Microsoft 365 administrators have various roles and tasks that they need to manage to ensure that the organization runs smoothly.
\nAuthorization concepts that are familiar from the on-premise world cannot be replicated 1:1 in the Microsoft Cloud. In order to ensure data security, several steps need to be implemented.
\nThese are as follows:<\/p>\n
<\/p>\n
With the Privileged Identity Management (PIM) function, Microsoft 365 offers the option of assigning predefined administrator rights to time-limited and only explicitly authorized persons.
\nIn order for such roles to be assigned to the corresponding users, these users must fulfil corresponding requirements. These include a multifactor authentication (MFA) obligation, authorization for the corresponding PIM role, etc.
\nUsers who have PIM authorization should only be able to request this for higher-level, non-daily work. The aim is for the individual departments to be self-managed or managed by so-called delegates.<\/p>\n
<\/p>\n
From a technical perspective, each department of a company is assigned to so-called administrative units (AU). This action can be used to define users who explicitly have administrative authorizations for this dedicated AU only. As certain areas are not only managed by the corresponding AU, users of the Delegated Administrators can also be assigned to several AUs.
\nAuthorizations for the respective AUs can be assigned and removed in several ways. The following options are currently available:<\/p>\n
<\/p>\n
AUs also support the following compliance solutions:<\/p>\n
<\/p>\n
Whenever possible, new SharePoint online (SPO) sites should be created by Microsoft Teams. This has several advantages, such as the optional availability of the SPO site in Microsoft Teams. Furthermore, you can decide what kind of site (In Teams: Team) should be created.<\/p>\n
The following options are available:<\/p>\n
*1)<\/strong><\/span> In order for shared channels to be used, a two-sided trust position is required for each customer\/partner, which is configured by Azure B2B.<\/p>\n <\/p>\n Labelling is basically used to ensure that confidential documents are not leaked. This can be defined internally and externally, but also at departmental level (e.g. finance, HR, management, police, etc.). There are various application options for labels, which allow customers to design and use them individually. <\/p>\n When implementing AUs, dedicated custom DLPs can be created which are focussed on the respective AU and its users. <\/p>\n In the authorization concept for the Canton of Aargau, only the role of Global Administrator (GA) is to be provided via PIM. A group of administrators is defined by the customer, who can apply for the corresponding GA role. PIM also offers other administrator roles, but we recommend that these are not managed via PIM but via the AUs. The length of GA access via PIM should be limited to a maximum of 4 hours so that administrators do not work with the highest authorization level for longer than necessary.<\/p>\n <\/p>\n The authorization concept described is aimed at Entra ID and Microsoft 365 apps and services. Here too, the authorization can be defined and assigned using several levels.<\/p>\n <\/p>\n A dedicated authorization matrix makes sense, especially in connection with administrative units. Dedicated support teams can be set up depending on the area (country location, department, division, etc.). These units can then be divided more granularly and the corresponding authorizations controlled. It is recommended that there is a superordinate IT department that is responsible for the management and administration of the respective administrative units.<\/p>\n Authentication Admin (AU Level)<\/p>\n Cloud Device Admin (AU Level)<\/p>\n User Admin (AU Level)<\/p>\n Guest Inviter<\/td>\n Mail-Forwarding (Custom RBAC Role)<\/td>\n Teams Administrator (AU Level)<\/p>\n Teams Device Administrator (AU Level)<\/td>\n <\/p>\n Authentication Admin<\/p>\n Cloud Device Admin<\/p>\n User Admin<\/p>\n Guest Inviter Knowledge Admin<\/p>\n Directory Readers<\/p>\n Report Readers<\/p>\n Application Admin<\/p>\n Groups Admin<\/p>\n License Admin<\/td>\n Seurity Operator<\/td>\n Power Platform Administrator<\/td>\n Teams Device Administrator<\/p>\n Teams Administrator<\/td>\n User Administrator<\/p>\n Global Reader<\/td>\n License Administrator<\/p>\n Authentication Administrator<\/td>\n Power Platform Administrator<\/td>\n Privileged Role Administrator<\/p>\n Global Reader<\/p>\n Conditional Access Administrator<\/p>\n Cloud Application Administrator<\/p>\n Identity Governance Administrator<\/td>\n Insider Risk Management Administrator<\/td>\n Identity Governance Administrator<\/td>\n Customer Lockbox Access Approver<\/td>\n Billing Administrator<\/p>\n Guest Inviter<\/td>\n <\/p>\n This matrix is intended as an illustrative example<\/strong>; it can of course be adapted and\/or expanded depending on the requirements of your own company.<\/p>\n <\/p>\n Microsoft 365 administrators have various roles and tasks that they need to manage to ensure that the organization runs smoothly. Authorization concepts that are familiar from the on-premise world cannot be replicated 1:1 in the Microsoft Cloud. In order to ensure data security, several steps need to be implemented. These are as follows: PIM: […]<\/p>\n","protected":false},"author":1,"featured_media":5527,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[685,12,1923],"tags":[],"class_list":["post-5495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-azure","category-microsoft-365"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5495"}],"version-history":[{"count":12,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5495\/revisions"}],"predecessor-version":[{"id":5542,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5495\/revisions\/5542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/media\/5527"}],"wp:attachment":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Data Classification<\/h3>\n
\nAs a further example, labels can also be used to ensure that documents classified with the “Internal” label in this example cannot be sent by e-mail to external recipients.<\/p>\nDLP<\/h3>\n
\nThese DLP policies can be created and applied separately for each AU or individually.<\/p>\nPIM roles<\/h3>\n
\nThis ensures that administrators cannot assign roles to each other for no reason.<\/p>\nAzure Subscriptions<\/h3>\n
\nAzure services such as Azure Speech services or storage accounts are not managed by Microsoft 365. These are Azure services.
\nAzure Services can be managed in the following two ways:<\/p>\n\n
Authorization matrix as a basis for decision-making<\/h3>\n
\n\n
\n Location<\/strong><\/td>\n Role<\/strong><\/td>\n Entra ID<\/strong><\/td>\n Purview<\/strong><\/td>\n Defender<\/strong><\/td>\n EXO<\/strong><\/td>\n SPO<\/strong><\/td>\n Power Platform<\/strong><\/td>\n Teams<\/strong><\/td>\n M365 Apps<\/strong><\/td>\n Intune<\/strong><\/td>\n Viva<\/strong><\/td>\n PIM (Global Admin)<\/strong><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n Default End User<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n Environment Maker<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n Power User<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n Environment Maker<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n Guest User<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n 1st<\/sup> Level Support<\/td>\n Message Center Reader<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n Environment Maker<\/td>\n N\/V<\/td>\n <\/td>\n Read only Operator<\/td>\n <\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n 2nd<\/sup> Level Support<\/td>\n Message Center Reader<\/p>\n N\/V<\/td>\n N\/V<\/td>\n View-Only MGMT<\/p>\n N\/V<\/td>\n Environment Admin<\/td>\n Teams Communication Support Specialist<\/p>\n Company-specific authorization definition<\/span><\/td>\n Read Only Operator<\/td>\n Company-specific authorization definition<\/span><\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Department<\/strong><\/td>\n Application Manager<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n <\/td>\n N\/V<\/td>\n <\/td>\n NO<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\n\n
\n Location<\/strong><\/td>\n Role<\/strong><\/td>\n Entra ID<\/strong><\/td>\n Purview<\/strong><\/td>\n Defender<\/strong><\/td>\n EXO<\/strong><\/td>\n SPO<\/strong><\/td>\n Power Platform<\/strong><\/td>\n Teams<\/strong><\/td>\n M365 Apps<\/strong><\/td>\n Intune<\/strong><\/td>\n Viva<\/strong><\/td>\n PIM (Global Admins)<\/strong><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n 3rd<\/sup> Level Support<\/td>\n Message Center Reader<\/p>\n
\nHelpdesk Admin<\/p>\nN\/V<\/td>\n Quarantine Admin<\/p>\n Exchange Administrator<\/td>\n SharePoint Administrator<\/td>\n Environment Admin<\/p>\n Teams Communication Support Engineer<\/p>\n Company-specific authorization definition<\/span><\/td>\n Intune Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Lead Engineer<\/td>\n 3rd<\/sup> Level Supporter +<\/span><\/strong><\/p>\n Compliance Administrator<\/td>\n Security Operator<\/td>\n Exchange Administrator<\/td>\n SharePoint Administrator<\/td>\n Power Platform Administrator<\/td>\n Teams Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n Intune Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n YES<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Architect<\/td>\n Message Center Reader<\/p>\n N\/V<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/p>\n Security Reader<\/td>\n Company-specific authorization definition<\/span><\/td>\n Intune Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n YES<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n CSO<\/td>\n N\/V<\/td>\n N\/V<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n <\/td>\n Security Reader<\/td>\n <\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Security<\/td>\n Authentication Administrator<\/p>\n N\/V<\/td>\n Security Administrator<\/td>\n Security Administrator<\/td>\n Security Administrator<\/td>\n Security Administrator<\/td>\n Security Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n Intune Administrator<\/td>\n Company-specific authorization definition<\/span><\/td>\n YES<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Risk<\/td>\n Global Reader<\/td>\n Compliance Administrator<\/p>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Company-specific authorization definition<\/span><\/td>\n Security Reader<\/td>\n Company-specific authorization definition<\/span><\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Legal<\/td>\n Global Reader<\/td>\n Insights Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Company-specific authorization definition<\/span><\/td>\n N\/V<\/td>\n Company-specific authorization definition<\/span><\/td>\n NO<\/span><\/td>\n<\/tr>\n \n Superior<\/strong> IT<\/strong><\/td>\n Compliance<\/td>\n Global Reader<\/p>\n Compliance Administrator<\/p>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Security Reader<\/td>\n Company-specific authorization definition<\/span><\/td>\n N\/V<\/td>\n Company-specific authorization definition<\/span><\/td>\n YES (After approval)<\/span><\/td>\n<\/tr>\n \n Superior IT<\/strong><\/td>\n Licence Management<\/td>\n Licence Administrator<\/p>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n N\/V<\/td>\n Company-specific authorization definition<\/span><\/td>\n N\/V<\/td>\n Company-specific authorization definition<\/span><\/td>\n NO<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Supplements<\/h3>\n
\n
\nThe power user also has the authorisation to install something on their device, whereas the default<\/em> user<\/em> does not have this option.<\/li>\n<\/ul>\n\n