How to provision the accounts of administrators?

Level One: Using Azure AD roles to manage services

The person behind the opening of the tenant automatically takes over the role of General Administrator. He can then appoint other administrators to accompany him in his tasks. As far as possible, Global Admin’s rights should not be used in order to limit overexposure of the administration accounts. It is good practice to limit this general role to a maximum of 3-4 accounts.

In addition, for almost all actions there is an equivalent service administration role (e.g. SharePoint Administrator, User Administrator, etc.). These service administration roles are also known as Azure AD roles. Each service can be viewed as an Azure AD application. An administrator would thus be equivalent to the owner of the service in question. At the time of writing this article, Microsoft offers 59 different roles, which provides a good level of segregation of rights in most cases. However, the default roles provide access to the entire Admin Service for the entire tenant and may in some cases provide access to the underlying data (e.g. for SharePoint Administrator, Exchange Administrator and User Administrator).

In the case of advanced maturity, it is possible to go further in the segregation of rights by creating personalised Azure AD roles. In concrete terms, this means deciding what permissions this role has (e.g. “microsoft.directory/applications/create” allows you to create applications in Azure Active Directory). The downside will be that it will be more complicated to audit the administration and that it will be necessary to monitor the evolution of services to ensure that permissions remain consistent with the needs of administrators.

Second level: Using the RBAC model to manage objects

Certain services such as Exchange Online, Intune, Security and Compliance Centres or Cloud App Security offer specific RBAC rights models. As its name suggests, Role Based Access Control (RBAC), allows for the implementation of more refined permissions management with the ability to define roles for defined perimeters (e.g. For example, it will be possible to create “Helpdesk A” and “Helpdesk B” in Exchange Online to give support rights to two separate teams on a perimeter A and a perimeter B.
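The Azure AD role guidance above (a cap on the general administrator role, default roles with tenant-wide reach, custom role permissions that have to be monitored) can be checked against an export of role assignments. The following Python is an added example, not part of the original article or of any Microsoft tooling; the account names, the custom role "App Registration Creator", the approved-permission list and all sample data are constructed, and the threshold of 4 is the upper end of the 3-4 accounts mentioned above.

```python
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"
MAX_GLOBAL_ADMINS = 4  # upper end of the "3-4 accounts" guidance
# Default roles the article names as possibly exposing underlying data.
DATA_EXPOSING_ROLES = {"SharePoint Administrator", "Exchange Administrator",
                       "User Administrator"}

# Constructed sample export: (principal, role) pairs.
ASSIGNMENTS = [
    ("alice@example.test", GLOBAL_ADMIN),
    ("bob@example.test", GLOBAL_ADMIN),
    ("carol@example.test", GLOBAL_ADMIN),
    ("dave@example.test", GLOBAL_ADMIN),
    ("erin@example.test", GLOBAL_ADMIN),
    ("frank@example.test", "Exchange Administrator"),
    ("grace@example.test", "App Registration Creator"),
]
# Constructed custom role as currently defined, and what was approved for it.
CUSTOM_ROLES = {"App Registration Creator": {
    "microsoft.directory/applications/create",
    "microsoft.directory/applications/credentials/update"}}
APPROVED = {"App Registration Creator": {
    "microsoft.directory/applications/create"}}

def audit(assignments, custom_roles, approved):
    """Return findings as (check, role, details) tuples."""
    holders = defaultdict(set)
    for principal, role in assignments:
        holders[role].add(principal)
    findings = []
    admins = sorted(holders[GLOBAL_ADMIN])
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(("too-many-global-admins", GLOBAL_ADMIN, admins))
    # Tenant-wide default roles: list holders so the scope can be reviewed.
    for role in sorted(DATA_EXPOSING_ROLES & set(holders)):
        findings.append(("tenant-wide-data-access", role, sorted(holders[role])))
    # Custom roles: permissions present but never approved indicate drift.
    for role, perms in sorted(custom_roles.items()):
        extra = sorted(perms - approved.get(role, set()))
        if extra:
            findings.append(("custom-role-drift", role, extra))
    return findings

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, CUSTOM_ROLES, APPROVED):
        print(finding)
```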