Planning and Allocating Roles
Delegating and Managing Access
Planning Security and Compliance Roles
The course is part of this learning path
This Managing Azure AD User Roles course will teach you how to plan user roles in Microsoft 365 and how to allocate roles in workloads. You will learn how to configure administrative accounts and how to configure RBAC within Azure AD. You'll also learn how to delegate and manage admin roles.
Later in the course, you will learn how to manage role allocations by using Azure AD and how to plan security and compliance roles for Microsoft 365.
- Plan and Allocate User Roles
- Configure Role-Based Access (RBAC)
- Delegate and Manage Admin Access
- Plan Security and Compliance Roles
- IT professionals who are interested in obtaining Microsoft 365 certification
- Those tasked with configuring and managing Office 365 access
- A moderate understanding of Microsoft 365 and of Azure AD
When planning Security and Compliance roles in Microsoft 365, it's important to consider the jobs that your Security and Compliance admins will be performing. This is important because there are many different role groups that are available in the Security and Compliance Center and different roles are assigned to each role group. This produces a really granular permission structure. The table that you see on your screen shows the default role groups that are available in the Security and Compliance Center along with descriptions of what each role group does.
As you can see on your screen, the compliance administrator role group manages settings for device management, data loss prevention, reports, and preservation. While the compliance DATA administrator manages settings for device management, data protection, data loss prevention, reports, and preservation. Data investigators can perform searches on mailboxes, SharePoint Online sites, and on OneDrive for Business locations.
The eDiscovery manager can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. The eDiscovery manager can also create and manage eDiscovery cases. MailFlow administrators can monitor and view MailFlow insights and reports in the Security and Compliance Center. If the MailFlow administrator isn't also a member of the Exchange admin group however, the MailFlow administrator won't have access to Exchange admin related tasks. Members of the organization management role can control permissions for accessing features in the Security and Compliance Center. They can manage settings for device management, data loss prevention, reports, and preservation.
It's important to note that Office 365 global admins are automatically added to the organization management role group. Records management role group members can manage and dispose record content while reviewers can only view the list of cases on the eDiscovery cases page in the Security and Compliance Center. Reviewers cannot create, open, or manage eDiscovery cases.
The main purpose of a reviewer is essentially to allow members to view and access case data in Advanced eDiscovery. It's important to note that the reviewer has the most restrictive eDiscovery related permissions. Security administrators by default are not assigned any roles. They have the same read-only permissions as the security reader role, plus several other administrative permissions. Security operators can manage security alerts and view reports and settings of security features while security readers have read-only access to several security features of Identity Protection Center and Privileged Identity Management. Membership in this particular role is synchronized across services and it's managed centrally.
Service assurance users can access the service assurance section in the Office 365 Security and Compliance Center while supervisory review members can create and manage policies that define which communications are subject to review in an organization. So as you can probably tell by now, access in the Security and Compliance Center is pretty granular. As such, it's important to plan out which users will need to perform which tasks when planning out Security and Compliance roles for Microsoft 365.
About the Author
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.