In this blog post I will talk about how to manage Microsoft 365 workloads effectively across multiple IT teams and how to hold the thin line between roles and responsibilities (R&R). Administrators have access to sensitive data and files, so Microsoft recommends that you follow its guidelines to keep your organization's data secure and assign only the admin permissions each person actually needs.
Define the boundary
Identify the teams that are responsible for each workload. You need to understand the R&R and make sure they are aligned with each team's technical capability. Admins need to be able to manage all the settings and policies for the workloads they are responsible for, without being able to change the configuration of other workloads. The Tier-1 team plays a vital role in handling end-user problems, so it needs to be considered in the planning as well. A few admin roles, such as the security and compliance admin roles, have access to sensitive data and files, so it is recommended that you identify the right teams (for example, the security team) to hold that access.
RBAC (role-based access control) is a permissions scheme based on the idea of granting IT administrators the ability to perform specific actions while denying them the ability to perform any others.
If you are looking for consistency across the delegated/admin permissions for the entire suite of Office 365 SaaS services, a third-party management tool may be an ideal solution for you.
Microsoft has recently introduced many more built-in admin roles which can be used to assign the right permissions, and a custom role can be created with RBAC if no built-in admin role fits. Each admin role maps to a common business function and gives people in your organization permission to do specific tasks in the admin centers. Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords, you shouldn't assign them the unlimited Global Administrator role; assign a limited admin role such as Password Administrator or Helpdesk Administrator instead. This helps keep your data safe and secure.
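As an added example (not code from the original post), the following Microsoft Graph PowerShell script assigns the built-in Helpdesk Administrator role to a helpdesk account instead of Global Administrator, and optionally scopes the assignment to an administrative unit so the helpdesk stays inside its workload boundary. The user principal name, administrative unit name and installed Microsoft.Graph modules are assumptions; the cmdlets and role names are Microsoft's.

```powershell
# Added example (not from the original post): assign a least-privileged built-in role
# with Microsoft Graph PowerShell instead of Global Administrator.
# Assumptions: the Microsoft.Graph modules are installed, the signed-in account can
# consent to the scopes below, and the UPN / administrative unit name are placeholders.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.Read.All','AdministrativeUnit.Read.All'

$helpdeskUpn = 'helpdesk.user@contoso.com'   # placeholder account
$roleName    = 'Helpdesk Administrator'      # built-in role: password resets for non-admins, etc.
$auName      = 'EMEA Users'                  # placeholder administrative unit; leave empty for tenant-wide

$user = Get-MgUser -UserId $helpdeskUpn -Property Id,UserPrincipalName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found" }

# Guard rail: this script never hands out the unlimited role.
if ($role.DisplayName -eq 'Global Administrator') { throw 'Use a limited role instead of Global Administrator' }

# Scope '/' means the whole tenant. Scoping to an administrative unit keeps the helpdesk
# within its boundary: the role only applies to users that are members of that AU.
$scope = '/'
if ($auName) {
    $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
    if ($au) { $scope = "/administrativeUnits/$($au.Id)" }
}

# Idempotency: skip if this principal already holds the role at this scope.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($existing | Where-Object DirectoryScopeId -eq $scope) {
    Write-Host "$helpdeskUpn already holds $roleName at scope $scope"
} else {
    $assignment = New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $user.Id -RoleDefinitionId $role.Id -DirectoryScopeId $scope
    Write-Host "Assigned $roleName to $helpdeskUpn at scope $scope (assignment id $($assignment.Id))"
}

# Verify the end state: list every directory role the user now holds and at what scope.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; Scope = $_.DirectoryScopeId }
    } | Format-Table -AutoSize
```

The final listing is the check worth keeping in a runbook: it shows at a glance whether a "limited" admin has quietly accumulated tenant-wide roles over time. Swap the role name for Password Administrator if the team should only reset passwords and nothing else.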
Auditing and control
You must enable and use auditing to track every event happening in your Office 365 environment, so that you can take preemptive action and avoid serious consequences. You can use the Security & Compliance Center to search the unified audit log and view administrator activity in your organization. You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. When an audited activity is performed by an admin, an audit record is generated and stored in the audit log for your organization. If you are looking for richer reporting on admin activity, for example alerting on critical license changes made by admins to avoid license-related issues, you can opt for a third-party auditing solution; there are plenty on the market that may fulfil your needs.
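The search described above can also be scripted. The following is an added example (not code from the original post) that uses Exchange Online PowerShell to pull the last week of admin role changes and user license changes from the unified audit log and flattens the JSON `AuditData` into the fields an investigator looks at first. The account name, the 7-day window and the Global Administrator check are assumptions; the cmdlet, record type and operation names are Microsoft's.

```powershell
# Added example (not from the original post): pull admin role and license changes from
# the unified audit log with Exchange Online PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in account holds
# the "Audit Logs" or "View-Only Audit Logs" role in Exchange Online, and auditing is enabled.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'auditor@contoso.com'   # placeholder account

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Azure AD audit operations written to the unified log for the events this post cares about.
$operations = @(
    'Add member to role.',        # someone was granted an admin role
    'Remove member from role.',   # someone lost an admin role
    'Change user license.'        # a license was added to or removed from a user
)

# Page through results with a session; a single call returns at most 5000 records.
$records   = @()
$sessionId = [guid]::NewGuid().ToString()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType AzureActiveDirectory -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# AuditData is a JSON blob; expand the fields that matter for a role/license review.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $roleName = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
    [pscustomobject]@{
        Time      = $d.CreationTime
        Actor     = $d.UserId                                  # the admin who made the change
        Operation = $d.Operation
        Target    = ($d.Target | Select-Object -First 1).ID    # the user acted on
        Role      = $roleName                                  # only set for role operations
        Result    = $d.ResultStatus
    }
}

$events | Sort-Object Time -Descending | Format-Table -AutoSize

# Any grant of the unlimited role in the window deserves a ticket and a conversation.
$gaGrants = $events | Where-Object { $_.Operation -eq 'Add member to role.' -and $_.Role -eq 'Global Administrator' }
if ($gaGrants) { Write-Warning "$(@($gaGrants).Count) Global Administrator grant(s) in the last 7 days" }
```

Because `Change user license.` is a standard Azure AD audit operation, license changes by admins are already in the unified log; a third-party tool mainly adds longer retention, scheduled reports and alerting on top of what this query returns.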
It is always recommended to check which users have administrative access, how many of them are Global Administrators, and whether there are any invited guests or partners that have not been removed after being assigned an administrative task. You can recertify role assignments for Office 365 roles such as Global Administrator, or Azure resource roles such as User Access Administrator, with access reviews in the Azure AD Privileged Identity Management (PIM) experience. Review access levels on a regular cycle and implement the resulting changes with the respective teams. As the tenant owner, you should hold a quarterly meeting with all IT stakeholders and, so that the right permissions are available where they are needed, articulate which roles each team in the organization needs. Access for newly on-boarded admins should be granted through an approval flow that includes your IT security team and the Microsoft 365 tenant owner.
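The first part of that review (who holds admin roles, how many Global Administrators there are, and whether any guest accounts still hold a role) can be produced with Microsoft Graph PowerShell. This is an added example, not code from the original post; the Microsoft.Graph modules are assumed to be installed and the "more than five" threshold is the author's illustrative number, taken from Microsoft's Secure Score guidance to keep the Global Administrator count small.

```powershell
# Added example (not from the original post): inventory who holds activated directory roles,
# count Global Administrators and flag guest (B2B) accounts that still hold a role.
# Assumptions: Microsoft.Graph modules installed; the GA threshold below is illustrative.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All'

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,UserType,AccountEnabled
            [pscustomobject]@{
                Role      = $role.DisplayName
                Principal = $u.UserPrincipalName
                Kind      = 'User'
                IsGuest   = ($u.UserType -eq 'Guest')   # invited partner / guest account
                Enabled   = $u.AccountEnabled
            }
        } else {
            # Groups and service principals can also be role members; keep them visible.
            [pscustomobject]@{
                Role      = $role.DisplayName
                Principal = $m.Id
                Kind      = $type -replace '^#microsoft\.graph\.', ''
                IsGuest   = $false
                Enabled   = $null
            }
        }
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# How many Global Administrators? Secure Score guidance is to keep this small.
$ga = @($report | Where-Object Role -eq 'Global Administrator')
Write-Host "Global Administrators: $($ga.Count)"
if ($ga.Count -gt 5) { Write-Warning 'More than five Global Administrators; review whether each one still needs the role' }

# Guests that still hold an admin role are the first candidates for removal in the review.
$guestAdmins = @($report | Where-Object IsGuest)
if ($guestAdmins.Count -gt 0) {
    Write-Warning 'Guest accounts still holding admin roles:'
    $guestAdmins | Format-Table Role, Principal -AutoSize
}
```

One caveat: this lists permanent (active) assignments only. Admins who are merely eligible for a role through PIM do not appear as directory role members, so a complete recertification still needs the PIM access review the post refers to.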