Welcome back for round two of permissions in Office 365/Microsoft 365. In my last blog, I presented some best practices around admin roles that can be used to target Microsoft 365 workloads such as Exchange Online, Microsoft Teams or SharePoint Online. In this post, we will specifically talk about how to access the Office 365 Security and Compliance Center and about a set of new roles that can be used when managing permissions from a tenant security/compliance angle.
As for where to access what: we are currently working with three different portals (three and a half, to be more precise). I will attempt to clarify this for you below.
Given that the current experience is somewhat disjointed, my recommendation is to bookmark all three portals, start with protection.office.com and go over to the new portals for additional capabilities.
In the Security and Compliance Center, the permissions are composed of two different layers:
My recommendation is to first assign users directly into a role group. Once you have done this, each member of that role group receives the set of permissions the role group carries.
Given the extensive list of role groups, I have highlighted the most common types you may want to leverage below:
| Role group | Description |
|---|---|
| Compliance Administrator | Members can manage settings for device management, data loss prevention, reports, and preservation. |
| Data Investigator | Members can perform searches on mailboxes, SharePoint sites, and OneDrive accounts. |
| eDiscovery Manager | Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can: |
| Global Reader | Members have read-only access to reports and alerts, and can see all the configuration and settings. The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings. |
| Organization Management | Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. Users who are not global administrators must be Exchange administrators to see and take action on devices managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). Global admins are automatically added as members of this role group. |
| Quarantine Administrator | Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP. |
| Security Administrator | Members have access to several security features of the Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Administrator role permissions in Azure Active Directory. If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. This role group includes all of the read-only permissions of the Security Reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. |
The full list of role groups can be found here.
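Because role group membership is the layer you actually assign people to, the first thing a reviewer wants is an inventory of who sits in each Security & Compliance Center role group, with the sensitive groups from the table above called out. The script below is an added example and is not code from the original post or from Microsoft; it uses the `Connect-IPPSSession`, `Get-RoleGroup`, `Get-RoleGroupMember` and `Add-RoleGroupMember` cmdlets from the ExchangeOnlineManagement module, and the user principal names and export path are assumed placeholder values.

```powershell
# Added example (not from the original post): inventory Security & Compliance
# Center role group membership so you can confirm that sensitive role groups
# (Organization Management, eDiscovery Manager, Compliance Administrator, ...)
# contain only the people you expect. Optionally add a user directly to a role
# group, which is the post's recommended way of granting these permissions.
# Requires the ExchangeOnlineManagement module; the UPNs and CSV path below are
# assumed placeholder values.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # assumed placeholder

# Role groups worth reviewing first (names taken from the table in the post).
$watchList = @(
    'Organization Management',
    'Compliance Administrator',
    'eDiscovery Manager',
    'Data Investigator',
    'Security Administrator',
    'Quarantine Administrator',
    'Global Reader'
)

# Build one row per role group: its roles, its members and whether it is on the watch list.
$report = foreach ($rg in Get-RoleGroup) {
    $members = @(Get-RoleGroupMember -Identity $rg.Name)
    [pscustomobject]@{
        RoleGroup   = $rg.Name
        Watched     = $watchList -contains $rg.Name
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object { $_.Name }) -join '; '
        Roles       = (@($rg.Roles) | ForEach-Object { "$_" }) -join '; '
    }
}

# Watched groups first. An empty Security Administrator group is expected, because
# (as the post notes) it inherits its membership from the Azure AD Security
# Administrator role rather than holding members directly.
$report |
    Sort-Object -Property @{ Expression = 'Watched'; Descending = $true }, RoleGroup |
    Format-Table RoleGroup, Watched, MemberCount, Members -AutoSize

# Keep a copy for the next review so membership drift is easy to spot.
$report | Export-Csv -Path '.\scc-rolegroups.csv' -NoTypeInformation   # assumed path

# Direct assignment into a role group (the post's recommendation). Uncomment to
# apply. Note that changes made here affect only the Security & Compliance
# Center, not Exchange Online or Azure AD role membership.
# Add-RoleGroupMember -Identity 'eDiscovery Manager' -Member 'legal.analyst@contoso.example'

Disconnect-ExchangeOnline -Confirm:$false
```

Run this read-only report on a schedule and diff the CSV against the previous run; unexpected members in Organization Management or eDiscovery Manager are the changes most worth following up on, since those groups can alter permissions or read mailbox content across the tenant.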
The last two blogs on permissions in the cloud have shown the breadth of options at your disposal across the various administrative portals. We typically see organizations leverage both sets of roles: Office 365 roles for the IT administrators who manage specific services, and Microsoft 365 Security/Compliance roles for the people who oversee security or legal duties.
A small business will typically grant its IT admins elevated rights to all Microsoft services and may never need to touch the Security and Compliance roles. However, as your company grows, more people will need to manage your Microsoft environment. To support this, it is a best practice to segment your permissions: split service management across multiple people (while keeping the number of Global Admins to a minimum), and make different users responsible for compliance work, eDiscovery requests, and so on.