud services and includes a reverse proxy. (The solution can work as a replacement for Cisco Umbrella's CASB, for example.)
  - Hunting, incidents and alert management.
- Compliance Center: Microsoft Purview Compliance Portal. This is the portal you can leverage to protect your sensitive information:
  - Get to know your data by assessing your stale and unknown (dark) sensitive data.
  - Apply labels manually or automatically (according to your licenses) to your content across your M365 stack and take action accordingly (e.g., block or encrypt content shared outside of the organization). This is a key measure for preventing both intentional and unintentional data leaks outside of your tenant.
  - Keep track of your company's compliance requirements by leveraging Microsoft Compliance Templates, which are pre-configured with industry standards.
- Microsoft Compliance Manager: This is a more robust compliance tool that provides detailed information on the regulations your organization must follow and lets you track related activities directly within the portal. Compliance Manager has been moved to the Microsoft Purview Portal.
The number of settings displayed can be overwhelming. In addition, you may see capabilities in your portal that you are not licensed for. My recommendation is to:
- Get a solid understanding of what services your Microsoft licenses currently include.
- Next, identify what other third-party tools you are currently paying for. You might already be paying for Defender for Office 365 while also paying for a third-party email filtering service, which gives you an opportunity to consolidate and cut costs.
- While there is a ton of valuable data in those portals, you need to ensure your processes include automation, notifications, investigations, etc. for sensitive actions taking place within your tenants. All too often, data is compromised within a tenant, but the organization is unaware of it until it is too late. Make sure to set up appropriate controls as preventive measures!
Best Practices to Manage Permissions in the Security and Compliance Center
In the Security and Compliance Center, permissions are composed of two different layers:
- A role group bundles multiple roles so that a user can perform all of the activities their job requires (e.g., a Global Reader needs View-Only Audit Logs, Security Reader, View-Only DLP Compliance Management and others in order to perform an audit).
- A role is a specific level of permission that a user can be granted (e.g., View-Only Audit Logs, View-Only Device Management, etc.).
My recommendation is to assign users directly to a role group. Once you have done so, each user is granted the full set of responsibilities that the role group defines.
Given the extensive list of role groups, I have highlighted the most common ones you may want to leverage below:
| Role group | Description |
|---|---|
| Compliance Administrator | Members can manage settings for device management, data loss prevention, reports, and preservation. |
| Data Investigator | Members can perform searches on mailboxes, SharePoint sites, and OneDrive accounts. |
| eDiscovery Manager | Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can (1) view all eDiscovery cases in the organization and (2) manage any eDiscovery case after adding themselves as a member of the case. |
| Global Reader | Members have read-only access to reports and alerts, and can see all of the configuration and settings. The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings. |
| Organization Management | Members can control permissions for accessing features in the Security & Compliance Center, and can also manage settings for device management, data loss prevention, reports, and preservation. Users who are not global administrators must be Exchange administrators to see and take action on devices managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). Global admins are automatically added as members of this role group. |
| Quarantine Administrator | Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP. |
| Security Administrator | Members have access to several security features of the Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Security & Compliance Center. By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group, so the role group inherits the capabilities and membership of that Azure Active Directory role. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center (for more information, see Administrator role permissions in Azure Active Directory). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. This role group includes all of the read-only permissions of the Security Reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Security & Compliance Center. |
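To make the two layers concrete, here is an added PowerShell example that is not part of the original post. It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module to list the roles bundled by each role group in the table above, add a user to a role group (the recommended way to grant access), and produce a membership report that can be kept for periodic access review. The tenant, the user principal names and the function names are constructed for this example.

```powershell
# Added example (not from the original post): review and assign Security &
# Compliance Center role groups with Security & Compliance PowerShell from the
# ExchangeOnlineManagement module. Run once beforehand:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
# All user principal names below are constructed placeholders.

Import-Module ExchangeOnlineManagement

# Interactive sign-in to Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# The role groups discussed in the table.
$roleGroupsOfInterest = @(
    'Compliance Administrator',
    'Data Investigator',
    'eDiscovery Manager',
    'Global Reader',
    'Organization Management',
    'Quarantine Administrator',
    'Security Administrator'
)

# Layer 1 (role group) -> layer 2 (roles): show which roles each role group bundles.
function Show-RoleGroupRoles {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $group = Get-RoleGroup -Identity $name
        Write-Host "== $($group.Name) =="
        # Roles is a multivalued property holding role names such as 'View-Only Audit Logs'.
        $group.Roles | Sort-Object | ForEach-Object { Write-Host "   $_" }
    }
}

# Grant access by role group membership rather than by assigning individual roles.
# Adding a user who is already a member raises an error; it is caught and reported.
function Grant-RoleGroupMembership {
    param(
        [Parameter(Mandatory)][string]$RoleGroup,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    try {
        Add-RoleGroupMember -Identity $RoleGroup -Member $UserPrincipalName -ErrorAction Stop
        Write-Host "Added $UserPrincipalName to '$RoleGroup'"
    }
    catch {
        Write-Warning "Could not add $UserPrincipalName to '$RoleGroup': $($_.Exception.Message)"
    }
}

# Review step: who currently holds each role group? One object per role group,
# so the output can be piped to Export-Csv for a periodic access review.
# Note: the Security Administrator role group inherits its membership from the
# Azure AD Security Administrator role, so it commonly shows no direct members
# here; review that membership in the Azure AD admin center instead.
function Get-RoleGroupMembershipReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $members = @(Get-RoleGroupMember -Identity $name | Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            RoleGroup   = $name
            MemberCount = $members.Count
            Members     = ($members -join '; ')
            # Organization Management controls everyone else's permissions in the
            # Security & Compliance Center, so the report marks it for closer scrutiny.
            Sensitive   = ($name -eq 'Organization Management')
        }
    }
}

Show-RoleGroupRoles -Names $roleGroupsOfInterest
Grant-RoleGroupMembership -RoleGroup 'eDiscovery Manager' -UserPrincipalName 'legal.analyst@contoso.example'
Get-RoleGroupMembershipReport -Names $roleGroupsOfInterest | Format-Table -AutoSize

# Disconnect-ExchangeOnline also closes Security & Compliance PowerShell sessions.
Disconnect-ExchangeOnline -Confirm:$false
```

The membership report is the part worth scheduling: run it on a cadence, diff it against the previous run, and treat any unexpected member of Organization Management or eDiscovery Manager as something to investigate, since those groups can respectively change other users' permissions and read mailbox content.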
The last two blogs on permissions in the cloud have shown you the breadth of options at your disposal across the various administrative portals. We typically see organizations leverage both sets of roles: Microsoft 365 roles for the IT administrators who manage specific services, and Microsoft 365 Security/Compliance roles for those who oversee security or legal duties.
A small business will typically give its IT admins elevated rights to all Microsoft services and may never need to touch the Security and Compliance roles. However, as your company grows, more people will need to manage your Microsoft environment. To assist with this, it is a best practice to segment your permissions by splitting service management across multiple people (and keeping your number of Global Admins to a minimum) and by having different users be responsible for compliance work, eDiscovery requests, etc.