Planning for role assignments – Planning and Managing Roles in Microsoft 365


One of the core tenets of security is the use of a least-privilege model. Least privilege means granting only the permissions required to accomplish a particular task, and no more. In the context of Microsoft 365 and Azure AD, this translates to using the built-in role scoped to the service, application, or feature an administrator actually manages (for example, Exchange Administrator) instead of granting the Global Administrator role, which carries full control over every service in the tenant. Limiting administrative scope in this way, by role, is commonly referred to as role-based access control (RBAC).

In order to help organizations plan for a least-privileged deployment, Microsoft currently maintains this list of least-privileged roles necessary to accomplish certain tasks, grouped by application or content area: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task.

When planning role assignments in your organization, you can assign roles directly to users or to a specially designated Azure AD group. If you want to use groups for role assignment, the group's isAssignableToRole property must be set when the group is created. In the Azure AD portal this is the Azure AD roles can be assigned to the group toggle shown in Figure 6.1, which must be set to Yes for the group to be provisioned with that capability. The property is immutable: an existing group cannot be converted into a role-assignable group afterward, nor can a role-assignable group be converted back.

Figure 6.1 – Configuring the isAssignableToRole property on a new group

As you learned in Chapter 5, Azure AD groups configured to be role-assignable must have assigned (not dynamic) membership, because a dynamic membership rule could add a user to a privileged role as a side effect of an attribute change. As soon as you move the slider to configure a role-assignable group, the Membership type selector is grayed out to prevent exactly that kind of accidental elevation. Membership of a role-assignable group can only be changed by Global Administrators, Privileged Role Administrators, and the group's owners, so treat ownership of such a group as a privileged role in its own right.
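The portal steps above have a scriptable equivalent. The following Microsoft Graph PowerShell script is an added example, not code from the book: it creates a security group with isAssignableToRole set at creation time, then re-reads the group to confirm the property took effect and that the group is not dynamic. It assumes the Microsoft.Graph module is installed and the signed-in account holds Privileged Role Administrator or Global Administrator (required to create role-assignable groups); the group name and mail nickname are illustrative.

```powershell
# Added example (not from the book): create a role-assignable group with
# Microsoft Graph PowerShell and verify it before anyone assigns a role to it.
# Assumptions: Microsoft.Graph module installed; caller is Privileged Role
# Administrator or Global Administrator. Names below are illustrative.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$params = @{
    DisplayName        = 'Exchange Admins (role-assignable)'   # illustrative name
    MailNickname       = 'exchange-admins-ra'                  # illustrative alias
    Description        = 'Holds the Exchange Administrator role via group assignment'
    SecurityEnabled    = $true
    MailEnabled        = $false
    IsAssignableToRole = $true   # only settable at creation; immutable afterward
    # Deliberately no MembershipRule / 'DynamicMembership' group type:
    # role-assignable groups must use assigned membership, and Graph
    # rejects the combination.
}
$group = New-MgGroup @params

# Re-read the object from the directory rather than trusting the local result.
$check = Get-MgGroup -GroupId $group.Id -Property Id, DisplayName, IsAssignableToRole, GroupTypes

if (-not $check.IsAssignableToRole) {
    throw "Group $($check.DisplayName) was created without isAssignableToRole; delete and recreate it."
}
if ($check.GroupTypes -contains 'DynamicMembership') {
    throw "Group $($check.DisplayName) is dynamic; role-assignable groups must have assigned membership."
}

"Created role-assignable group $($check.DisplayName) ($($check.Id))"
```

Because the property cannot be changed later, the verification step matters: a group created without IsAssignableToRole (for example, by a script that omitted the parameter) has to be deleted and recreated, and any role assignment attempted against it will be rejected by the directory.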

Managing roles in the Microsoft 365 admin center

Roles can be easily managed within the Microsoft 365 admin center by expanding the navigation menu, expanding Roles, and then selecting Role assignments.

Figure 6.2 – Role assignments

Roles are displayed across four tabs, Azure AD, Exchange, Intune, and Billing, as shown in Figure 6.3:

Figure 6.3 – The Role assignments page

To add people to a role, select the role from the list, choose the Assigned tab, and then add either users or groups to that role. The same tab lists everyone who already holds the role, which makes it a convenient place to review existing assignments before adding more.

Figure 6.4 – Making role assignments

The group types you can use differ by tab: Azure AD roles accept only role-assignable groups (security or Microsoft 365 groups created with isAssignableToRole set), Exchange role groups accept mail-enabled security groups, and Intune roles accept ordinary security groups. Whichever tab you are on, review the group's membership, and who is allowed to change it, before making the assignment, because anyone added to the group later inherits the role.
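The admin center assignment shown in Figure 6.4 corresponds to a unifiedRoleAssignment in Microsoft Graph. The following script is an added example, not code from the book: it assigns the Exchange Administrator role to a role-assignable group at tenant scope, then performs the least-privilege check a practitioner would want alongside it by listing every principal that currently holds Global Administrator. It assumes the Microsoft.Graph module is installed, the caller holds Privileged Role Administrator or Global Administrator, and a role-assignable group named 'Exchange Admins (role-assignable)' already exists (illustrative name).

```powershell
# Added example (not from the book): assign a built-in role to a role-assignable
# group via Microsoft Graph PowerShell, then audit Global Administrator holders.
# Assumptions: Microsoft.Graph module installed; caller is Privileged Role
# Administrator or Global Administrator; the group name is illustrative.

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# Resolve the built-in role definition by display name rather than hard-coding IDs.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$group = Get-MgGroup -Filter "displayName eq 'Exchange Admins (role-assignable)'"

if (-not $group.IsAssignableToRole) {
    throw "$($group.DisplayName) is not role-assignable; the directory will reject this assignment."
}

# '/' is tenant-wide scope; an administrative unit would be '/administrativeUnits/<id>'.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $group.Id -DirectoryScopeId '/' | Out-Null
"Assigned $($role.DisplayName) to $($group.DisplayName)"

# Least-privilege audit: who holds Global Administrator, and of what object type?
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'" |
    ForEach-Object {
        # Principals may be users, groups, or service principals; resolve generically.
        $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            Principal = $p.AdditionalProperties['displayName']
            Type      = ($p.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
            Scope     = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize
```

The audit lists active assignments only. If the tenant uses Privileged Identity Management, eligible assignments live in a separate endpoint (Get-MgRoleManagementDirectoryRoleEligibilitySchedule) and need to be reviewed as well, and a group that appears in the output should be expanded to its members, since each member effectively holds the role.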
