Microsoft Purview – Managing Roles in Microsoft 365

Like Microsoft 365 Defender, Microsoft Purview can use both the Azure AD global roles and the more granular role groups designed specifically for Microsoft Purview. Some features (such as eDiscovery) can only be configured using the Purview-specific role groups.

You can view the global Azure AD roles by navigating to the Microsoft Purview compliance center, expanding Roles & scopes, selecting Permissions, and then selecting Roles under Azure AD. See Figure 3.11:

Figure 3.11 – Viewing the Azure AD roles in the Microsoft 365 admin center

By comparison, the Microsoft Purview-specific roles are more detailed. They can be seen in the Microsoft Purview compliance center (https://compliance.microsoft.com) by expanding Roles & scopes, selecting Permissions, and then selecting Roles under Microsoft Purview solutions. See Figure 3.12:

Figure 3.12 – Microsoft Purview solutions roles

As with Microsoft 365 Defender, you can also create custom role groups for Microsoft Purview solutions. Microsoft Purview roles also support scoping with administrative units. Currently, the features listed in Table 3.2 support administrative units:

Solution or feature          Configuration areas
---------------------------  --------------------------------------------------------------------------
Data lifecycle management    Retention policies, retention label policies, role groups
Data Loss Prevention (DLP)   DLP policies, role groups
Communications compliance    Adaptive scopes
Records management           Retention policies, retention label policies, adaptive scopes, role groups
Sensitivity labels           Sensitivity label policies, auto-labeling policies, role groups

Table 3.2 – Microsoft Purview’s support for administrative units
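Custom Purview role groups can also be built and audited from Security & Compliance PowerShell, which is often quicker than the portal when you need to prove exactly which roles a group carries. The following is an added example, not code from the book or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account can manage role groups, and that the UPNs, the role group name and the role names ("Case Management", "Compliance Search", "Search And Purge") are placeholders you verify against your own tenant with Get-ManagementRole.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module; all UPNs and the role group name are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Enumerate the built-in Purview role groups and the roles each one carries.
Get-RoleGroup | Sort-Object Name | Format-Table Name, Roles -AutoSize

# 2. Confirm the role names exist in this tenant before building a group from them.
#    Role names are assumed here; Get-ManagementRole is the authoritative list.
$wanted    = @("Case Management", "Compliance Search")
$available = (Get-ManagementRole).Name
$missing   = $wanted | Where-Object { $_ -notin $available }
if ($missing) { throw "Unknown roles in this tenant: $($missing -join ', ')" }

# 3. Create a least-privilege custom role group: case handling and search only,
#    deliberately without the export or purge roles the built-in eDiscovery Manager has.
New-RoleGroup -Name "eDiscovery Case Handlers" `
              -Roles $wanted `
              -Description "Open and search eDiscovery cases; no export, no purge"

# 4. Add a member and read the membership back.
Add-RoleGroupMember -Identity "eDiscovery Case Handlers" -Member "alex@contoso.com"
Get-RoleGroupMember -Identity "eDiscovery Case Handlers" | Select-Object Name, PrimarySmtpAddress

# 5. Audit check: which role groups (built-in or custom) grant the purge role?
#    Roles is a multi-valued property, so join it before matching.
Get-RoleGroup |
    Where-Object { ($_.Roles -join ',') -match 'Search And Purge' } |
    Select-Object Name, @{ n = 'Members'; e = { (Get-RoleGroupMember -Identity $_.Identity).Name -join ', ' } }
```

Step 2 is the part worth keeping in any automation: New-RoleGroup fails on an unknown role name, but checking first gives you a clear error and stops a half-configured group from being created under a misspelled role.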

Next, you’ll look at managing role groups for Microsoft 365 workloads.

Microsoft 365 Workloads

The core Microsoft 365 workloads, such as Exchange Online and SharePoint Online, have built-in support for a number of role groups.

Figure 3.13 – Microsoft 365 workload roles

In the case of Exchange Online, there are additional management roles that can be assigned through the Exchange admin center’s own RBAC mechanism. Exchange Online’s RBAC model predates the modern Microsoft 365 and Azure AD role assignments, and its management roles and scopes offer finer-grained control than the single Exchange-related workload role.
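The extra granularity in Exchange Online RBAC comes from combining a management role with a write scope, so that a delegated administrator can change only a defined set of recipients. The following is an added example, not code from the book or from Microsoft; it assumes the ExchangeOnlineManagement module, the built-in "Mail Recipients" and "Mailbox Import Export" roles (verify with Get-ManagementRole), and placeholder names for the account, the security group, the scope and the CustomAttribute1 value used as the filter.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module; the account, group, scope name and attribute value are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. The Exchange management roles are far more granular than the workload role.
Get-ManagementRole | Sort-Object Name | Select-Object Name | Format-Table -AutoSize

# 2. Who effectively holds a sensitive role, and through which role group or
#    security group? -GetEffectiveUsers expands group membership for you.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope

# 3. Define the boundary: a recipient write scope limited to one region.
#    CustomAttribute1 = 'EMEA' is an assumed convention for this tenant.
New-ManagementScope -Name "EMEA Recipients" `
                    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EMEA'"

# 4. Assign the role to a role group or mail-enabled security group, but only
#    within that scope. Members can edit EMEA recipients and nothing else.
New-ManagementRoleAssignment -Name "EMEA Helpdesk - Mail Recipients" `
                             -Role "Mail Recipients" `
                             -SecurityGroup "EMEA Helpdesk" `
                             -CustomRecipientWriteScope "EMEA Recipients"

# 5. Verify the assignment and its scope; an assignment showing the default
#    'Organization' write scope would be tenant-wide, which is not what we want.
Get-ManagementRoleAssignment -RoleAssignee "EMEA Helpdesk" |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope
```

The check in step 5 is the one to repeat after any change: the role name tells you what the group can do, but only the write scope tells you to whom.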

While many workloads have a single role group (such as Kaizala Administrator or SharePoint Administrator), some, such as Teams, have multiple role groups that can be used to further segment or delegate administration. You can review the current list of roles available in the Microsoft 365 admin center by navigating to the admin center (https://admin.microsoft.com), expanding Roles, and then selecting Role assignments.

Managing Administrative Units

Administrative units are collections of users and devices whose management can be delegated to specific administrators. In on-premises Active Directory, you may choose to delegate control of administrative functions using the Delegation of Control wizard in Active Directory Users and Computers or the Active Directory Administrative Center. Unlike on-premises Active Directory, Azure AD is not hierarchical. Delegation must be achieved by defining boundaries and then controlling which users or devices are placed inside them.

Administrative units can be role-scoped. That is, an administrator can be granted an administrative role (such as Helpdesk Administrator) whose permissions apply only to the users and devices in the administrative units they have been assigned, rather than to the whole tenant.
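The three steps described above (define the boundary, place users inside it, assign a role limited to it) map directly onto Microsoft Graph PowerShell. The following is an added example, not code from the book or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds Privileged Role Administrator or equivalent, and every display name and UPN is a placeholder.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Graph PowerShell
# SDK; the administrative unit name and all UPNs are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 1. Define the boundary: the administrative unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA Helpdesk Scope" `
                                        -Description "Users supported by the EMEA helpdesk"

# 2. Control who is inside the boundary (static membership shown here).
foreach ($upn in @("alex@contoso.com", "dana@contoso.com")) {
    $u = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Grant Helpdesk Administrator scoped to the AU, not the tenant.
#    The directory scope "/administrativeUnits/<id>" is what limits the role.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$admin = Get-MgUser -UserId "emea-helpdesk-lead@contoso.com" -Property Id
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
                                            -PrincipalId $admin.Id `
                                            -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Check: an assignment of the same role with DirectoryScopeId "/" is tenant-wide
#    and is not constrained by any administrative unit. Surface those separately.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object {
        if ($_.DirectoryScopeId -eq "/") {
            Write-Warning "Tenant-wide Helpdesk Administrator: principal $($_.PrincipalId)"
        } else {
            [pscustomobject]@{ PrincipalId = $_.PrincipalId; Scope = $_.DirectoryScopeId }
        }
    }
```

The scoped assignment only limits what the helpdesk lead can do through that assignment. If the same person also holds an unscoped assignment of the role, the wider one applies, which is why step 4 lists every assignment of the role rather than only the one just created.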
