Are your privileged accounts putting your business at risk? 

According to a survey by security services provider Centrify, 66% of companies have been breached five times or more, and 74% of these breaches involved access to a privileged account. 

If a malicious third party manages to gain access to one of your privileged accounts, then the effects can be devastating. A hacker could potentially use a single privileged account to gain access to all of your confidential customer and company data, and change your security settings, locking you out of your own accounts! 

To reduce your risk, it’s vital that your staff only have access to the permissions they actually need. By minimizing access, you can significantly reduce the attack surface and dramatically decrease your chances of falling victim to a devastating privileged breach. 

To help protect their customers, Microsoft provides a powerful Role Based Access Control (RBAC) model that lets you control exactly how permissions are used across your organization. 

In this article, we’ll explore how you can use the Office 365 Security & Compliance Center (SCC) to deploy this RBAC model, and protect your business against privileged credential abuse.

Protect your business, with Role Based Access Control

Microsoft’s SCC is a console that lets you quickly and easily assign permissions to employees who perform compliance tasks, such as device management, eDiscovery, and data loss prevention. 

By using SCC to assign only the permissions an employee requires in order to perform their job, you can reduce your attack surface and make your business less vulnerable to privileged permission attacks. 

Microsoft’s permissions are based on the RBAC permissions model, where you assign each employee a role group, such as Security Reader, Insider Risk Management Admin or MailFlow Administrator. Each employee then automatically inherits the minimum permissions required to perform this role. 

The key to a successful RBAC model is to ensure that as the number of permissions associated with a particular role group increases, the number of people assigned to that role decreases - so if you have more Organization Management users than Security Readers, then this may indicate a problem with how you’re using the RBAC model. 

In this article, we’ll explore all the role groups that SCC provides by default, before demonstrating how to assign these groups to your employees - but first, you’ll need to gain access to the SCC console. 

How to access Microsoft’s Security & Compliance Center

By default, only your Office 365 Global Admins can access the SCC. However, once your admin logs into this console they’ll be able to grant other employees access, via permissions. 

To get started with the SCC, your Office 365 admin needs to log into the Security & Compliance Center and then select “Permissions” from the left-hand menu. 

Your admin will now have access to all the default role groups, and can assign these roles to your Office 365 users. 

Note that some SCC group roles have similar names to the role groups in Exchange Online, but group memberships are not shared between Exchange Online and the SCC. 

Let’s take a closer look at all the role groups that SCC supports:

Reviewer 

Members of this group have read-only access to the analysis features in Office 365 eDiscovery, which is a tool that allows organizations to search and export Office 365 content. 

Reviewers can use eDiscovery to create and manage Core eDiscovery cases, add and remove members, create and edit searches, export content from eDiscovery cases, and place an eDiscovery hold on content locations, including SharePoint sites, OneDrive accounts, Microsoft Teams and Exchange mailboxes. 

Records Management 

Members of this role group have permission to manage and dispose record content. 

Insider Risk Management Admins

You can use this group to configure insider risk management and then segregate insider risk administrators into a defined group. Insider Risk Management Admins can create, read, edit, and delete insider risk management policies, delete insider risk management permissions and roles, and define global settings. 

Compliance Data Administrator

Members of this group can manage the settings for data loss prevention, data subject requests, device management, reports, and preservation. 

You’ll typically assign the Compliance Data Administrator group to compliance officers and admins who need to track your organization's data, make sure it’s protected, and help with risk mitigation. 

Insider Risk Management

You can use this role to configure insider risk management for all employees who need to identify and minimize internal risks and threats, including administrators, analysts, and investigators. 

Members of the Insider Risk Management group can create policies and then receive alerts based on these policies, allowing them to respond to suspicious activities. 

Content Explorer List Viewer

Members of this group can see each item in its location in a list format. 

Content Explorer Content Viewer

Unlike Content Explorer List Viewer, members of this group can view the content of each item. 

Insider Risk Management Analysts

You can use this group to assign permissions to your risk case analysts. 

Insider Risk Management Analysts can access all risk management alerts, cases, and notice templates, and can triage relevant insider risk management alerts, and action on cases. However, Insider Risk Management Analysts cannot access the insider risk Content Explorer. 

IRM Contributors

This IRM Contributor role group allows you to manage contributor access for insider risk management. Note that although this role group is visible, it’s used by background services only. 

Security Reader

Members of this role group have global read-only access to security-related features, and can view security policies, reports and security threats. 

Security Operator

Members of this group have all the permissions of the Security Reader role, plus the ability to view, investigate and respond to security alerts, and respond to active threats to your users, devices and content. 

Organization Management

Organization Management is a group with wide access to data management. 

Members of this group can control permissions for accessing features in the SCC, including assigning eDiscovery permissions. Organization Management members can also manage settings for device management, data loss prevention, reports, and preservation. 

By default, all of your Office 365 Global Admins are added to the Organization Management group automatically. 

Security Administrator

Security Administrators can control your organization's overall security by managing security policies, reviewing security analytics and reports, managing sensitivity labels, and viewing, investigating and responding to security threats. 

Members of this role group often include cross-service administrators, external partner groups and Microsoft Support. 

Your Security Administrators inherit the capabilities of the Security Administrator role in Azure Active Directory. Note that if you edit the Security Administrator role group in the SCC, then these changes will not be copied to Azure Active Directory. However, changes made in Azure Active Directory will affect this role group in SCC. 

Supervisory Review

Supervisory Review is a group for members who are responsible for reviewing policies and ensuring the security of your communications, which is particularly important if your organization handles sensitive information. 

Members of this group can create and manage the policies and permissions for reviewing employee communications, including defining which communications should be subject to review. Communication that meets this criteria will be captured, ready to be examined by internal or external reviewers. Your reviewers can then classify these communications, check whether they’re compliant with your policies, and escalate any concerns or policy violations. 

Note that if the communication is hosted on Exchange Online, then the reviewer must also have remote PowerShell access to Exchange Online

Quarantine Administrator

Members of this group can manage and control quarantined messages, which are potentially dangerous or unwanted communications. 

Quarantine Administrators can view, release and delete all types of quarantined messages for all users, including messages that have been identified as suspected malware, spam, high confidence phishing, or messages that have been quarantined as a result of MailFlow rules. 

If your organization has Office 365 Advanced Threat Protection, then your Quarantine Administrators can also view, download, and delete quarantined files in SharePoint Online, OneDrive for Business, and Microsoft Teams. 

As part of our complete suite of cloud migration services, we offer a Microsoft 365 E5 subscription that includes all the latest Advanced Threat Protection (ATP) features.

Global Reader 

Members of this group have read-only access to reports, alerts, and the settings for all your security and compliance features. 

Since Global Readers cannot take management action, this role group acts as the read-only counterpart to Global Administrator. If an employee requires access to admin-level features and data but doesn’t specifically require read-only access, then you should assign them the Global Reader role, rather than the Global Admin role. 

Note that at the time of writing, Global Readers couldn’t access SCC audit logs. 

MailFlow Administrator

Members of this group can monitor and view MailFlow insights and reports. 

Note that if a MailFlow Administrator requires access to Exchange admin-related tasks, then you’ll need to add them to the Exchange Admin group. 

eDiscovery Manager

Members of this group can use the Content Search tool to search content locations within your organization, and perform search-related actions, such as exporting search results. 

eDisovery Managers can also place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations, create and manage eDiscovery cases, add and remove members to a case, and access case data in Advanced eDiscovery

However, eDiscovery Managers cannot access or manage cases created by other eDiscovery Managers. 

Data Investigator

Members of this group can perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations. You should use this role group for employees who need to be able to create, access and conduct data investigations. 

Service Assurance User

Members can access the Service Assurance section in the SCC, including accessing third-party reports, whitepapers, FAQs and documents related to data protection topics such as data encryption, data resiliency, and security incident management. 

You can use the information in the Service Assurance section to perform assurance reviews and regulatory risk assessments of Microsoft’s cloud services. 

Insider Risk Management Investigators

Members of this group have access to all insider risk management alerts, cases, notices, and the Content Explorer. 

Your Insider Risk Management Investigators will be able to triage alerts, investigate and action on cases, and use the Content Explorer to examine the communications captured within your alerts. 

Compliance Administrator

Members of this group can view and edit reports, and manage settings for compliance features, including data loss prevention, reports, preservation, and device management. 

Deploy RBAC: Using Office 365’s role groups 

Your Global Admin can assign users to any of the above role groups: 

● Log into the Office 365 Security & Compliance Center

● In the left-hand menu, select “Permissions.” 

● Select the group you want to add members to, and a panel should open automatically. 

● In the subsequent panel, select “Edit group role.’” 

● Select “Choose members > Choose members.”

● Give the “Add” button a click. 

● In the subsequent panel, select every user who you want to add to this group. 

● Once you’re happy with your selection, click “Add > Done > Save.” 

All of the selected users have now been added to this role group! Rinse and repeat, to add more members to all of the different SCC groups. 

Share this article on social media

If you found this article useful, please share it on social media. 

Subscribe to our blog...

We will only use your email to send you new blog posts.