{"id":5503,"date":"2024-04-30T07:58:12","date_gmt":"2024-04-30T05:58:12","guid":{"rendered":"https:\/\/www.msb365.blog\/?p=5503"},"modified":"2024-04-30T07:58:12","modified_gmt":"2024-04-30T05:58:12","slug":"microsoft-365-entra-id-administrative-units-authorization-concept-part-2","status":"publish","type":"post","link":"https:\/\/www.msb365.blog\/?p=5503","title":{"rendered":"Recommendation &#8211; Microsoft 365 authorization concepts &#8211; Part 2"},"content":{"rendered":"<p>This article is a continuation &#8211; i.e. Part 2 &#8211; of the article <strong><a href=\"https:\/\/www.msb365.blog\/?p=5495\" target=\"_blank\" rel=\"noopener\">Recommendation &#8211; Microsoft 365 authorization concepts &#8211; Part 1<\/a><\/strong>.<br \/>\nIn this article, the following topics are now dealt with to complete the start for understanding an authorization concept:<\/p>\n<ul>\n<li>Configuration of Exchange online RBAC at Administrative Units level<\/li>\n<li>Configuration of automatic users, guests and devices to the correct administrative units<\/li>\n<li>Completion of the authorization matrix &#8211; Recommended Microsoft certifications for the respective roles in the matrix<\/li>\n<\/ul>\n<p>A <span style=\"color: #ff0000;\"><strong>disclaimer<\/strong><\/span> at this point before we continue with the technical part of this article.<br \/>\nThe information from the first and second part of this short series is primarily intended as an application example. In addition, the aim is to use the tools provided by Microsoft in such a way that an optimal and granular authorization can be defined and built across an environment.<br \/>\nParticularly with regard to the authorization matrix and the certification matrix, there may be deviations depending on the company. 
Take these two articles as food for thought and modify and\/or extend them to suit your company.<\/p>\n<p>&nbsp;<\/p>\n<h3>Configuration of Exchange Online RBAC at Administrative Units level<\/h3>\n<p>To create a custom EXO role and then apply it to an AU, the following prerequisites are required:<\/p>\n<ul>\n<li>For the creation: Global Administrator authorisation on the corresponding account<\/li>\n<li>Entra ID Premium subscription (for Administrative Units)<\/li>\n<li>MS Graph PowerShell Module (note: the Azure AD PowerShell Module may no longer work, depending on when this article is read)<\/li>\n<li>Exchange Online PowerShell Module<\/li>\n<\/ul>\n<pre><span style=\"color: #339966;\"># Connect to MS Graph with PowerShell and the required permissions<\/span>\r\nConnect-MgGraph -Scopes \"Directory.Read.All\"<\/pre>\n<pre><span style=\"color: #339966;\"># Show all available Administrative Units<\/span>\r\nGet-MgDirectoryAdministrativeUnit<\/pre>\n<pre><span style=\"color: #339966;\"># Get the Administrative Unit<\/span>\r\n$au = Get-MgDirectoryAdministrativeUnit -Filter \"DisplayName eq 'Your Administrative Unit Name'\"<\/pre>\n<pre><span style=\"color: #339966;\"># Connect to Exchange Online PowerShell:<\/span>\r\nConnect-ExchangeOnline<\/pre>\n<p>&nbsp;<\/p>\n<h4>Assign the RBAC Role<\/h4>\n<pre><span style=\"color: #339966;\"># Assign the role to an administrator and scope the assignment to the Administrative Unit.\r\n# The object ID of the AU is passed directly, so no separate management scope is needed.<\/span>\r\nNew-ManagementRoleAssignment -Name \"Your Assignment Name\" -Role \"Your Role Name\" -User \"Your Admin Account\" -RecipientAdministrativeUnitScope $au.Id<\/pre>\n<p>Please replace<strong> &#8216;Your Administrative Unit Name&#8217;<\/strong>, <strong>&#8216;Your Assignment Name&#8217;<\/strong>, <strong>&#8216;Your Role Name&#8217;<\/strong>, and 
<strong>&#8216;Your Admin Account&#8217;<\/strong> with the actual name of your Administrative Unit, the name you want to give to the role assignment, the name of the role you want to assign, and the account that is to receive the role, respectively.<\/p>\n<p>&nbsp;<\/p>\n<h3>Configuration of automatic users, guests and devices to the correct administrative units<\/h3>\n<p>Once the concept for the administrative units has been defined, the units themselves can be created. There are several ways to do this, for example via the Azure Admin Portal or via PowerShell.<br \/>\nThe PowerShell variant requires the MS Graph PowerShell module.<br \/>\nBelow is a configuration example:<\/p>\n<pre><span style=\"color: #339966;\"># Connect via MS Graph PowerShell<\/span>\r\nConnect-MgGraph -Scopes \"Directory.ReadWrite.All\", \"User.ReadWrite.All\"<\/pre>\n<pre><span style=\"color: #339966;\"># Create the Administrative Unit<\/span>\r\nNew-MgDirectoryAdministrativeUnit -DisplayName \"Your Administrative Unit Name\" -Description \"Your Administrative Unit Description\"<\/pre>\n<pre><span style=\"color: #339966;\"># Get the Administrative Unit<\/span>\r\n$au = Get-MgDirectoryAdministrativeUnit -Filter \"DisplayName eq 'Your Administrative Unit Name'\"<\/pre>\n<pre><span style=\"color: #339966;\"># Create a Dynamic Group (MailEnabled and SecurityEnabled are switch parameters)<\/span>\r\n$group = New-MgGroup -DisplayName \"Your Dynamic Group Name\" -Description \"Your Dynamic Group Description\" -MailEnabled:$false -SecurityEnabled -MailNickname \"YourDynamicGroup\" -GroupTypes \"DynamicMembership\" -MembershipRule \"(user.department -eq 'Your Department Name')\" -MembershipRuleProcessingState \"On\"<\/pre>\n<pre><span style=\"color: #339966;\"># Assign the Dynamic Group to the Administrative Unit (members are added by reference)<\/span>\r\nNew-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{ \"@odata.id\" = \"https:\/\/graph.microsoft.com\/v1.0\/groups\/$($group.Id)\" }<\/pre>\n<p>In this example, a dynamic group has now also been created and assigned to the Administrative Unit. 
However, regardless of whether an Administrative Unit was created in the Azure Admin Centre or via PowerShell, it is recommended not to assign dynamic groups to an AU.<br \/>\nFrom my personal experience, it is better to work with expressions under &#8220;<strong><em>Dynamic membership rules<\/em><\/strong>&#8221;. Here are some examples:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"301\"><strong>AU Function<\/strong><\/td>\n<td width=\"301\"><strong>Expression example<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"301\">AU for all users and guests located in Switzerland<\/td>\n<td width=\"301\">(user.country -eq &quot;Switzerland&quot;) or ((user.userType -eq &quot;Guest&quot;) and (user.department -eq &quot;Switzerland&quot;))<\/td>\n<\/tr>\n<tr>\n<td width=\"301\">AU for all devices located in Switzerland<\/td>\n<td width=\"301\">(device.deviceCategory -eq &quot;Switzerland&quot;)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The attributes used in such expressions must of course be maintained in Entra ID (for devices, in my example, in Microsoft Intune). Other attributes can also be used in expressions, for example <strong><em>user.extensionAttribute<span style=\"color: #339966;\">XX<\/span><\/em><\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<h3>Addition to the authorization matrix &#8211; Recommended Microsoft certifications for the respective roles in the matrix<\/h3>\n<p>The following table with the training and certification options should of course be treated with caution. 
A lead time must be defined for the introduction in particular so that the relevant administrators can undergo further training.<\/p>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"86\"><strong>Role<\/strong><\/td>\n<td width=\"86\"><strong>Certification 1<\/strong><\/td>\n<td width=\"86\"><strong>Cert Link 1<\/strong><\/td>\n<td width=\"86\"><strong>Optional Certification<\/strong><\/td>\n<td width=\"86\"><strong>Cert Link 2<\/strong><\/td>\n<td width=\"86\"><strong>Optional Certification 2<\/strong><\/td>\n<td width=\"86\"><strong>Cert Link 3<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Authentication Administrator<\/strong><\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Cloud Device Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Endpoint Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-endpoint-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-endpoint-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Helpdesk Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>License Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>SharePoint Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Teamwork Administrator 
Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teamwork-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teamwork-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Security, Compliance, and Identity Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/security-compliance-and-identity-fundamentals\/\">Microsoft Certified: Security, Compliance, and Identity Fundamentals &#8211; Certifications | Microsoft Learn<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Teams Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Teams Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teams-administrator-associate\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teams-administrator-associate\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Collaboration Communications Systems Engineer Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-collaboration-communications-systems-engineer\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-collaboration-communications-systems-engineer\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Teams Devices Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Teams Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teams-administrator-associate\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-teams-administrator-associate\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>User Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Compliance Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Information Protection and Compliance Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Billing Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Security Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Security Operations Analyst Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/security-operations-analyst\/?wt.mc_id=certsustainedmkt_portfolioupdate_blog_wwl\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/security-operations-analyst\/?wt.mc_id=certsustainedmkt_portfolioupdate_blog_wwl<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Information Protection and Compliance Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a 
href=\"https:\/\/learn.microsoft.com\/en-gb\/credentials\/certifications\/identity-and-access-administrator\/?wt.mc_id=certsustainedmkt_portfolioupdate_blog_wwl\">https:\/\/learn.microsoft.com\/en-gb\/credentials\/certifications\/identity-and-access-administrator\/?wt.mc_id=certsustainedmkt_portfolioupdate_blog_wwl<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Conditional Access Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Message Center Reader<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Knowledge Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: 
Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Directory Readers<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Report Readers<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Application Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/microsoft-365-fundamentals\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Global Reader<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td 
width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Privileged Role Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Identity and Access Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/\">https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/identity-and-access-administrator\/<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft Certified: Security, Compliance, and Identity Fundamentals<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/security-compliance-and-identity-fundamentals\/\">Microsoft Certified: Security, Compliance, and Identity Fundamentals &#8211; Certifications | Microsoft Learn<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Global Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Information Protection and Compliance Administrator Associate<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/\" target=\"_blank\" rel=\"noopener\"><u>https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/information-protection-and-compliance-administrator\/<\/u><\/a><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"86\"><strong>Global Administrator<\/strong><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">Microsoft 365 Certified: Administrator Expert<\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\"><u><a href=\"https:\/\/learn.microsoft.com\/en-us\/credentials\/certifications\/m365-administrator-expert\/\">Microsoft 365 Certified: Administrator Expert &#8211; Certifications | Microsoft 
Learn<\/a><\/u><\/p>\n<p>&nbsp;<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<td width=\"86\">n\/a<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Conclusion<\/h3>\n<p>Here is a brief summary of the two articles on this topic. As already mentioned several times, both articles are application examples or basic information intended to improve understanding of how an authorization concept can be set up and configured.<br \/>\nIn my view, it is essential to know <strong>a)<\/strong> that the various tools exist and <strong>b)<\/strong> how they should be used, especially when it comes to the various tools such as the focus topic of administrative units.<\/p>\n<p>I have not gone into topics such as data classification and DLP in any more depth, as this would otherwise have become too long a series. Following on from this chapter, I have linked to another article on <strong>sensitivity labelling<\/strong>. This can also serve as supplementary knowledge.<\/p>\n<p>My aim with these two articles was to give you an understanding of the tools described and to provide a rough guideline for this type of conceptualisation.<\/p>\n<p>I hope I have succeeded in this.<\/p>\n<p>Thank you for visiting my blog&#8230; &lt;3<\/p>\n<div class=\"vlp-link-container vlp-layout-basic\"><a href=\"https:\/\/www.msb365.blog\/?p=4422\" class=\"vlp-link\" title=\"Sensitivity Labeling with Microsoft\"><\/a><div class=\"vlp-layout-zone-side\"><div class=\"vlp-block-2 vlp-link-image\"><img decoding=\"async\" style=\"max-width: 150px;\" width=\"150\" height=\"100\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo.png\" class=\"attachment-150x999 size-150x999\" alt=\"\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo.png 1800w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-300x200.png 300w, 
https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-1024x683.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-768x512.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-600x400.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-1536x1025.png 1536w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-1600x1068.png 1600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-905x604.png 905w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2021\/01\/Logo-1320x881.png 1320w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><\/div><\/div><div class=\"vlp-layout-zone-main\"><div class=\"vlp-block-0 vlp-link-title\">Sensitivity Labeling with Microsoft<\/div><div class=\"vlp-block-1 vlp-link-summary\">For almost a year now, we have had to deal with the COVID-19 pandemic. Many of us can work from home, but unfortunately not all. From a CISO&#8217;s point of view, one of the challenges is to ensure that internal company documents remain internal and are not duplicated without permission. Microsoft offers &#8220;Sensitivity Labels&#8221; for this purpose. These are individually configurable on various levels. On the one hand, you can define what they should be called, but also what should happen when a document is labeled and who is entitled to a label. In this article I will briefly explain [&hellip;]<\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>This article is a continuation &#8211; i.e. Part 2 &#8211; of the article Recommendation &#8211; Microsoft 365 authorization concepts &#8211; Part 1. 
In this article, the following topics are now dealt with to complete the start for understanding an authorization concept: Configuration of Exchange online RBAC at Administrative Units level Configuration of automatic users, guests [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5527,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[685,12,1923,2],"tags":[],"class_list":["post-5503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-azure","category-microsoft-365","category-exchange"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5503"}],"version-history":[{"count":8,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5503\/revisions"}],"predecessor-version":[{"id":5539,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/5503\/revisions\/5539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/media\/5527"}],"wp:attachment":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5503"}],"wp:term":[{"taxonomy":
"category","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}