We use cookies to improve your experience and optimize user-friendliness. Read our cookie policy for more information on the cookies we use and how to delete or block them. To continue browsing our site, please click accept.

Best Practices and How to Access Office 365 Security and Compliance Center

Welcome back for round two of permissions in Office 365/Microsoft 365. In my last blog, I presented some best practices around Admin roles that can be used to target Microsoft 365 workloads such as Exchange Online, Microsoft Teams or SharePoint Online. In this post, we will specifically talk about how to access Office 365 Security and Compliance Center and a set of new roles that can be used while managing permissions from a tenant security/compliance angle.

The Microsoft 365 Security Center and How to Access

Regarding where to access what, we are currently working with three (three and a half to be more precise) different portals. I will attempt to clarify this for you below.

  • Security and Compliance Center (legacy): This is the legacy Security and Compliance portal. While features are being moved over to newer portals, there are still plenty of options that can be accessed via this site, such as Threat Management (anti-spam, anti-phishing, etc.), Audit Logs and much more.
  • New Security (not entirely done): More functionality will be added over time. A secure score can be found here as well as some classification features, among other things.
  • New Compliance Center (not entirely done): More functionality will be added over time. For now, this portal mainly provides access to Compliance Score and Data Classification (labels). To make things confusing, you also will notice some features are available in both legacy and new portals, but rest assured, configuration changes made in one portal are automatically saved in both portals.
    •  Microsoft Compliance Manager: This is a more robust Compliance tool that can provide detailed information on regulations your organization must follow and allows you to track related activities directly within the portal. Compliance Manager has recently been moved to the New Compliance Center.

Given that the current experience is somewhat disjointed, my recommendation is to bookmark all three portals, start with protection.office.com and go over to the new portals for additional capabilities.

For questions or further assistance with Office 365, please contact a member of Withum’s Digital and Technology Transformation team.

Best Practices to Manage Permissions in the Security and Compliance Center

In the Security and Compliance Center, the permissions are composed of two different layers:

  1. A role group includes a set of multiple permission types that would allow a specific user to perform all their required activities (e.g., Global Reader must be able to View-Only Audit Logs, be a Security Reader, View-Only DLP Compliance Management, etc. to perform an audit).
  2. A role is a specific level of permissions that a user can be granted (e.g., View-Only Audit Logs, View-Only Device Management, etc.).

My recommendation is to first assign users directly into a role group. Once you have done this, each user will be allocated a certain number of responsibilities.

Given the extensive list of roles groups, I have highlighted the most common types you may want to leverage below:

Role group Description
Compliance Administrator Members can manage settings for device management, data loss prevention, reports, and preservation.
Data Investigator Members can perform searches on mailboxes, SharePoint sites, and OneDrive accounts.
eDiscovery Manager Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery.

An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:

  • View all eDiscovery cases in the organization.
  • Manage any eDiscovery case after they add themselves as a member of the case.
Global Reader Members have read-only access to reports, alerts, and can see all the configuration and settings.

The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings.

Organization Management1 Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation.

Users who are not global administrators must be Exchange administrators to see and take action on devices managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM).

Global admins are automatically added as members of this role group.

Quarantine Administrator Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP.
Security Administrator Members have access to several security features of the Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center.

By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory.

To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see  Administrator role permissions in Azure Active Directory. If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.

This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center.

The full list of role groups can be found here.


The last two blogs regarding permissions in the cloud have allowed you to see the breadth of options at your disposal from various administrative portals. We typically see organizations leverage both sets of roles: Office 365 Roles for their IT administrators who oversee managing specific services and Microsoft 365 Security/Compliance roles who oversee Security or Legal duties.

A small business will typically provide elevated rights to all Microsoft services to their IT Admins and may not need to touch the Security and Compliance Roles. However, as your company grows, more people will need to manage your Microsoft environment.  To assist with this, it is a best practice to segment your permissions by splitting service management into multiple people (and keeping your number of Global Admins to a minimum) and by having different users be responsible for Compliance work, eDiscovery requests, etc.

Digital and Technology Transformation

Previous Post
Next Post
Article Sidebar Logo Stay Informed with Withum Subscribe Now


Get news updates and event information from Withum