No True O365 Security Without Least Privilege – No Least Privilege Without Functional Access Control
And You Thought RBAC was Killer!

Microsoft Office 365 veterans tend to think their admin identities are secure once they have Role-Based Access Control (RBAC), which they treat as the killer security feature. But not all RBAC is created equal, and even the best RBAC is no match for Functional Access Control (FAC), the true killer security feature.

Not to brag (at least too much), but CoreView is the only one that offers true, deep and fully secure RBAC, and takes that a monumental step further with Functional Access Control.

Scratching your head? All right, we’ll tell you what FAC is, what it does, and what makes it so dang amazing. Start with the native O365 Admin Center: the problem is that the roles it grants are far too broad for the tasks most admins actually perform.

Today’s smart O365 IT pros no longer focus on ‘roles’ in administration – such as being the Exchange person who spends the day creating mailboxes and adding people to distribution lists. O365 admins instead perform FUNCTIONS across the entire cloud stack, which is quite complex. This can include adding a user, setting the password, and granting them a license. Then an admin may add them to a mailbox, to distribution lists, or to Teams channels, pre-initialize their OneDrive, set policies for devices, and so on. These are not ROLES – these are FUNCTIONS.

More Roles are not Enough

More broadly put, O365 IT pros no longer work within the concept of roles at all. Microsoft’s response to this shift was to extend its role-based model by adding more roles rather than narrower ones.

“Let us talk about the Microsoft role-based model. The first one, Application Administrator, gives you access to literally 75 different attributes. Nobody in Microsoft knows what all those attributes do. Certainly not IT. If I grant you access to the role of Application Administrator, I cannot look the CISO in the eye and tell them, ‘I know exactly what I gave him access to’ because I do not know the underlying foundations for it,” explained Matt Smith, CoreView Solution Architect.

Today, IT staffers have functions they need to perform as part of their job, such as creating a user, changing a password, initializing a mailbox, changing a display name, setting up OneDrive, or configuring Teams voice features. These functions do not map cleanly onto any particular role. Instead, CoreView breaks what IT, or even non-IT, professionals need to do into functions that can then be combined into what a user’s job actually entails.

Customers Totally Grok the Concept of FAC

CoreView customer Baker Tilly Canada knows the value of FAC. “How do we operate as a multi-tenant environment while, from Microsoft’s perspective, on a single tenant? CoreView brought all of that to the table with the V-tenant capabilities. We can slice and dice administration into functional areas. We can have user managers, Teams managers, Teams administrators, or security administrators. All of those functions and feature sets are critical to the solution we have today,” said Stephen Chris, Baker Tilly Canada Cooperative.

Go Beyond RBAC to Get to Least Privilege Access

RBAC is a way to APPROACH Least Privilege Access, while FAC is a way to ACHIEVE it. Unfortunately, Least Privilege is not well implemented in the Microsoft world because the roles are too broad and there is no concept of FAC. Again, not to toot our horn too much, but CoreView does a much better job at this because our Role-Based Access Model is actually functionally based. It is based on checkboxes: you check off the functions you want to grant, rather than handing out broad roles.

FAC is simply more granular and fits today’s IT workstyle better.

“CoreView’s FAC is check box-based. IT can give someone the ability to forward email addresses by clicking two boxes. It is automatically scoped, which is hard to do in the Microsoft world without creating a custom role and creating a custom scope – and frankly, nobody does that,” Smith pointed out. “I can also give somebody at the help desk the ability to forward email for people who are on long-term leave in the accounting department. Boom. We are done.”

One use case is a desktop deployment technician installing software on PCs that may have been locked since Friday at 5:00 PM. They need to reset the user’s password in order to unlock the PC, install the OneDrive agent and make sure that it is working. In that case, that person could request just the ability to change the password and set the OneDrive settings, and nothing else.
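To make the mail-forwarding scenario concrete, here is what the native Exchange Online path that Smith refers to (a custom role plus a custom scope) actually looks like. This is an added example written for this page; it is not CoreView’s code and not from the original article. The tenant name contoso.com, the help-desk user helpdesk@contoso.com, the mailbox jane.doe@contoso.com and the convention that long-term leave is recorded in CustomAttribute1 are assumptions; the cmdlets are the standard ExchangeOnlineManagement ones.

```powershell
# Added example, not from the page or from CoreView: delegating ONLY the ability
# to set mail forwarding, scoped to accounting staff on long-term leave, using
# Exchange Online's own RBAC (custom role + custom scope + role group).
# Assumptions: tenant contoso.com, help-desk user helpdesk@contoso.com, and that
# leave status is stored in CustomAttribute1 = 'LongTermLeave'.
# Must be run by an Organization Management / Role Management admin.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Derive a custom role from the built-in "Mail Recipients" role.
#    A child role can only LOSE entries relative to its parent, never gain them.
New-ManagementRole -Name 'Helpdesk-MailForwarding' -Parent 'Mail Recipients'

# 2. Strip every cmdlet except Set-Mailbox and the read-only Get-* cmdlets the
#    help desk needs in order to find the target mailbox.
Get-ManagementRoleEntry 'Helpdesk-MailForwarding\*' |
    Where-Object { $_.Name -ne 'Set-Mailbox' -and $_.Name -notlike 'Get-*' } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Narrow Set-Mailbox itself to the forwarding parameters. Without
#    -AddParameter or -RemoveParameter, -Parameters REPLACES the entry's list.
#    ForwardingSmtpAddress is deliberately omitted: it accepts external
#    addresses and is a classic mail-exfiltration lever.
Set-ManagementRoleEntry -Identity 'Helpdesk-MailForwarding\Set-Mailbox' `
    -Parameters Identity, ForwardingAddress, DeliverToMailboxAndForward

# 4. A write scope that limits WHICH mailboxes the role may modify.
New-ManagementScope -Name 'Accounting-OnLeave' `
    -RecipientRestrictionFilter "(Department -eq 'Accounting') -and (CustomAttribute1 -eq 'LongTermLeave')"

# 5. Bind role + scope in a role group and add the help-desk user to it.
New-RoleGroup -Name 'Helpdesk Forwarding (Accounting)' `
    -Roles 'Helpdesk-MailForwarding' `
    -CustomRecipientWriteScope 'Accounting-OnLeave' `
    -Members 'helpdesk@contoso.com'

# 6. Verify what was actually granted: the surviving cmdlets/parameters, and
#    who ends up able to write to a specific mailbox through which assignment.
Get-ManagementRoleEntry 'Helpdesk-MailForwarding\*' | Format-Table Name, Parameters
Get-ManagementRoleAssignment -WritableRecipient 'jane.doe@contoso.com' -GetEffectiveUsers |
    Format-Table RoleAssigneeName, Role, EffectiveUserName, CustomRecipientWriteScope
```

Two things worth checking after running this. First, a CustomRecipientWriteScope restricts only writes; the Get-* entries left on the role still read the whole directory, so trim those too if that matters. Second, this covers Exchange only: the password-reset and OneDrive case above lives in Entra ID and SharePoint, which have their own role model (Entra directory roles scoped with administrative units), so the same delegation has to be built again there. That duplication across stacks is the maintenance burden the quote is pointing at.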

FAC – the Path to Least Privilege Nirvana

So how is Functional Access Control part of doing least privilege right? “In Microsoft’s Zero Trust model, the feature functionality that Microsoft and others are pushing are PIM and PAM, which are approaches to Least Privilege Access. What does the CISO care about? He cares about true Least Privilege Access. If you asked 100 IT personnel, ‘Should we have Least Privilege Access for all of our applications?’ 100 of them would reply, ‘Yes we should!’ The next question is — why don’t you? ‘Microsoft doesn’t give us the tools that allows us to do that.’ And they are right. You cannot do it natively within the O365 Admin Center,” Smith said.

The right way to do it is the CoreView way. “The only right way really to apply Least Privilege Access is to extrapolate administrative access and proxy it the way that we do through a portal that says, ‘I am not giving you access to a role. I am giving you access to a function, and you have no privileges whatsoever within the application itself to do other things.’ It is a predefined function that CoreView admins have the ability to turn on and turn off, or even apply a workflow to give time-bound access. That is the only way to get to that goal,” Smith argued.

With CoreView, IT pros can easily and fully batten down the O365 security hatches on a daily basis. “Imagine an organization of 10,000 people. Hackers do not get in on the first attempt. Meanwhile, IT is getting how many sign-in events, every single day, across days, weeks, months, and years? There are too many signals there. CoreView sorts through all those signals. We correlate the data, we enrich the data, and then we surface it into an easy to read dashboard and set of reports,” Smith concluded.

Functional Access Control for Teams

Some Microsoft customers ran into the limits of native RBAC when setting up Teams voice capabilities. With these customer hurdles in mind, Microsoft reached out to CoreView for answers. CoreView developers spent months diving into the issues and building deep functional delegation capabilities specific to Teams voice and UC deployment. The result is that CoreView now provides all the commands and the interface to allow central IT to delegate out very quickly and very securely just those voice functions without delegating the full role of Teams administrator to local groups.

This speaks to both CoreView’s RBAC and its functional delegation of duties. The distinction between a role and a function matters here. Functions are more granular than roles. A role can be seen as a concatenation – a combination of various functions. In fact, roles such as Exchange or Active Directory (AD) administrator are becoming rarer than functional admin assignments – at least for CoreView customers – who can grant and control these rights granularly.
