Security and Compliance Roles in Office 365: Some Best Practices
When you deploy Office 365, you will eventually have to delve into the O365 Security and Compliance center (https://protection.office.com). There are a lot of very important features in the Security and Compliance center that allow you to manage Alerts, review audit logs, configure DLP, and much more. When you first start working with the S&C center, most likely you will be logged in as the Global Admin, but this isn’t the best practice long term. Also, if you can delegate these tasks to the correct people, then you won’t have to perform them every time.
So, how do we delegate those tasks? It’s via Role Groups in the Permissions section of the S&C center. Global Admins are automatically assigned the Organizational Management Role group which gives them the all-important role Role Management.
Tangent time…Microsoft has really messed up the naming of these things. Roles are specific permissions in the S&C center. Role Groups are when a bunch of Roles (actually permissions) are grouped together. For some reason, they didn’t just call them Permissions and Roles and make our lives easier. You can read all about this here.
The marriage of Users and Roles (permissions) is the Role Group.

So, what Role Groups should you assign your users to? Here is the list of Role Groups and their descriptions:
| Role group | Description | Candidate user |
|---|---|---|
| Compliance Administrator | Members can manage settings for device management, data loss prevention, reports, and preservation. | Security Team Member |
| eDiscovery Manager | Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, and create and edit Content Searches associated with a case. | eDiscovery Admins and Investigators |
| Organization Management | Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. | Global Admin is this by default; Security and Compliance Team Leader and backup |
| Reviewer | Members can only view the list of cases on the eDiscovery cases page in the Security & Compliance Center. They can’t create, open, or manage an eDiscovery case. The primary purpose of this role group is to allow members to view and access case data in Advanced eDiscovery. This role group has the most restrictive eDiscovery-related permissions. | eDiscovery Investigator that only needs limited rights |
| Security Administrator | Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through the administrator portals. Members of this role group may include cross-service administrators, as well as external partner groups and Microsoft Support. By default, this group may not be assigned any roles. However, it will be a member of the Security Administrators role groups and will inherit the capabilities of that role group. | |
| Security Reader | Members have read-only access to several security features of Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center. | Security Team members that do not need to change any settings |
| Service Assurance User | Members can access the Service assurance section in the Office 365 Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft’s security practices for customer data that’s stored in Office 365. | Help Desk; Communications Team members |
| Supervisory Review | Members can create and manage the policies that define which communications are subject to review in an organization. | Managers of Customer Contact Team Leads |
There…now you have everything that you need…right? Well, not really. That list of Role Groups provides a decent starting point, but it doesn’t solve every problem. For one…there are a few features that, even if you activate them in the S&C Center, still won’t work. Audit Log Access is one of them. If you look at the top of the Permissions page you will see the following:
So, if we want a non-Global or Exchange Admin to see Audit Logs, then we have to go into the Exchange Admin Center and add them to a role group that has those permissions…or create a custom role group that does. If you go the existing role group route, then add them to the Compliance Management role group in Exchange.
That covers Audit Logs…but it grants a lot more besides. I can make an argument that a Security and Compliance Team member actually does need this level of permissions, but you can also just create a new role group and only grant it Audit Logs and View-Only Audit Logs.
Back to the Security and Compliance Center…
You can make your own Role Groups, and honestly if you are thinking about changing any of the roles assigned to a role group…don’t. Instead copy the role group and change that. This will ensure that if Microsoft changes something in the future you won’t have inadvertently broken it.
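Both of the steps above (a least-privilege Exchange role group for audit-log access, and copying an S&C role group instead of editing the built-in one) can be scripted. The following is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module (`Connect-ExchangeOnline` / `Connect-IPPSSession`) is installed, that the account running it holds Role Management in both Exchange Online and the S&C Center, and that the admin, analyst and group names are placeholders.

```powershell
# Added example: delegate audit-log access with a minimal Exchange Online role group,
# then copy an S&C Center role group rather than modifying the built-in one.
# Assumptions: ExchangeOnlineManagement module installed; names below are placeholders.

# ---- Exchange Online side: Audit Logs need an Exchange role group -----------------
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Broad option: the built-in Compliance Management group (grants more than audit logs).
# Add-RoleGroupMember -Identity "Compliance Management" -Member analyst@contoso.example

# Least-privilege option: a custom group holding only the two audit-log roles.
$AuditGroup = "Audit Log Readers"
if (-not (Get-RoleGroup -Identity $AuditGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $AuditGroup `
        -Roles "Audit Logs", "View-Only Audit Logs" `
        -Description "Audit log search and export only; no other Exchange rights" `
        -Members "analyst@contoso.example"
}

# Check: the group should carry exactly those two roles and nothing else.
$Assigned = Get-ManagementRoleAssignment -RoleAssignee $AuditGroup |
    Select-Object -ExpandProperty Role
$Unexpected = $Assigned | Where-Object { $_ -notin @("Audit Logs", "View-Only Audit Logs") }
if ($Unexpected) { Write-Warning "Extra roles on ${AuditGroup}: $($Unexpected -join ', ')" }

# ---- Security & Compliance Center side: copy, then customise the copy -------------
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$Source = Get-RoleGroup -Identity "Compliance Administrator"
$Copy   = "Compliance Administrator (Custom)"
if (-not (Get-RoleGroup -Identity $Copy -ErrorAction SilentlyContinue)) {
    # Same roles as the built-in group; the built-in group itself is left untouched.
    New-RoleGroup -Name $Copy -Roles $Source.Roles `
        -Description "Copy of the built-in Compliance Administrator group; safe to edit"
}

# Example customisation applied to the COPY only: drop Case Management.
# Assumption: S&C role assignments are named "<Role>-<RoleGroup>", as in Exchange.
$Assignment = "Case Management-$Copy"
if (Get-ManagementRoleAssignment -Identity $Assignment -ErrorAction SilentlyContinue) {
    Remove-ManagementRoleAssignment -Identity $Assignment -Confirm:$false
}

# Finally, put the team in the copy, never in the built-in group you intend to diverge from.
Add-RoleGroupMember -Identity $Copy -Member "analyst@contoso.example"

# Review what ended up assigned to each group before handing it over.
Get-RoleGroup -Identity $AuditGroup, $Copy | Select-Object Name, Roles, Members
```

The first half runs in an Exchange Online session and the second in a Security & Compliance session; role groups with the same display name are separate objects in the two services, which is exactly why the Audit Logs role in the S&C Center does nothing on its own. The final `Get-RoleGroup` call is the check worth keeping in a runbook: it shows the roles and members that were actually applied, so the least-privilege intent can be verified rather than assumed.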
NOTE: eDiscovery is a strange animal. Its Role Group has two sets of members. The eDiscovery Manager and the eDiscovery Admin. The Admin can see and manage all eDiscovery cases, while the Manager can only work on cases that they have been directly assigned. If you copy this group…it doesn’t have the two levels of members so something is special about this group specifically.
Customizing your own Role Groups might be just what you need to do, or you may just want to understand what the Roles (permissions) actually mean. Good luck with that. I cannot find an article that actually lists all of the roles and a good description of them. Here is the best that I can provide for you:
| Role | Description |
|---|---|
| Audit Logs | Lets people turn on and configure auditing for their Office 365 organization. This role also lets people view the organization’s audit reports, and then export these reports to a file. NOTE: This doesn’t actually give them audit log access until you add them to that role in Exchange. That will change in the future, I suspect. |
| Case Management | Lets people create, edit, delete, and control access to eDiscovery cases. |
| Compliance Administrator | Lets people view and edit settings and reports for compliance features. |
| Compliance Search | Lets people perform searches across mailboxes and get an estimate of the results. |
| Device Management | Lets people view and edit settings and reports for device management features. |
| Disposition Management | Control permissions for accessing Manual Disposition in the Security & Compliance Center. |
| DLP Compliance Management | Lets people view and edit settings and reports for data loss prevention (DLP) policies. |
| Export | Lets people export the mailbox and site content that was returned from a search. |
| Hold | Lets people place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content. |
| Manage Alerts | Lets people view and edit the settings and reports for alerts. |
| Organization Configuration | Lets people run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. |
| Preview | Lets people view a list of items that were returned from a content search. They’ll also be able to open each item from the list to view its contents. |
| RecordManagement | Allow viewing and editing configuration and reports for the Record Management feature. |
| Retention Management | Lets people manage retention policies. |
| Review | Lets people use Office 365 Advanced eDiscovery to track, tag, analyze, and test documents that are assigned to them. |
| RMS Decrypt | Lets people decrypt RMS-protected content when exporting search results. |
| Role Management | Lets people manage role group membership and create or delete custom role groups. |
| Search And Purge | Lets people bulk-remove data that matches the criteria of a content search. |
| Security Administrator | Allows viewing and editing configuration and reports for Security features. |
| Security Reader | Allows viewing configuration and reports for Security features. |
| Service Assurance View | Lets people download the documents available on the Service Assurance section. Content includes independent auditing and compliance documentation and trust-related guidance for using Office 365 features to manage regulatory compliance and security risks. |
| Supervisory Review Administrator | Lets people manage supervisory review policies, including which communications to review and who should perform the review. |
| View-Only Audit Logs | Lets people view and export their organization’s audit reports. Because these reports might contain sensitive information, this role should only be assigned to those with an explicit need to view this information. |
| View-Only Device Management | Allow viewing configuration and reports for the Device Management feature. |
| View-Only DLP Compliance Management | Lets people view the settings and reports for data loss prevention (DLP) policies. |
| View-Only Manage Alerts | Allow viewing configuration and reports for the Manage Alerts feature. |
| View-Only Recipients | Lets people view information about users and groups. |
| View-Only Record Management | Allow viewing configuration and reports for the Record Management feature. |
| View-Only Retention Management | Allow viewing configuration and reports for the Retention Management feature. |
Some of these descriptions aren’t very explanatory, but that is what Microsoft is giving us today. Hopefully more will come soon.