Explore the Microsoft 365 permission model

Organizations must manage security scenarios that span every Microsoft 365 service. As such, they need the flexibility to give the right administrator permission to the right people in their organization. The Microsoft 365 admin center, Microsoft Defender portal, and the Microsoft Purview compliance portal support directly managing permissions for users who perform security and compliance tasks in Microsoft 365. By using these portals to manage permissions, you can manage permissions centrally for all tasks related to security and compliance. The following sections provide a brief summary of each of these portals. The unit then examines how roles and role groups enable you to manage permissions in each portal.

Microsoft 365 admin center

The Microsoft 365 admin center provides robust capabilities for managing permissions within an organization's Microsoft 365 environment. It supports permission management through various features, including:

  • User and group management. The admin center allows administrators to create and manage user accounts and groups. Administrators can assign roles and permissions to individual users or groups, granting them access to specific Microsoft 365 services and resources.
  • Azure role-based access control (RBAC). The admin center implements Azure RBAC, which enables administrators to assign predefined roles with specific permissions to users. These roles include Global administrator, User management administrator, Exchange administrator, SharePoint administrator, and more. Administrators can assign appropriate roles that control access and limit permissions based on job responsibilities.
  • Service-specific permission management. Within the Microsoft 365 admin center, administrators can manage permissions for various Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. They can grant or restrict access to specific features and functions within these services, allowing fine-grained control over user capabilities.
  • Application and app permissions. Administrators can manage permissions for applications and app integrations within the admin center. This process includes granting consent to third-party apps to access Microsoft 365 data on behalf of users. It also includes managing app permissions and controlling access to organizational data by external applications.

The Microsoft 365 admin center provides a comprehensive set of tools and features to directly manage permissions within the organization's Microsoft 365 environment. It enables administrators to assign roles, configure service-specific permissions, and ensure efficient and secure access control across the Microsoft 365 ecosystem.

Microsoft Defender portal

The Microsoft Defender portal is a centralized management console that provides security teams with a comprehensive view of their organization's security posture and helps them protect their digital assets. Microsoft designed the portal for threat protection, detection, investigation, and response across various Microsoft 365 services.

Some key functionalities of the Microsoft Defender portal include:

  • Threat investigation. The Microsoft Defender portal allows security analysts to investigate and respond to security threats across Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and more. It provides a unified view of security alerts and helps identify potential threats.
  • Incident management. Administrators can use the Microsoft Defender portal to track, manage, and collaborate upon security incidents within the portal. It enables security teams to triage, assign ownership, and track the progress of incidents, ensuring timely resolution.
  • Advanced hunting. The Microsoft Defender portal provides access to powerful query-based hunting capabilities. Security analysts can use the Microsoft Defender XDR Advanced Hunting language (Kusto Query Language) to search for specific indicators of compromise (IOCs) or investigate potential threats proactively.
  • Threat analytics. The Microsoft Defender portal offers security reports and insights, using advanced analytics and machine learning. This functionality helps organizations understand their security posture, identify trends, and prioritize actions. Organizations can use these insights to strengthen security policies and implement proactive measures.
  • Integration with Microsoft 365 services. The Microsoft Defender portal integrates with other Microsoft security services, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Cloud App Security. This integration provides a holistic view of security across the organization.

The Microsoft Defender portal serves as a central hub for security operations in Microsoft 365. It enables security teams to effectively detect, investigate, and respond to threats while enhancing the overall security posture of the organization.

Microsoft Purview compliance portal

The Microsoft Purview compliance portal is a centralized hub within Microsoft 365 that helps organizations meet their regulatory and compliance requirements. It provides a range of tools, features, and resources to manage compliance-related tasks, assess risk, and protect sensitive data.

Some key functionalities of the Microsoft Purview compliance portal include:

  • Compliance management. The Microsoft Purview compliance portal allows organizations to define and manage compliance policies based on industry regulations and internal requirements. It provides a framework to track and monitor compliance activities across Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and more.
  • Data protection. The Microsoft Purview compliance portal offers features to help protect sensitive data and ensure compliance with privacy regulations. These features include data loss prevention (DLP) policies, information barriers, sensitivity labels, and advanced data governance capabilities.
  • Risk assessment and insights. The Microsoft Purview compliance portal provides tools to assess and mitigate risks associated with data and compliance. It offers features like Compliance Score, which assesses an organization's compliance posture and provides recommendations for improvement. It also includes advanced analytics and insights to identify data risks and trends.
  • E-discovery and legal hold. The Microsoft Purview compliance portal facilitates the discovery and preservation of electronically stored information (ESI) for legal and regulatory purposes. It provides capabilities for searching, identifying, and exporting relevant data across Microsoft 365 services, ensuring organizations can respond to legal requests and litigation requirements.
  • Compliance reporting and auditing. The Microsoft Purview compliance portal offers reporting capabilities to monitor and audit compliance activities within the organization. The portal provides predefined compliance reports, plus the ability to create custom reports, helping organizations demonstrate adherence to regulatory requirements.
  • Collaboration and training. The Microsoft Purview compliance portal provides collaboration features to enable cross-functional teams to work together on compliance-related tasks. It also offers training resources and best practices to help organizations educate their employees on compliance requirements and promote a culture of compliance.

The Microsoft Purview compliance portal helps organizations manage their compliance obligations, protect sensitive data, and mitigate risks within their Microsoft 365 environment. Microsoft designed the portal to help simplify compliance management, streamline processes, and provide the necessary tools to meet regulatory requirements.

Administrator roles

Organizations use administrator roles in Microsoft Entra ID to manage all products in Microsoft 365.

Important

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

Microsoft 365 uses a permission model referred to as Azure Role-Based Access Control (RBAC). The Azure RBAC model makes it easy to assign permissions to a user. In Microsoft 365, an administrator can assign each user a role that has predefined permissions assigned to it. So instead of assigning multiple permissions to a user, you assign them a role that has those permissions defined. This model makes permission management much more efficient and effective.

Microsoft 365 provides several predefined administrator roles, which provide permissions to do administrative tasks. As such, a Microsoft 365 administrator must carefully plan which users to assign to each role. It's important that you ensure those people are responsible and trustworthy. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Microsoft 365 admin center.

To manage permissions, you must either be a Global administrator or a member of the Organization Management role group. Specifically, the Role Management role allows users to view, create, and modify role groups in the Microsoft Defender portal. By default, the system assigns the Role Management role to the Organization Management role group.

Other online services have their own permission models. For example, Exchange Online uses a model similar to Azure RBAC to define administrator roles. However, it also uses a security model based on individual permissions for its mailboxes. SharePoint Online has its own security permission model based on security groups, permissions, and permission levels. This model enables administrators to assign individual permissions or groups of permissions to its resources, such as site collections, sites, and documents.

Relationship of members, roles, and role groups

Permissions in the Microsoft Defender portal and the Microsoft Purview compliance portal are based on the Azure RBAC permissions model. In fact, Azure RBAC is the same permissions model used by most Microsoft 365 services. The RBAC permission model centers around two components: roles and role groups.

Roles

Microsoft 365 and Office 365 subscriptions come with a set of pre-defined administrator roles that you can assign to users in your organization using the Microsoft 365 admin center. Each administrator role maps to common business functions. Roles give people in your organization permission to do specific tasks in the admin centers.

The Microsoft 365 admin center lets you manage Microsoft Entra roles, Exchange Online roles, and Microsoft Intune roles. However, these roles are a subset of the roles available in the Microsoft Entra admin center and the Intune admin center. You can also manage permissions in the Microsoft Defender portal and the Microsoft Purview compliance portal. Finally, you can use Microsoft Entra Privileged Identity Management (PIM) to limit standing access to privileged administrator roles.

Role groups

A role group consists of a set of roles that lets people do their jobs. For example, the Compliance Manager Administrators role group, which manages template creation and modification, consists of the following roles:

  • Compliance Manager Administrator
  • Compliance Manager Assessment
  • Compliance Manager Contribution
  • Compliance Manager Reader
  • Data Connector Administrator

A user assigned to the Compliance Manager Administrators role group possesses all the permissions assigned to each role in this role group.

The Microsoft Defender portal and Microsoft Purview compliance portal include default role groups for the most common tasks and functions that a Microsoft 365 administrator assigns. As a best practice, Microsoft recommends that organizations add individual users as members to the default role groups. To access these portals, a user must either be a Global administrator or a member of one or more groups in the Microsoft Defender portal or the Microsoft Purview compliance portal.

Additional reading. For a detailed list of the roles assigned to each role group in Microsoft 365, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.
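The role group relationships described above (a role group bundles roles, a member inherits every role in the group, and the Role Management role controls who can change role groups) can be inspected from the Security & Compliance PowerShell endpoint that backs the Defender and Purview portals. The following script is an added example, not code from this unit or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Role Management role (by default through the Organization Management role group), and that the Roles property of a role group lists role names as plain strings.

```powershell
# Added example (not part of the original unit): audit role groups and their
# members in Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the account used has
# the Role Management role; Get-RoleGroup exposes role names as strings.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

# 1. Resolve a role group to the roles it bundles, using the Compliance Manager
#    Administrators role group from the text as the example.
$rg = Get-RoleGroup -Identity "Compliance Manager Administrators"
"Roles bundled in '$($rg.Name)':"
$rg.Roles | Sort-Object | ForEach-Object { "  $_" }

# 2. Every member of the group holds all of those roles, so list the members.
"Members of '$($rg.Name)':"
Get-RoleGroupMember -Identity $rg.Identity |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize

# 3. Role groups that carry the Role Management role can create or modify other
#    role groups. List them with their members so that membership can be
#    reviewed; by default only Organization Management should appear.
Get-RoleGroup |
    Where-Object { $_.Roles -contains "Role Management" } |
    ForEach-Object {
        [pscustomobject]@{
            RoleGroup = $_.Name
            Members   = (Get-RoleGroupMember -Identity $_.Identity).Name -join ", "
        }
    } |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the check a practitioner cares about most: an unexpected role group or member in that output means someone outside the intended administrators can change permissions for the whole portal.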

Types of roles and role groups in Microsoft 365

The following types of roles and role groups are available in Microsoft 365:

  • Microsoft Entra roles. Microsoft Entra roles are central roles that assign permissions for all Microsoft 365 services. You can view the roles and assigned users in the Microsoft 365 admin center, Microsoft Entra admin center, Microsoft Defender portal, and the Microsoft Purview compliance portal. However, you can only manage the roles in the Microsoft Entra admin center.
  • Email and collaboration roles. The permissions that you assign here are specific to the Microsoft Defender portal and the Microsoft 365 Purview compliance portal. However, they don't cover all the permissions needed in other Microsoft 365 workloads. Other online services such as Exchange Online and SharePoint Online have their own permission models. You manage these service-specific roles in their respective portals.
  • Cloud Apps roles. This section allows you to manage who can view cloud apps content and take actions.
  • Microsoft Purview solutions. This section allows you to manage role groups in the Microsoft Purview compliance portal.

Additional reading. For more information on all the Azure RBAC roles available in Microsoft 365, see Office 365 admin roles.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1. What permission model are the administrator roles in Microsoft 365 based upon?