Tuesday 13 August 2019

Roles in O365

About admin roles

Your subscription comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the admin centers. For more information, see Assign admin roles.

Things to consider...

Because admins have access to sensitive data and files, we recommend that you follow these guidelines to keep your organization's data more secure.
Recommendation: Have 2 to 4 global admins
Why is this important? Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins, because that's a security threat.

Recommendation: Assign the least permissive role
Why is this important? Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords, you shouldn't assign the unlimited global admin role; you should assign a limited admin role, like Password admin or Helpdesk admin. This will help keep your data secure.

Recommendation: Require multi-factor authentication for admins
Why is this important? It's actually a good idea to require MFA for all of your users, but admins should definitely be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are. Admins can have access to a lot of customer and employee data, and if you require MFA, even if the admin's password gets compromised, the password is useless without the second form of identification.

When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery. For setup steps, see Set up multi-factor authentication.
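The two recommendations above (2 to 4 Global admins, and MFA for every admin) can be checked from the tenant rather than taken on trust. The script below is an added example, not code from the original post or from Microsoft's documentation; it assumes the AzureAD and MSOnline PowerShell modules are installed and that the signed-in account can read directory roles and users. Note that the AzureAD module displays the Global admin role under its legacy name "Company Administrator".

```powershell
# Added example: audit Global admin count and per-admin MFA registration.
# Assumes the AzureAD and MSOnline modules and a read-capable admin session.
Import-Module AzureAD
Import-Module MSOnline
Connect-AzureAD | Out-Null
Connect-MsolService

# The Global admin role is named "Company Administrator" in the AzureAD module.
$globalAdminRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Company Administrator' }
$globalAdmins = Get-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' }

# Recommendation 1: between 2 and 4 Global admins.
$count = @($globalAdmins).Count
if ($count -lt 2) {
    Write-Warning "Only $count Global admin(s): nobody else can reset a locked-out Global admin's password."
} elseif ($count -gt 4) {
    Write-Warning "$count Global admins: above the recommended maximum of 4."
} else {
    Write-Host "Global admin count ($count) is within the recommended 2 to 4."
}

# Recommendation 2: every Global admin has MFA.
# StrongAuthenticationMethods is empty for a user who never registered a second
# factor. StrongAuthenticationRequirements reflects the per-user MFA setting only;
# MFA enforced through Conditional Access does not appear here.
foreach ($admin in $globalAdmins) {
    $msolUser = Get-MsolUser -UserPrincipalName $admin.UserPrincipalName
    $methods  = @($msolUser.StrongAuthenticationMethods)
    $state    = ($msolUser.StrongAuthenticationRequirements | Select-Object -First 1).State
    if ($methods.Count -eq 0) {
        Write-Warning "$($admin.UserPrincipalName): no MFA method registered."
    } else {
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType
        Write-Host "$($admin.UserPrincipalName): MFA registered (default: $default; per-user state: $state)"
    }
}
```

Run it on a schedule and treat any warning as a finding: a single Global admin is a lockout risk, more than four widens the blast radius of one compromised password, and an admin with no registered MFA method cannot be protected by per-user MFA at all.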

What's the least-permissive role?

The least permissive role means that you give a user only the access they need to do a task. Giving a user too many permissions can be a security risk.
For a list of the least permissive roles by task, see Least permissive role.

Need more details about what these roles can and cannot do?

In the Microsoft 365 admin center, go to Roles > Roles, and then select any role to open its detail pane. Select the Permissions tab to view the detailed list of what admins assigned that role have permission to do.
You can also view the brief descriptions later in this article: Roles available in the Microsoft 365 admin center.
If you don’t have access to the Microsoft 365 admin center, or if you’re looking for detailed information, including the cmdlets associated with a role, see Administrator role permissions in Azure Active Directory.

What about the Azure Active Directory roles?

The Azure portal has more roles than are available in the Microsoft 365 admin center. If you have a large business, there might be roles in the Azure portal that meet your organizational needs.
For a list and description of all the Azure Active Directory roles, see Administrator role permissions in Azure Active Directory.
A user who is assigned an admin role will have the same level of access to cloud services that your organization has subscribed to, regardless of whether you assign the role in the Microsoft 365 admin center or the Azure portal, or by using the Azure AD module for Windows PowerShell.
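Because an assignment made through the Azure AD PowerShell module grants exactly the same access as one made in a portal, it is a convenient place to enforce the least-permissive-role rule from earlier in the article: grant Password admin rather than Global admin to someone who only needs to reset passwords. The script below is an added example, not code from the original post or from Microsoft's documentation; it assumes the AzureAD module, and the user principal name is a placeholder.

```powershell
# Added example: assign the least permissive role (Password admin) instead of
# Global admin. Assumes the AzureAD module; the UPN below is a placeholder.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn      = 'helpdesk.user@example.com'   # placeholder account
$roleName = 'Password Administrator'      # not 'Company Administrator' (Global admin)

$user = Get-AzureADUser -ObjectId $upn

# A directory role is only listed by Get-AzureADDirectoryRole once it has been
# activated in the tenant; activate it from its template the first time.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotent assignment: skip if the user already holds the role.
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
if ($alreadyMember) {
    Write-Host "$upn already holds $roleName."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Assigned $roleName to $upn."
}

# Least privilege also means not holding the broad role alongside the narrow one.
$globalAdminRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Company Administrator' }
$isGlobalAdmin = Get-AzureADDirectoryRoleMember -ObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
if ($isGlobalAdmin) {
    Write-Warning "$upn is also a Global admin; that assignment makes $roleName redundant and should be reviewed."
}
```

The same pattern applies to Helpdesk admin ("Helpdesk Administrator" in the module) when the person also needs to force sign-outs or work service requests.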

Roles available in the Microsoft 365 admin center

The Microsoft 365 admin center lets you manage over 30 Azure AD roles. However, these roles are a subset of the roles available in the Azure portal.
You'll probably only need to assign the following roles in your organization.
Admin role / Who should be assigned this role?

Global admin
Assign the Global admin role to users who need global access to most management features and data across Microsoft online services.
Giving too many users global access is a security risk, and we recommend that you have between 2 and 4 Global admins.
Only global admins can:
- Reset passwords for all users
- Add and manage domains
Note: The person who signed up for Microsoft online services automatically becomes a Global admin.

Billing admin
Assign the Billing admin role to users who need to do the following:
- Purchase subscriptions and licences
- Upgrade subscriptions
- Pay for services
- Receive email notifications for invoices
- Manage service requests
- Monitor service health

Helpdesk admin
Assign the Helpdesk admin role to users who need to do the following:
- Reset passwords
- Force users to sign out
- Manage service requests
- Monitor service health
Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.

License admin
Assign the License admin role to users who need to do the following:
- Manage licenses assigned to users
- Manage licenses assigned to groups using group-based licensing
- Edit usage location for users
Note: This role doesn't give permission to purchase or manage subscriptions, add or manage groups, or edit user properties, except for usage location.

Password admin
Assign the Password admin role to users who need to do the following:
- Reset passwords
Note: Password admins can only reset passwords for non-admin users and users assigned these roles: Directory reader, Guest inviter, and Password admin.

Reports reader
Assign the Reports reader role to users who need to do the following:
- View usage data and activity reports
- Access the Power BI adoption content pack
- View sign-in reports and activity
- View data returned by the Microsoft Graph reporting API

User admin
Assign the User admin role to users who need to do the following for all users:
- Add users and groups
- Assign licenses
- Manage most user properties
- Create and manage user views
- Update password expiration policies
- Manage service requests
- Monitor service health
The User admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:
- Manage usernames
- Delete and restore users
- Reset passwords
- Force users to sign out
- Update (FIDO) device keys
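The notes on the Helpdesk admin, Password admin and User admin rows all express the same scoping rule: these delegated roles can act on non-admins and on members of a short list of low-privilege roles, and on nobody else. Before handing out Helpdesk admin it is worth knowing which accounts fall outside that scope, since their password resets will still land on a Global admin. The script below is an added example, not code from the original post or from Microsoft's documentation; it assumes the AzureAD module and uses that module's role display names for the list in the Helpdesk admin note.

```powershell
# Added example: list role-holding users whose passwords a Helpdesk admin cannot
# reset, because they hold a role outside the set the Helpdesk admin may serve.
# Assumes the AzureAD module and read access to directory roles.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Roles a Helpdesk admin may act on (in addition to non-admin users), using the
# AzureAD module's display names for the roles named in the note above.
$helpdeskCanServe = @(
    'Directory Readers', 'Guest Inviter', 'Helpdesk Administrator',
    'Message Center Reader', 'Reports Reader'
)

# Build a map of user principal name -> list of activated roles held.
$rolesByUser = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($member.ObjectType -ne 'User') { continue }   # skip service principals
        $upn = $member.UserPrincipalName
        if (-not $rolesByUser.ContainsKey($upn)) { $rolesByUser[$upn] = @() }
        $rolesByUser[$upn] += $role.DisplayName
    }
}

# A user is out of Helpdesk admin scope if any held role is outside the allowed set.
$outOfScope = $rolesByUser.GetEnumerator() | Where-Object {
    @($_.Value | Where-Object { $helpdeskCanServe -notcontains $_ }).Count -gt 0
} | Sort-Object Key

Write-Host "Accounts a Helpdesk admin cannot reset (only a Global admin can reset passwords for all users):"
foreach ($entry in $outOfScope) {
    Write-Host ("  {0}: {1}" -f $entry.Key, ($entry.Value -join ', '))
}
Write-Host ("{0} of {1} role-holding users are out of Helpdesk admin scope." -f @($outOfScope).Count, $rolesByUser.Count)
```

Swapping the allowed list for Directory Readers, Guest Inviter and Password Administrator turns the same script into the equivalent check for the Password admin role.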

All roles

Here's a list of all the roles available in the Microsoft 365 admin center.
Role: Description

Application admin: Full access to enterprise applications, application registrations, and application proxy settings.
Application developer: Create application registrations and consent to app access on their own behalf.
Authentication admin: Can require users to re-register authentication for non-password credentials, like MFA.
Azure Information Protection admin: Manages labels for the Azure Information Protection policy, manages protection templates, and activates protection.
Billing admin: Makes purchases, manages subscriptions, manages service requests, and monitors service health.
Cloud application admin: Full access to enterprise applications and application registrations. No application proxy.
Cloud device admin: Enables, disables, and deletes devices and can read Windows 10 BitLocker keys.
Compliance admin: Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.
Conditional Access admin: Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.
Customer Lockbox access approver: Manages Customer Lockbox requests, can turn Customer Lockbox on or off.
Desktop Analytics admin: Can access and manage Desktop management tools and services.
Dynamics 365 admin: Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.
Exchange admin: Full access to Exchange Online, creates and manages groups, manages service requests, and monitors service health.
External identity provider admin: Configure identity providers for use in direct federation.
Global admin: Has unlimited access to all management features and most data in all admin centers.
Guest inviter: Manages Azure Active Directory B2B guest user invitations.
Helpdesk admin: Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.
Kaizala admin: Full access to all Kaizala management features and data, manages service requests.
License admin: Assigns and removes licenses from users and edits their usage location.
Message center privacy reader: Access to data privacy messages in Message Center, gets email notifications.
Message center reader: Reads and shares regular messages in Message Center, monitors service health, gets weekly email digests.
Password admin: Resets passwords for non-admin users, Directory readers, Guest inviters, and Password admins.
Privileged role admin: Manages role assignments and all access control features of Privileged Identity Management.
Reports reader: Reads usage reporting data from the reports dashboard, Power BI adoption content pack, sign-in reports, and Microsoft Graph reporting API.
Search admin: Full access to Microsoft Search, assigns the Search admin and Search editor roles, manages editorial content, monitors service health, and creates service requests.
Search editor: Can only create, edit, and delete content for Microsoft Search, like bookmarks, Q&A, and locations.
Security admin: Controls the organization's security, manages security policies, reviews security analytics and reports, monitors the threat landscape.
Service admin: Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.
Skype for Business admin: Full access to all Teams and Skype features, Skype user attributes, manages service requests, and monitors service health.
SharePoint admin: Full access to SharePoint Online, manages Office 365 groups, manages service requests, and monitors service health.
Teams admin: Full access to Teams & Skype admin center, manages Office 365 groups and service requests, and monitors service health.
Teams communication manager: Assigns telephone numbers, creates and manages voice and meeting policies, and reads call analytics.
Teams communication support engineer: Reads call record details for all call participants to troubleshoot communication issues.
Teams communication support specialist: Reads user call details only for a specific user to troubleshoot communication issues.
User admin: Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.
