Reading time:
4 min

Perfect O365 Remote Worker Management with RBAC


In the old days, IT administrators could simply walk over to an end user with a problem. And because employees mostly connected via the wired network, it was relatively easy to identify and manage users and their devices.

SaaS such as Office 365, and the massive move to remote work, changes all that. Now O365 users needing to be managed are spread all over the country – and the world. We spoke with CoreView Solution Architect Matt Smith about securing and managing O365 remote users with a better approach to administration – Role-Based Access Control (RBAC), and how Functional-Based Access Control raises the admin bar further. 

Role-Based Access Control (RBAC) Moves Toward Functional-Based Access Control

CoreView: Is that where Role-Based Access Control (RBAC) comes in? And how is this concept moving towards Functional-Based Access Control?

Smith: The most secure system is if you turn the whole dag gone thing off. Security people love that. However, it is not the most useful platform. The answer is to give people the rights they need to do their job, but only those rights. That is called least privilege access.

At the same time, Role-Based Access Control is a concept that has been around since the 1970s. Let us say you have the role of Exchange administrator, which gives you access to all things Exchange. In the Microsoft Office 365 world, this is kind of a 2010 concept — and we are now in 2020. These roles they have defined and continue to grant just do not match how people are actually administrating and using the O365 platform.

For example, if IT makes someone an Exchange admin because they need to create a mailbox, now they can create mailboxes. But what if IT wants to limit that person to just creating mailboxes for the London office and not the New York City office – that is scoping. To do that, you have to know a lot of AD properties, and people just never get around to scoping these roles to that specific location or virtual tenant, and giving that area of control they should have.

Matt Smith
CoreView’s Matt Smith

When IT gives them Exchange admin rights so they can create those mailboxes, that also gives the right to change mail routing for the entire organization. That is not what we call secure delegation. Nor is it efficient because now that I have given you all these controls, I am reticent to give it out to a whole lot of other people, because it is not secure.

What CoreView does makes this functional based. Now IT can give the ability to forward email for people on long-term leave, but not to create mailboxes because that’s not part of the job function.

Alternatively, IT could give the ability to create Teams channels, but not change call queues in Teams so that you can route calls to different people because that is also not their role.

Uniquely within Teams, CoreView can delegate things like call queues and auto attendants, especially useful for those people who are using the E-5 suite, which gives you the ability to use Teams to call out to other individuals. If you have that SKU, CoreView can delegate out very securely to individual offices the ability to set up their own auto attendant. By the way, auto attendant is when you call in on a phone, and are asked to press one for sales, press two for service and press zero to reach the operator. That is the auto attendant giving you that, creating and routing your call.

There are also call queues. Behind the scenes is a group of people. When you press one for sales, who are my 17 salespeople and how am I going to rotate those calls? Delegating that out and getting that out of central IT’s hands makes sense. Those needs change a lot, and is something IT is probably not going to be involved in because it is more of a business function. IT can securely delegate that out with CoreView’s functional access control.

Secure Remote Workers with CoreView’s Help

Learn more about making remote workers happy and productive with a CoreView demo.

Get your O365 user workload usage and security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page:

See how CoreView can help you with this

Learn more about securing and optimizing your M365 and other SaaS applications.