Plan User Roles
Below are the admin roles available in Azure AD. We can plan to assign these roles to the users who manage the Microsoft 365 services.
To manage User Settings
In the Azure Portal, navigate to Azure AD -> User Settings to manage the options below:
- Plan the Enterprise Application settings required for your organization
- Decide whether to restrict access to the Azure AD Administration Portal
- Allow or restrict users from registering applications on their own
- Manage the External Collaboration Settings
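The settings above can also be read programmatically, which makes it easy to compare a tenant against the plan before anything is changed. The following is an added example written for this page, not code from the original; it assumes the Microsoft Graph PowerShell module (Microsoft.Graph) is installed and that the signed-in account holds the Policy.Read.All permission.

```powershell
# Added example: read the tenant-level user settings through Microsoft Graph PowerShell
# and flag the permissive values. Assumes the Microsoft.Graph module and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# /policies/authorizationPolicy is a singleton; Select-Object guards against module
# builds that return it wrapped in an array.
$authz = Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
$perm  = $authz.DefaultUserRolePermissions

$checks = @(
    [pscustomobject]@{
        Setting    = "Users can register applications"
        Value      = $perm.AllowedToCreateApps
        Permissive = ($perm.AllowedToCreateApps -eq $true)
    }
    [pscustomobject]@{
        Setting    = "Users can create security groups"
        Value      = $perm.AllowedToCreateSecurityGroups
        Permissive = ($perm.AllowedToCreateSecurityGroups -eq $true)
    }
    [pscustomobject]@{
        Setting    = "Who can invite guests (external collaboration)"
        Value      = $authz.AllowInvitesFrom
        Permissive = ($authz.AllowInvitesFrom -eq "everyone")
    }
    [pscustomobject]@{
        Setting    = "Legacy MSOnline PowerShell blocked for users"
        Value      = $authz.BlockMsolPowerShell
        Permissive = ($authz.BlockMsolPowerShell -ne $true)
    }
)

# The "Restrict access to Azure AD administration portal" toggle is not part of the
# authorizationPolicy object, so it is reviewed in the portal rather than here.
$checks | Format-Table -AutoSize
```

The Permissive column is the planning aid: a `True` there means the tenant is more open than a least-privilege baseline, and the corresponding decision from the list above still has to be made and applied.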
Allocate Roles in workloads
By default, the Tenant Admin (Global Admin) has full access to all Microsoft 365 workloads. In addition, a Global Admin can designate other users as administrators of specific Microsoft 365 workloads such as Exchange Online (EXO) and SharePoint Online (SPO).
Below are the roles available in Exchange Online; its RBAC model lets us define granular permissions based on our requirements.
Skype for Business and Microsoft Teams
Below are the default admin roles available for Skype for Business and Microsoft Teams.
SharePoint and OneDrive
SharePoint Online and OneDrive for Business have only one default admin role, SharePoint Administrator. For more granular control we can make particular users Site Collection Administrators on individual sites.
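Site Collection Administrator is the practical way to delegate SharePoint work without granting the tenant-wide SharePoint Administrator role. The following is an added example written for this page, not code from the original; it assumes the SharePoint Online Management Shell module (Microsoft.Online.SharePoint.PowerShell) and uses placeholder tenant, site and account names.

```powershell
# Added example: delegate one site to a named admin and audit site collection admins tenant-wide.
# Assumes the SharePoint Online Management Shell; "contoso" and the accounts are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteUrl  = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site
$delegate = "alex.admin@contoso.example"                    # placeholder account

# Grant site collection admin on this one site only, instead of the tenant-wide SharePoint Administrator role
Set-SPOUser -Site $siteUrl -LoginName $delegate -IsSiteCollectionAdmin $true

# Review: which accounts hold site collection admin on every site in the tenant
$report = Get-SPOSite -Limit All | ForEach-Object {
    $site = $_
    Get-SPOUser -Site $site.Url -Limit All |
        Where-Object { $_.IsSiteAdmin } |
        ForEach-Object {
            [pscustomobject]@{ Site = $site.Url; Admin = $_.LoginName }
        }
}

# Sites with many admins are where delegation has drifted and an access review is due
$report | Group-Object Site | Sort-Object Count -Descending |
    Select-Object @{ Name = 'Site'; Expression = { $_.Name } }, Count,
                  @{ Name = 'Admins'; Expression = { ($_.Group.Admin | Sort-Object) -join ', ' } }
```

The review loop calls Get-SPOUser once per site, so on a large tenant it is slow; run it as a scheduled job and keep the output alongside the access reviews planned for the role groups.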
Configure Administrative Accounts:
The administrative accounts in Azure AD listed below can be delegated to the respective service administrators.
The following steps can be configured to protect and monitor administrative accounts:
- Configure MFA to protect those accounts
- Configure Conditional Access Policy to allow the administrator account usage only from Corporate Network
- Configure Access Reviews for the Administrative Role Groups
- Configure Identity Protection for Administrative Accounts
- Use PIM (Privileged Identity Management) to elevate permissions temporarily
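The first two steps above (MFA for admins, admin sign-ins only from the corporate network) are both Conditional Access policies scoped to directory roles rather than to named users, so they keep applying as people move in and out of the roles. The following is an added example written for this page, not code from the original; it assumes the Microsoft.Graph PowerShell module, the Policy.ReadWrite.ConditionalAccess and Directory.Read.All permissions, named locations already marked as trusted in the tenant, and a placeholder break-glass account.

```powershell
# Added example: protect holders of admin roles with two Conditional Access policies,
# both created in report-only mode so the sign-in log shows their effect before enforcement.
# Assumes Microsoft.Graph; role names match the portal; the break-glass account is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Roles to protect. Template IDs are resolved by name instead of hard-coded.
$roleNames = @("Global Administrator", "Security Administrator", "User Administrator",
               "Exchange Administrator", "SharePoint Administrator")
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) {
    throw "Resolved $($roleIds.Count) of $($roleNames.Count) role templates; check the role names."
}

# Excluded emergency-access account so a policy mistake cannot lock every admin out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"   # placeholder, replace with yours

$adminUsers = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.Id) }
$allApps    = @{ includeApplications = @("All") }

# Policy 1: require MFA whenever a privileged role holder signs in to any cloud app.
$mfaPolicy = @{
    displayName   = "Admins - require MFA (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{ users = $adminUsers; applications = $allApps; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block privileged role holders outside the trusted (corporate) named locations.
$locationPolicy = @{
    displayName   = "Admins - block outside trusted locations (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $adminUsers
        applications   = $allApps
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaPolicy, $locationPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} [{2}]" -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode until the sign-in logs show no unexpected admin sign-ins being caught, then switch `state` to `enabled`. Access reviews, Identity Protection and PIM eligibility (the remaining steps) are configured separately and are not created by this script.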
Configure RBAC within Azure AD
Delegate admin rights
Manage admin roles
To assign an Azure AD role, open the user's properties and assign the admin roles above based on the service that the user manages.
To view the sign-in logs, the user has to be a member of the Security Administrator, User Administrator and Compliance Management roles.
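Assigning a role from the user's properties is fine for a single change, but the assignment should also be reviewable: who holds the role, and at what scope. The following is an added example written for this page, not code from the original; it assumes the Microsoft.Graph PowerShell module, the RoleManagement.ReadWrite.Directory and User.Read.All permissions, and a placeholder account name.

```powershell
# Added example: assign a service-specific Azure AD admin role with Microsoft Graph PowerShell,
# then list every principal that currently holds it. Assumes Microsoft.Graph; the UPN is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$targetUpn = "alex.admin@contoso.example"   # placeholder account
$roleName  = "Exchange Administrator"       # the workload role, not Global Administrator

$user    = Get-MgUser -UserId $targetUpn
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role definition '$roleName' not found." }

# Scope "/" is the whole tenant; an administrative unit id can be used instead to narrow the scope.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" | Out-Null

# Review: every assignment of this role, resolved to the principal (user, group or service principal).
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'"
$principals  = Get-MgDirectoryObjectById -Ids @($assignments.PrincipalId)

$principals | ForEach-Object {
    [pscustomobject]@{
        Role      = $roleName
        Principal = $_.AdditionalProperties['displayName']
        Type      = $_.AdditionalProperties['@odata.type']
        Id        = $_.Id
    }
} | Format-Table -AutoSize
```

Run the review part on its own for each role in the plan; principals of type `#microsoft.graph.servicePrincipal` or groups holding an admin role are the ones most often missed when roles are only ever assigned through the user properties page.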
Manage role allocations by using Azure AD
Plan security and compliance roles for Microsoft 365
Security and Compliance
The default role groups below are available in Security and Compliance. We can customize these based on our requirements using the 29 available roles.
- Reviewer: Members can use a limited set of the analysis features in Office 365 Advanced eDiscovery, and can see only the documents that are assigned to them.
- Records Management: Members of this management role group have permissions to manage and dispose of record content.
- Security Administrator: Members have the Security Reader permissions plus DLP Compliance Management, Device Management and Audit Logs.
- Organization Management: Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group should not be deleted.
- Supervisory Review: Members can control policies and permissions for reviewing employee communications.
- Compliance Administrator: Members can manage settings for device management, data loss prevention, reports, and preservation.
- Security Reader: Members can view alerts, view DLP Compliance Management, view Device Management, and have the Security Reader role.
- eDiscovery Manager: Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
- Service Assurance User: Members can review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization.
- Mail Flow Administrator: Members have the View-Only Recipients role assigned.
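The role groups above, and the Exchange Online RBAC role groups mentioned earlier, are managed with the same cmdlets: Get-RoleGroup shows which of the 29 roles each group bundles, and custom groups are built when no default group is narrow enough. The following is an added example written for this page, not code from the original; it assumes the ExchangeOnlineManagement module, Security & Compliance PowerShell (Connect-IPPSSession; use Connect-ExchangeOnline for the Exchange Online role groups instead), and placeholder account names.

```powershell
# Added example: inventory, review and delegate Security & Compliance role groups.
# Assumes the ExchangeOnlineManagement module; accounts and the custom group are placeholders.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"

# 1. Inventory the default role groups and the roles each one bundles
Get-RoleGroup | Sort-Object Name |
    Select-Object Name, @{ Name = 'Roles'; Expression = { ($_.Roles | Sort-Object) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# 2. Review membership of a high-impact group before changing anything
Get-RoleGroupMember -Identity "Organization Management" | Select-Object Name, RecipientType

# 3. Delegate a scoped task: eDiscovery searches and holds, nothing more
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member "alex.reviewer@contoso.example"

# 4. Build a custom role group when no default group fits (here: read the audit log only)
New-RoleGroup -Name "Audit Log Readers" `
    -Roles "View-Only Audit Logs" `
    -Members "alex.reviewer@contoso.example" `
    -Description "Read-only access to the unified audit log"

# 5. Confirm the custom group carries exactly the intended roles
(Get-RoleGroup -Identity "Audit Log Readers").Roles
```

Step 1's output is the input to the customization decision: if a default group bundles more roles than a task needs (Security Administrator includes Audit Logs, for example), a custom group like the one in step 4 keeps the grant to the single role required.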