Understanding Office 365 Security & Compliance Permissions
The Security & Compliance Center (SCC) is the heart of alerting and reporting within your O365 organization. Understanding its functionality and the various roles integrated within the suite of features is necessary for maximum impact to your organization. New features and functions are added to the SCC regularly, so staying informed through various whitepapers and release notes is important.
Equally important to know is Role Based Access Control (RBAC), which is how permissions are granted within the various facets of Office 365, including the SCC. Each systems administrator first assigns users to groups, then assigns permissions.
What are Permissions, Roles and Role Groups?
- A Permission is the ability to perform an action, such as view data, configure a setting or mitigate an alert.
- A Role is a collection of permissions. For example, the View-Only Audit Logs role is a series of permissions that create the ability to view, arrange and report on the Audit Logs that are generated within O365.
- A Role Group is a collection of roles that combine to create the equivalent of a typical AD Global Group, only within O365. The Security Reader role group would contain the Security Reader, View-Only DLP, View-Only Device Management, View Only IB and View-Only Manage Alerts roles.
How do I give users access to the O365 Security & Compliance Center?
In order to start handing out access, you’ll need to either be an O365 Global Admin or a member of the Organization Management role within the SCC.
Within the Microsoft 365 Admin Center, you’ll see a left-hand column item named Admin Centers. Once expanded, you will be able to access the Security & Compliance area, which will open in a new tab. Clicking any Role Group will bring up a new blade that lists the description, assigned roles and the current membership. Adding a user is as simple as editing the current members list and adding a new user.
Another way to give user access to the SCC is Powershell. In order to create a remote session to your SCC, you’ll enter your O365 credentials, provide the connection settings and import the proper cmdlets to your local session. If your organization uses multi-factor or federated authentication to connect to the SCC, you may need to download or use the Exchange Online Remote Powershell module.
What do these Role Groups do?
Once you’re ready to secure your O365 organization, you need to know what roles your users need. This is a common roadblock that many organizations come up against when first configuring the SCC. To help you better understand, we’ll review the role group’s basic descriptions:
- Reviewer:Members can only view the list of cases on the eDiscovery cases page in the SCC. The purpose of this role group is for members to access and view case data in Advanced eDiscovery. They are not able to create, open or manage an eDiscovery case.
- Records Management:Members of this management role group have permissions to manage and dispose record content.
- Organization Management:Members can control permissions for accessing features in the SCC and administer settings for device management, data loss prevention, reports and preservation.
- Security Administrator:Members of this role group may include cross-service administrators, as well as external partner groups and Microsoft Support. By default, this group may not be assigned any roles. However, it will be a member of the Security Administrators role in Azure Active Directory and will inherit the capabilities of that role.
- Security Operator:Members can manage security alerts and view reports and settings of security features.
- eDiscovery Manager:Members can perform searches and place holds on mailboxes, SharePoint Online sites and OneDrive for Business locations. They can create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Office 365 Advanced eDiscovery.
- Compliance Administrator:In this role, members handle settings for device management, data loss prevention, reports and preservation.
- Supervisory Review:Members can create and manage the policies that define which communications are subject to review in an organization.
- Service Assurance User:This kind of user has access to the Service Assurance section in the SCC. Members of this role group can use this section to review documents related to security, privacy, and compliance in Office 365 to perform risk and assurance reviews for their own organization.
- Security Reader:Members have read-only access to several security features of Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health and Office 365 SCC.
- MailFlow Administrator:Members can monitor and view mail flow insights and reports in the SCC. Global admins can add ordinary users to this group, but if the user isn’t a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.
- Data Investigator:This member performs searches on mailboxes, SharePoint Online sites and OneDrive for Business locations.
So which users get what access?
Since less is more, you should start with user permissions being more restrictive and build from there. It may be advisable to give users the view-only role groups until they become more familiar with the interface, at which point their permissions could be elevated to a standard role group.
As the role group’s permissions and included roles increase, the member count should decrease. Typically, an organization shouldn’t have as many Organization Management users as they have Security Readers. Certain roles such as Compliance Administrator may need to be a JIT role group (meaning only assigned as needed and only for a certain time period), as it contains several high-level roles such as Organization Management and Compliance Data Administrator.
At the “check” portion of your PDCA (plan-do-check-act) cycle, remember to schedule a review of current processes to ensure the procedures are moving smoothly. Speak with team members to ensure they have the correct level of access, use shadowing to ensure they are using the tools correctly and communicate when things change. The SCC is an ever-changing interface, so it pays to review the changes and upgrades that Microsoft rolls out on a regular basis.