MS-100 Manage User Roles

May 31st, 2019 | Posted by admin in Exchange

Plan User Roles

Below are the admin roles available in Azure AD. We can plan to designate the roles to user who manage the Microsoft 365 Services.


To manage User Settings

From the Azure AD Portal, navigate to Azure Portal -> Azure AD -> User Settings to manage the below options


Plan the Enterprise Application settings required for your organization


Are you going to restrict access to Azure AD Administration Portal?


Allow \ Restrict users to register an application on their own


Manage external Collaboration Setting


Allocate Roles in workloads

By default, Tenant admin \ Global Admin will have full access to all the Microsoft 365 workloads. In addition, Global Admin can designate other users as administrators on specific Microsoft 365 workloads like EXO and SPO

Exchange Online

Below are Roles Available in Exchange Online, we have the RBAC option to define granular permission based on our requirement.


Skype for Business and Microsoft Teams

Below are the default admin roles available for Skype for Business and Microsoft Teams


SharePoint and OneDrive

SharePoint Online and OneDrive for Business Administrator has only one default admin role – SharePoint Administrator. To give granular control we can assign the particular users are Site Collection Administrators.

Configure Administrative Accounts:

We know the below administrative accounts in Azure AD and this can be delegated to respective service administrator.


We can configure below steps to monitor administrative accounts.

  • Configure MFA to protect those accounts
  • Configure Conditional Access Policy to allow the administrator account usage only from Corporate Network
  • Configure Access Reviews for the Administrative Role Groups
  • Configure Identity Protection for Administrative Accounts
  • Use PIM to elevate the permission temporary

Configure RBAC within Azure AD


Delegate admin rights

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-concept-delegation

Manage admin roles


To assign an Azure AD Role,

Open the User properties and assign the above admin roles based on the service that he is managing.

To view the sign in logs, user has to be member of Security Administrator, User Administrator and Compliance Management Role.

Manage role allocations by using Azure AD

Plan security and compliance roles for Microsoft 365

Security and Compliance

We have the below Default Roles Groups available in Security and Compliance. We can customize this based on our requirement with 29 Roles.

  • Reviewer: Use a limited set of the analysis features in Office 365 Advanced eDiscovery. Members of this group can see only the documents that are assigned to them
  • Records Management: Members of this management role group have permissions to manage and dispose record content.
  • Security Administrator: Members has permission like Security Reader + DLP Compliance Management, Device Management and Audit Logs
  • Organization Management: Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group should not be deleted.
  • Supervisory Review: Members can Control policies and permissions for reviewing employee communications.
  • Compliance Administrator: Members can manage settings for device management, data loss prevention, reports, and preservation.
  • Security Reader: Members can View the Alerts, View DLP Compliance Management, View Device Management and Security Reader
  • eDiscovery Manager: Members can Perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations
  • Service Assurance User: Members can review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization
  • Mail Flow Administrator: View Only Recipient Role Assigned

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Leave a Reply