Role Based Access Control
This section describes the design decisions associated with Role Based Access Control within Microsoft 365 Services for system(s) built using ASD's Blueprint for Secure Cloud.
Role Based Access Control (RBAC) is not a new concept. Microsoft's implementation of RBAC in the context of Microsoft 365 is the process and mechanism for maintaining the principle of least privilege within an environment. Roles therefore define what the role holder can do, who is granted the role, and where the scope of the role is valid. The following list provides an overview of the concepts associated with RBAC:
- Security Principal: The identity assigned a role and given permissions for a specific task
- Role Group: A collection of permissions
- Management Role: A specific permission defined for a particular workload such as Exchange Online or Teams
- Role Assignment: Assignment of a Role Group to a Security Principal
- Scoping: Restricting the Role Assignment to a defined set of resources or objects
Many of the workloads within Microsoft 365 can be managed through one or more of the default administrative roles defined within Entra ID; however, many Microsoft 365 workloads also employ their own RBAC concepts, which overlap with Entra ID roles to a degree that varies by workload. The roles supported by each product are outlined below:
Microsoft 365 Service | Microsoft 365 / Service Role Descriptions |
---|---|
Admin roles in Microsoft | Microsoft 365 admin roles |
Exchange Online | Exchange role-based access control |
SharePoint Online | SharePoint admin role in Microsoft 365 |
Teams | Teams Administrator roles |
Defender for Office 365 and Purview | Defender for Office 365 roles |
Azure Information Protection | Entra built-in roles |
Microsoft Defender for Cloud Apps | Role-based access control |
Azure Advanced Threat Protection | Azure ATP role groups |
Windows Defender Advanced Threat Protection | Windows Defender ATP role-based access control |
Intune | Intune role-based access control |
Power Platform | Power Platform Service Admin Roles; Dataverse Security Roles; System and Application (Built In) Users |
Privileged Identity Management
Privileged Identity Management (PIM) can be leveraged to enhance the RBAC model for Entra ID role-based management access and other workloads. PIM requests are made through the Entra portal for elevated access only when required, and for a defined period of time.
PIM enables assignment of the following default Microsoft 365 roles:
- Exchange administrator
- Exchange recipient administrator
- SharePoint administrator
- Teams administrator
- Teams Communications administrator
- Teams Communications support engineer
- Teams Communications support specialist
- Power BI Administrator
- Power Platform administrator
- Customer Lockbox Administrator
- Intune administrator
- Office Apps administrator
- Message Center Privacy Reader
- Message Center Reader
- Security administrator
- Security reader
Note
When PIM is used for the SharePoint administrator role, the Device administrator role, or roles that access the Microsoft Security and Compliance Center, the activated role may take up to a few hours to take effect; see PIM Roles for further information.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
PIM | Configured | PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources or workloads. |
Microsoft 365 administrative sub-roles | Configured by Exception | Microsoft 365 administrative sub-roles will, where possible, not be configured in favour of PIM. This ensures Azure is the single location for managing Role Based Access Control permissions for the organisation's tenant. |
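The two design decisions above only hold if privileged roles are granted as PIM-eligible assignments rather than as standing ones. The following PowerShell is an added example, not part of the Blueprint, that audits a tenant for permanent active assignments to privileged Entra ID roles using the Microsoft.Graph PowerShell SDK (read-only directory role management permission). The role watch list, the function names and the sample records are constructed for this illustration; the filtering logic is kept separate from the Graph calls so it can be exercised against constructed input without a tenant.

```powershell
# Added example (not Blueprint code): find standing (permanent, non-PIM) active
# assignments to privileged Entra ID roles. Cmdlets are from the Microsoft.Graph
# PowerShell SDK; the watch list below is constructed from the roles this page
# lists for PIM, plus Global Administrator.
$PrivilegedRoles = @(
    'Global Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Teams Administrator',
    'Intune Administrator',
    'Security Administrator',
    'Power Platform Administrator'
)

function Find-StandingPrivilegedAssignment {
    # Pure filtering logic (constructed name). Each $Instance carries the
    # properties of a Graph roleAssignmentScheduleInstance: PrincipalId,
    # RoleDefinitionId, AssignmentType ('Assigned' or 'Activated') and
    # EndDateTime ($null means the assignment never expires).
    param(
        [Parameter(Mandatory)] [object[]]  $Instances,
        [Parameter(Mandatory)] [hashtable] $RoleNamesById,   # roleDefinitionId -> DisplayName
        [string[]] $Roles = $PrivilegedRoles
    )
    foreach ($i in $Instances) {
        $roleName = $RoleNamesById[$i.RoleDefinitionId]
        if ($Roles -notcontains $roleName) { continue }
        # 'Activated' is a PIM activation that expires on its own. 'Assigned' with
        # no EndDateTime is a standing assignment that PIM never governs.
        if ($i.AssignmentType -eq 'Assigned' -and -not $i.EndDateTime) {
            [pscustomobject]@{
                PrincipalId = $i.PrincipalId
                Role        = $roleName
                Finding     = 'Permanent active assignment; should be PIM-eligible instead'
            }
        }
    }
}

function Get-TenantStandingPrivilegedAssignment {
    # Live version (constructed name): pull directory role definitions and the
    # active assignment schedule instances from Microsoft Graph, then filter.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome
    $names = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        ForEach-Object { $names[$_.Id] = $_.DisplayName }
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All
    Find-StandingPrivilegedAssignment -Instances $instances -RoleNamesById $names
}

# --- Constructed sample data standing in for a Graph response ---------------
$sampleNames = @{
    'role-ga'  = 'Global Administrator'
    'role-exo' = 'Exchange Administrator'
    'role-mcr' = 'Message Center Reader'
}
$sampleInstances = @(
    # PIM activation with an expiry: governed by PIM, not a finding
    [pscustomobject]@{ PrincipalId='user-a'; RoleDefinitionId='role-exo'; AssignmentType='Activated'; EndDateTime=(Get-Date).AddHours(4) }
    # Standing Global Administrator: the case the design decision is meant to prevent
    [pscustomobject]@{ PrincipalId='user-b'; RoleDefinitionId='role-ga';  AssignmentType='Assigned';  EndDateTime=$null }
    # Standing assignment to a role outside the watch list: ignored
    [pscustomobject]@{ PrincipalId='user-c'; RoleDefinitionId='role-mcr'; AssignmentType='Assigned';  EndDateTime=$null }
)

Find-StandingPrivilegedAssignment -Instances $sampleInstances -RoleNamesById $sampleNames |
    Format-Table -AutoSize
```

Against the constructed sample the filter reports one row, the standing Global Administrator held by user-b; the PIM activation and the low-privilege role are skipped. Get-TenantStandingPrivilegedAssignment runs the same check against a live tenant and is a useful periodic control to confirm that privileged roles remain PIM-eligible rather than permanently assigned.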
Related information
Security & Governance
- Essential Eight - User Application Hardening
- Essential Eight - Restrict Administrative Privileges
- Authentication Hardening
References
- Microsoft 365 Understanding Roles
- Microsoft 365 Roles
- Azure AD Roles
- Microsoft 365 Roles in AAD
- Exchange Online Permissions
- SharePoint Admin Role
- Teams Administrator roles
- Compliance Roles
- Security Center Roles
- Defender Roles
- Defender Custom Roles
- Defender for Cloud Apps
- Defender for Office 365
- Intune Roles
- Power Platform Security Roles
- Power Platform Admin Roles
- Dataverse Security Roles
- Dataverse System and Application (Built In) Users