Because only another global admin can reset a global admin's password, we recommend that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so we also recommend that you don't have more than 4 global admins because that's a security threat.

Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you shouldn't assign the unlimited global admin role, you should assign a limited admin role, like Password admin or Helpdesk admin.

Require multi-factor authentication for admins

It's a good idea to require MFA for all of your users, but admins should be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are. Admins can have access to a lot of customer and employee data and if you require MFA, even if the admin's password gets compromised, the password is useless without the second form of identification. When you turn on MFA, the next time the user signs in, they'll need to provide an alternate email address and phone number for account recovery.

Assign the Exchange admin role to users who need to view and manage your users' email mailboxes, Office 365 groups, and Exchange Online.
- Recover deleted items in a user's mailbox
- Set up "Send As" and "Send on behalf" delegates

Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins.
Note: The person who signed up for Microsoft online services automatically becomes a Global admin.

Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can't edit any settings.

Assign the group admin role to users who need to manage all group settings across admin centers, including the Microsoft 365 Admin Center and Azure Active Directory portal.
- Create, edit, delete, and restore Office 365 Groups
- Create and update group creation, expiration, and naming policies
- Create, edit, delete, and restore Azure Active Directory security groups

Assign the Helpdesk admin role to users who need to do the following:
Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.

Assign the Office Apps admin role to users who need to do the following:
- Use the Office cloud policy service to create and manage cloud-based policies for Office
- Manage the What's New content that users see in their Office apps

Assign the Service admin role as an additional role to admins or users whose role doesn't include the following, but still need to do the following:

Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center.
- Manage site collections and global SharePoint settings

Assign the Teams admin role to users who need to access and manage the Teams admin center.
- Manage all org-wide settings, including federation, Teams upgrade, and Teams client settings

Assign the User admin role to users who need to do the following for all users:

The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader:

Full access to enterprise applications, application registrations, and application proxy settings.

Create application registrations and consent to app access on their behalf.

Can require users to re-register authentication for non-password credentials, like MFA.

Makes purchases, manages subscriptions, manages service requests, and monitors service health.

Full access to enterprise applications and application registrations. No application proxies.

Enables, disables, and deletes devices and can read Windows 10 BitLocker keys.

Manages labels for the Azure Information Protection policy, manages protection templates and activates protection.

Keeps track of data, makes sure it's protected, gets insights into issues, and helps mitigate risk.

Manages regulatory requirements and eDiscovery cases, maintains data governance for locations, identities, and apps.

Manages Azure Active Directory conditional access settings, but not Exchange ActiveSync conditional access policy.
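
This page's guidance (2 to 4 global admins, MFA for every admin, and the Helpdesk admin's limited scope) expressed as a check. This is an added example, not part of the original page or of Microsoft's tooling; the export format, field names, and accounts are constructed assumptions.

```python
# Added example: audits a constructed role-assignment export against this page's guidance.
from collections import defaultdict

# Roles the page says a Helpdesk admin may still assist (besides non-admin users).
HELPDESK_SCOPE = {"Directory reader", "Guest inviter", "Helpdesk admin",
                  "Message center reader", "Reports reader"}

# Constructed sample data; field names are assumptions, not a Microsoft export format.
ASSIGNMENTS = [
    {"user": "alice@example.com", "role": "Global admin", "mfa": True},
    {"user": "bob@example.com", "role": "Global admin", "mfa": False},
    {"user": "carol@example.com", "role": "Helpdesk admin", "mfa": True},
    {"user": "dave@example.com", "role": "Exchange admin", "mfa": False},
    {"user": "dave@example.com", "role": "Reports reader", "mfa": False},
    {"user": "erin@example.com", "role": "Global reader", "mfa": True},
]


def roles_by_user(assignments):
    """Group role names per user."""
    roles = defaultdict(set)
    for a in assignments:
        roles[a["user"]].add(a["role"])
    return roles


def audit(assignments, min_ga=2, max_ga=4):
    """Return findings for the global admin count and for role holders without MFA."""
    findings = []
    roles = roles_by_user(assignments)
    global_admins = sorted(u for u, r in roles.items() if "Global admin" in r)
    if not min_ga <= len(global_admins) <= max_ga:
        findings.append(f"global admin count {len(global_admins)} outside {min_ga}-{max_ga}")
    # Assumption: any account holding a role counts as an admin; one row without MFA flags it.
    no_mfa = sorted({a["user"] for a in assignments if not a["mfa"]})
    findings += [f"{user} holds {', '.join(sorted(roles[user]))} without MFA" for user in no_mfa]
    return findings


def helpdesk_can_help(target_roles):
    """True when the target is a non-admin or holds only roles in the Helpdesk admin's scope."""
    return set(target_roles) <= HELPDESK_SCOPE


if __name__ == "__main__":
    for line in audit(ASSIGNMENTS):
        print(line)
```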