AIP Roles and labeling.

Connor Johnston 96 Reputation points
2019-12-17T18:15:51.91+00:00

I'm trying to help my administrator give me proper roles for setting up labels and policies in Azure Information Protection. I had him assign me AIP administrator and Security administrator. Then in our microsoft security and compliance center, I had him add me to the Security administrators group. I could now get to the security and compliance center and make sensitivity labels there with no problem.

Now when I go back to AIP to create labels there, It gives me an insufficient roles error:alt text

Shouldn't I have these roles now? I know the help page says there's a difference between exchange and o365 roles, but I'm pretty sure I'm in o365.

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
523 questions
0 comments No comments
{count} votes

Accepted answer
  1. Connor Johnston 96 Reputation points
    2019-12-19T15:31:09.78+00:00

    This one was easier. I didn't know that Azure could take up to 30 mins to fill out the back end.

    I was eventually able to make labels after that time period with no changes to my roles.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Branden_Naidoo 1 Reputation point
    2019-12-18T18:06:16.043+00:00

    RBAC for Azure should follow the below hierarchical level, probably need to be compliance administrator on O365

    "The inheritance order for scope is Management group, Subscription, Resource group, Resource. For example, if you assigned a Contributor role to a group at the Subscription scope level, it will be inherited by all Resource groups and Resources."

    a good starting point for him would be https://learn.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/

    hope this helps.

    0 comments No comments

  2. Lukas Beran 176 Reputation points
    2019-12-18T20:17:36.753+00:00

    Where do you want to create the labels? In Security & Compliance Center here https://protection.office.com/sensitivity?viewid=sensitivitylabels or in Azure portal here https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/globalBlade or ... ?

    For Security & Compliance Center, Seucirty admin role group should be enough.

    0 comments No comments