Manage roles across the Microsoft 365 ecosystem


Administrators can maintain roles in different places, depending on the scope and level of the role. The Microsoft 365 admin center is the main place where administrators manage the built-in and custom roles that apply across most of the platform. However, some services and applications within Microsoft 365 have their own roles that are specific to their functionality and features. For example, Microsoft Entra ID, Microsoft Defender, and Microsoft Purview each maintain roles that are separate from the ones shown in the Microsoft 365 admin center. These roles resemble the Microsoft 365 roles in that they're based on permissions and assignments, but they're scoped and managed within their respective service or application, from that service's own portal or interface. Administrators maintain scopes and assignments in the same place where they maintain roles, because scopes and assignments are part of the role definition and configuration.

Important

Azure Active Directory (Azure AD) is now Microsoft Entra ID.

The Microsoft 365 admin center is the main portal for managing and configuring the Microsoft 365 environment. It provides a centralized and unified view of all the Microsoft 365 services and features, and allows administrators to perform various tasks, such as creating and managing users, devices, licenses, policies, settings, and reports. The Microsoft 365 admin center also allows administrators to assign roles and role groups to users, and to create and manage custom role groups. Role groups are examined in greater detail in a later unit in this module.

Role maintenance across Microsoft 365

The Microsoft 365 admin center maintains a set of roles that are applicable to all or most of the Microsoft 365 services and features. These roles include the global roles, such as Global Administrator and Global Reader, and some of the service-specific and feature-specific roles, such as Exchange Administrator, SharePoint Administrator, Security Administrator, and Compliance Administrator. These roles are usually the primary roles that administrators use to manage and configure the Microsoft 365 environment.

In comparison, some of the Microsoft 365 services and features have their own dedicated portals and admin centers, where administrators can perform more advanced and granular tasks; Microsoft Entra ID, Microsoft Defender XDR, and Microsoft Purview are examples. These services and features also maintain their own sets of roles, which are specific to their functionalities and capabilities. These roles are also known as service or workload roles. They're the secondary roles that administrators use to manage and configure the specific services and features.

The Microsoft 365 admin center enables you to manage Microsoft Entra roles, plus Exchange and Intune roles. You can create role groups (also known as role-assignable groups) in the Microsoft 365 admin center that can contain one or more roles. You can then assign role groups to users, in which case they inherit the roles that were assigned to the role groups of which they're a member.

While Microsoft Entra roles are tenant-wide, Exchange, Intune, and Purview roles are workload roles. When dealing with workload roles and role groups, you assign them in slightly different ways and to different identities. You can assign:

  • Microsoft Entra roles to users and role-assignable groups.
  • Exchange roles to users and mail-enabled security groups, through Exchange role groups.
  • Intune roles to security groups.
  • Microsoft Purview compliance roles to users and mail-enabled security groups, through Purview role groups.
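The first bullet, assigning a Microsoft Entra role to a role-assignable group, is the pattern most worth getting right, because a role-assignable group turns group membership into administrative privilege. The following PowerShell is an added example using the Microsoft Graph PowerShell SDK; it is not code from the Microsoft Learn page. The group name, mail nickname, and user principal name are illustrative, and it assumes an account holding Privileged Role Administrator or Global Administrator, plus the Microsoft Entra ID P1 license that role-assignable groups require.

```powershell
# Added example (not from the original page): assign a Microsoft Entra role to a
# role-assignable group with the Microsoft Graph PowerShell SDK, then list everyone who
# holds that role, directly or through a group. Names and UPNs are illustrative.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.ReadWrite.All", "Directory.Read.All"

# 1. Create the group with -IsAssignableToRole. The flag cannot be changed after creation,
#    and membership of such a group can only be altered by Global Administrators,
#    Privileged Role Administrators, and the group's owners. That restriction is what stops
#    an ordinary group owner from adding themselves to an admin role.
$group = New-MgGroup -DisplayName "Exchange Admins (role-assignable)" `
    -MailNickname "exo-admins-ra" -MailEnabled:$false -SecurityEnabled `
    -IsAssignableToRole -Description "Members receive the Exchange Administrator Entra role"

# 2. Look up the built-in role definition by name rather than hard-coding a template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# 3. Assign the role to the group at tenant scope ("/"). Pass an administrative unit's
#    "/administrativeUnits/<id>" here instead to limit the assignment to part of the directory.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null

# 4. Add a member. Because the role sits on the group, the user inherits it immediately.
$user = Get-MgUser -UserId "adele.vance@contoso.example"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 5. The check: who holds a given Entra role, including through group membership?
function Get-EntraRoleHolders {
    param([Parameter(Mandatory)][string]$RoleDisplayName)

    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -All |
        ForEach-Object {
            $assignment = $_
            $principal  = Get-MgDirectoryObject -DirectoryObjectId $assignment.PrincipalId
            if ($principal.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
                # Expand the group so indirect holders are visible too.
                Get-MgGroupMember -GroupId $assignment.PrincipalId -All | ForEach-Object {
                    [pscustomobject]@{
                        Principal = $_.AdditionalProperties['userPrincipalName']
                        Via       = $principal.AdditionalProperties['displayName']
                        Scope     = $assignment.DirectoryScopeId
                    }
                }
            } else {
                # Users and service principals; service principals have no UPN.
                $name = $principal.AdditionalProperties['userPrincipalName']
                if (-not $name) { $name = $principal.AdditionalProperties['displayName'] }
                [pscustomobject]@{ Principal = $name; Via = 'Direct'; Scope = $assignment.DirectoryScopeId }
            }
        }
}

Get-EntraRoleHolders -RoleDisplayName "Exchange Administrator" | Format-Table -AutoSize
```

Step 3 creates a permanent (active) assignment. For standing admin roles, a time-bound eligible assignment through Privileged Identity Management is the safer default; the same group can be made eligible for the role instead of being assigned it outright. Run the check in step 5 on a schedule for every privileged role, because a group-based assignment hides its individual holders from a glance at the role itself.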

Note

While you can create role groups in Exchange Online and manage them through the Exchange admin center, you can't assign the Exchange role groups in the Microsoft 365 admin center. You can use the Microsoft 365 admin center to assign Exchange roles, but not Exchange role groups.

It's also important to understand the differences and relationships between the roles that are maintained in the Microsoft 365 admin center and the roles that are maintained in the other services. With this knowledge, you can assign the appropriate roles and role groups to users, depending on their responsibilities and tasks. For example, the Exchange Administrator role that you assign in the Microsoft 365 admin center is a Microsoft Entra role. Exchange Online honors it by treating its holders as members of the Organization Management role group, so they can perform every Exchange Online task, from creating mailboxes, groups, and policies to managing connectors, transport rules, and mail flow. Exchange Online also has its own role-based access control, managed in the Exchange admin center or Exchange Online PowerShell and separate from Microsoft Entra roles: management roles (such as Transport Rules or Mail Recipients) that are bundled into role groups and assigned to users or mail-enabled security groups. Use it when the Entra role is broader than a person needs, for example to give a mail-flow team permission over transport rules but nothing over mailboxes. These Exchange roles can also be customized and scoped, such as by copying a built-in role and removing cmdlets from it to create a read-only subrole, or by restricting a role group's write scope to part of the organization.
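The least-privilege alternative described above, in Exchange Online's own RBAC, as an added example that is not code from the Microsoft Learn page. It uses the ExchangeOnlineManagement module; the role group name, the custom role name, and the member address are illustrative.

```powershell
# Added example (not from the original page): Exchange Online RBAC, managed with the
# ExchangeOnlineManagement module. Role group, custom role, and member names are illustrative.
Connect-ExchangeOnline

# 1. Check: holders of the Microsoft Entra "Exchange Administrator" role are surfaced here
#    as members of Organization Management, alongside anyone added to the group directly.
Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object Name, RecipientType

# 2. A role group for a mail-flow team that carries only the management roles it needs.
#    Members can be users or mail-enabled security groups.
New-RoleGroup -Name "Mail Flow Operators" `
    -Roles "Transport Rules", "Remote and Accepted Domains", "View-Only Configuration" `
    -Members "mailflow-team@contoso.example" `
    -Description "Manage transport rules and accepted domains; no recipient permissions"

# 3. A custom read-only subrole: clone a built-in role, then remove every role entry that
#    is not a Get-* cmdlet, so the role can inspect recipients but never change them.
New-ManagementRole -Name "Recipient Viewer" -Parent "Mail Recipients" | Out-Null
Get-ManagementRoleEntry -Identity "Recipient Viewer\*" |
    Where-Object { $_.Name -notlike "Get-*" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Verify what the new role group can actually run: the roles it holds and the scopes
#    those roles are limited to. Compare with Organization Management to see the difference.
Get-ManagementRoleAssignment -RoleAssignee "Mail Flow Operators" |
    Select-Object Name, Role, RecipientWriteScope, ConfigWriteScope

# 5. The same check for the custom role, listing the cmdlets it still grants.
Get-ManagementRoleEntry -Identity "Recipient Viewer\*" | Select-Object Name
```

Before relying on a built-in role's name, inspect its entries with `Get-ManagementRoleEntry "<Role>\*"`: the cmdlets a role grants are the permissions that matter, and two roles with similar names can differ considerably in what they allow.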

Similarly, the Security Administrator role that you assign in the Microsoft 365 admin center is a Microsoft Entra role that the Microsoft Defender portal honors: its holders can manage security policies, alerts, incidents, investigations, and response actions across the Defender workloads. Microsoft Defender XDR also has its own permission model, Microsoft Defender XDR Unified role-based access control (RBAC), which is managed in the Microsoft Defender portal. With it, you create custom roles from granular permission groups (for example, the ability to read alerts and incidents without taking response actions) and assign them to Microsoft Entra users or groups, scoped to specific workloads such as Defender for Endpoint or Defender for Office 365. Global Microsoft Entra roles such as Global Administrator, Security Administrator, Security Operator, Security Reader, and Global Reader continue to be honored after Unified RBAC is activated, so activating it doesn't by itself narrow what those roles can do; it adds the ability to grant less than they grant.

The following table summarizes the roles and their locations.

Service or application | Roles | Location
Microsoft 365 | Built-in and custom roles (Microsoft Entra roles and role groups) | Microsoft 365 admin center
Microsoft Entra ID | Directory roles for identity, access, and governance | Microsoft Entra ID portal
Microsoft Defender XDR | Security roles (Unified RBAC) | Microsoft Defender portal
Microsoft Purview | Compliance role groups | Microsoft Purview compliance portal

Organizations must manage security scenarios that span every Microsoft 365 service. As such, they need the flexibility to give the right administrator permission to the right people in their organization. The Microsoft 365 admin center, Microsoft Defender portal, and the Microsoft Purview compliance portal support directly managing permissions for users who perform security and compliance tasks in Microsoft 365. By using these portals to manage permissions, you can manage permissions centrally for all tasks related to security and compliance.

The following sections provide a summary of each of these portals.

Microsoft 365 admin center

The Microsoft 365 admin center provides robust capabilities for managing permissions within an organization's Microsoft 365 environment. It supports permission management through various features, including:

  • User and group management. The Microsoft 365 admin center allows administrators to create and manage user accounts and groups. Administrators can assign roles and permissions to individual users or groups, granting them access to specific Microsoft 365 services and resources.
  • Microsoft Entra role-based access control (RBAC). The admin center assigns Microsoft Entra roles, predefined roles with specific permissions, to users and role-assignable groups. These roles include Global Administrator, User Administrator, Exchange Administrator, SharePoint Administrator, and more. Administrators can assign appropriate roles that control access and limit permissions based on job responsibilities. (These are distinct from Azure RBAC roles, which govern Azure resources rather than Microsoft 365.)
  • Service-specific permission management. Within the Microsoft 365 admin center, administrators can manage permissions for various Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams. They can grant or restrict access to specific features and functions within these services, allowing fine-grained control over user capabilities.
  • Application and app permissions. Administrators can manage permissions for applications and app integrations within the admin center. This process includes granting consent to third-party apps to access Microsoft 365 data on behalf of users. It also includes managing app permissions and controlling access to organizational data by external applications.

The Microsoft 365 admin center provides a comprehensive set of tools and features to directly manage permissions within the organization's Microsoft 365 environment. It enables administrators to assign roles, configure service-specific permissions, and ensure efficient and secure access control across the Microsoft 365 ecosystem.

Microsoft Entra ID portal

Microsoft Entra ID is an Identity as a Service (IDaaS) solution that offers robust features for managing identity and access. For security teams, Microsoft Entra ID provides essential functionalities to enhance security posture and protect organizational resources. The roles maintained in the Microsoft Entra ID portal are secondary and specific roles that grant permissions to perform tasks in Microsoft Entra ID, such as creating and managing identities, access policies, and governance. Some of the Microsoft Entra ID roles are the same roles that the Microsoft 365 admin center exposes, such as User Administrator and Global Reader. Others are specific to identity and governance tasks, such as Conditional Access Administrator, Privileged Role Administrator, and Identity Governance Administrator.

Some of the key security features in the Microsoft Entra ID portal include:

  • Conditional access policies. Security teams can define granular access policies based on factors like user location, device type, and risk profile. Doing so allows them to enforce specific security measures for different scenarios.
  • Risk-based authentication. Microsoft Entra ID evaluates user behavior and context to determine risk levels. Security teams can implement extra authentication steps when suspicious activity is detected, bolstering security.
  • Identity insights and monitoring. The portal offers visibility into user identities, sign-in activity, and license utilization. Security teams can monitor trends, detect anomalies, and respond promptly to potential threats.
  • Passwordless authentication. Because Microsoft Entra ID supports passwordless authentication, it reduces reliance on traditional passwords, mitigating common security risks associated with password-based access.
  • Data residency and security. Microsoft Entra ID securely manages identity and access data in the cloud, enabling mobility scenarios while ensuring robust security measures for organizations.

The Microsoft Entra ID portal serves as a pivotal hub for identity management and access control. It empowers security teams to efficiently manage user identities, enforce access policies, and enhance overall security across the organization.

Microsoft Defender portal

The Microsoft Defender portal is a centralized management console that provides security teams with a comprehensive view of their organization's security posture and helps them protect their digital assets. Microsoft designed the portal for threat protection, detection, investigation, and response across various Microsoft 365 services. The roles maintained in the Microsoft Defender portal are secondary and specific roles that grant permissions to perform tasks in Microsoft Defender XDR, such as creating and managing incidents, investigations, and actions. Some of the roles honored in the Microsoft Defender portal are the Microsoft Entra roles assigned in the Microsoft 365 admin center, such as Security Administrator, Security Operator, and Security Reader. Other permissions are unique to the service and are defined as Microsoft Defender XDR Unified RBAC custom roles, for example a role limited to alert triage and response actions in a single workload.

Some key functionalities of the Microsoft Defender portal include:

  • Threat investigation. The Microsoft Defender portal allows security analysts to investigate and respond to security threats across Microsoft 365 services. For example, Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and more. It provides a unified view of security alerts and helps identify potential threats.
  • Incident management. Administrators can use the Microsoft Defender portal to track, manage, and collaborate upon security incidents within the portal. It enables security teams to triage, assign ownership, and track the progress of incidents, ensuring timely resolution.
  • Advanced hunting. The Microsoft Defender portal provides access to powerful query-based hunting capabilities. Security analysts can use Kusto Query Language (KQL) in advanced hunting to search for specific indicators of compromise (IOCs) or investigate potential threats proactively.
  • Threat analytics. The Microsoft Defender portal offers security reports and insights, using advanced analytics and machine learning. This functionality helps organizations understand their security posture, identify trends, and prioritize actions. Organizations can use these insights to strengthen security policies and implement proactive measures.
  • Integration with Microsoft 365 services. The Microsoft Defender portal integrates with other Microsoft security services, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). This integration provides a holistic view of security across the organization.

The Microsoft Defender portal serves as a central hub for security operations in Microsoft 365. It enables security teams to effectively detect, investigate, and respond to threats while enhancing the overall security posture of the organization.

Microsoft Purview compliance portal

The Microsoft Purview compliance portal is a centralized hub within Microsoft 365 that helps organizations meet their regulatory and compliance requirements. It provides a range of tools, features, and resources to manage compliance-related tasks, assess risk, and protect sensitive data. The roles maintained in the Microsoft Purview compliance portal are role groups, separate from Microsoft Entra roles, each of which bundles the permissions for compliance tasks such as eDiscovery, data loss prevention, retention, and audit. Some role groups correspond to Microsoft Entra roles assigned in the Microsoft 365 admin center, such as Compliance Administrator and Compliance Data Administrator. Others exist only in Purview, such as eDiscovery Manager and Records Management. The data governance roles for the Purview Data Map (such as Data Source Administrator and Data Curator) are managed separately in the Microsoft Purview governance portal, not in the compliance portal.
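Because these role groups live outside Microsoft Entra, a review of who holds compliance privileges has to query Purview itself. The following is an added example using Security & Compliance PowerShell (the ExchangeOnlineManagement module), not code from the Microsoft Learn page. The list of role groups treated as privileged and the analyst's address are assumptions for this example.

```powershell
# Added example (not from the original page): audit membership of privileged Microsoft
# Purview compliance role groups with Security & Compliance PowerShell. The set of role
# groups treated as privileged, and the member address, are assumptions for this example.
Connect-IPPSSession

$privilegedRoleGroups = @(
    "Organization Management",      # full control over the compliance portal
    "Compliance Administrator",     # mapped from the Entra Compliance Administrator role
    "Compliance Data Administrator",
    "eDiscovery Manager"            # can search and export content across mailboxes and sites
)

# 1. For each role group, report the roles it carries and who is in it. A membership
#    count that grows quietly over time is the usual sign of privilege creep here.
function Get-ComplianceRoleGroupReport {
    param([string[]]$RoleGroups)

    foreach ($rg in $RoleGroups) {
        $group   = Get-RoleGroup -Identity $rg
        $members = @(Get-RoleGroupMember -Identity $rg)
        [pscustomobject]@{
            RoleGroup   = $rg
            Roles       = ($group.Roles -join ", ")
            MemberCount = $members.Count
            Members     = ($members.Name -join ", ")
        }
    }
}

Get-ComplianceRoleGroupReport -RoleGroups $privilegedRoleGroups | Format-Table -AutoSize

# 2. Grant an analyst eDiscovery Manager membership. This is the narrower of the two
#    eDiscovery tiers: members see only cases they are assigned to.
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member "analyst@contoso.example"

# 3. eDiscovery Administrator is a subgroup of eDiscovery Manager whose members can see
#    every case in the organization. It is managed with its own cmdlets, so include it in
#    the review; Get-RoleGroupMember on "eDiscovery Manager" alone does not distinguish it.
Get-eDiscoveryCaseAdmin
```

Compare the output of step 1 with the holders of the corresponding Microsoft Entra roles: a user who is in both the Entra Compliance Administrator role and a Purview role group with broader permissions effectively has the union of the two, and that union is what an incident responder needs to know.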

Some key functionalities of the Microsoft Purview compliance portal include:

  • Compliance management. The Microsoft Purview compliance portal allows organizations to define and manage compliance policies based on industry regulations and internal requirements. It provides a framework to track and monitor compliance activities across Microsoft 365 services, such as Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and more.
  • Data protection. The Microsoft Purview compliance portal offers features to help protect sensitive data and ensure compliance with privacy regulations. These features include data loss prevention (DLP) policies, information barriers, sensitivity labels, and advanced data governance capabilities.
  • Risk assessment and insights. The Microsoft Purview compliance portal provides tools to assess and mitigate risks associated with data and compliance. It offers features like Compliance Manager, which scores an organization's compliance posture against regulatory assessments and provides recommended improvement actions. It also includes advanced analytics and insights to identify data risks and trends.
  • E-discovery and legal hold. The Microsoft Purview compliance portal facilitates the discovery and preservation of electronically stored information (ESI) for legal and regulatory purposes. It provides capabilities for searching, identifying, and exporting relevant data across Microsoft 365 services. Doing so ensures organizations can respond to legal requests and litigation requirements.
  • Compliance reporting and auditing. The Microsoft Purview compliance portal offers reporting capabilities to monitor and audit compliance activities within the organization. The portal provides predefined compliance reports, plus the ability to create custom reports, helping organizations demonstrate adherence to regulatory requirements.
  • Collaboration and training. The Microsoft Purview compliance portal provides collaboration features to enable cross-functional teams to work together on compliance-related tasks. It also offers training resources and best practices to help organizations educate their employees on compliance requirements and promote a culture of compliance.

The Microsoft Purview compliance portal helps organizations manage their compliance obligations, protect sensitive data, and mitigate risks within their Microsoft 365 environment. Microsoft designed the portal to help simplify compliance management, streamline processes, and provide the necessary tools to meet regulatory requirements.