Nov 13 2019
Role-Based Access Control: The Only Route to Office 365 Security, Admin Efficiency
At first blush, Microsoft Office 365 seems to have role-based access control (RBAC) fully covered. After all, Office 365 comes with a wealth of administrator roles, some 22 different ones, such as Exchange or License Administrator. This looks great on the surface, but a deeper dive exposed the flaws.
Despite the RBAC label applied by Microsoft to O365 permissions, the native admin delegation tool in Office 365 is simply too blunt, lacking the granularity in giving rights large shops need. No matter how much you limit O365 permissions, all admins have global rights, which means they can reach out and touch all end users – a security nightmare.
Get all the details in our white paper: Learn to Love Office 365 Role-Based Access Control.
Meanwhile, IT pros who thought their lives would be easier with a cloud suite find themselves mired in endless administrations tasks, trying fruitlessly to give admins and users the exact level of visibility they need. Frustrated, IT often gives up, simply assigning all admins the same broad global permissions. Too many people with too much permission opens gaping holes in the network.
The Office 365 Admin Center is a least common denominator style tool, not built to handle the demands of distributed enterprise deployments. Large organizations are, in essence, a group of separate, geographically dispersed entities, each with its own needs – are not served well by a one size fits all, centralized, globally-based administrative structure.
The native Office 365 Admin Center’s centralized management model of setting privileges entirely relies on granting “global admin rights” — even to regional, local, or business unit administrators. There is simply no facility for setting up regional and other geographic-based rights. Nor can you easily set up rights based on business unit, country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly so they can only perform limited and specific functions, such as changing passwords when requested.
Any IT pro worth their salt recoils at granting a local or departmental IT administrator global rights. This is simply not the way modern enterprises are structured and no way to properly secure the environment.
Meanwhile, making everyone who needs a decent level of access a full administrator means there are too many people with full access to the Office 365 environment. Do not forget. IT pros are people too, and the more folks that have high-level access, the more chance these privileges are abused.
A proper approach to Office 365 permissions and privileges is partitioning permissions based on roles through truly fine-grained RBAC, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your Office 365 environment.
CoreView and Granular RBAC are the Answer to Your Office 365 Delegation Problems
CoreView was designed in the trenches by a Microsoft Gold partner and solution provider to improve the manageability and security for its large base of Office 365 clients.
Using a simple, intuitive interface, CoreView lets IT segment the Office 365 tenant in myriad ways — for example, by department, business unit, or location. After these groups are set up, IT can dive deeper, using CoreView’s RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks and only against a specific subset of users.
CoreView further allows you to fine-tune what actions each admin can perform, and which reports they can see. Instead of using the Office 365 Admin Center, your administrators simply log into the CoreAdmin portal. Here, they are limited to making changes only to their assigned users, and can only perform actions they are specifically assigned.
The RBAC Payoff
Proper use of RBAC increases IT productivity by empowering more local administrators — saving time and money. In fact, The National Institute of Standards and Technology in its ‘Economic Analysis of Role-Based Access Control’ study found that a 10,000-person company saves some $24,000 in IT labor, and another $300,000 a year from reduced worker downtime every year through RBAC.
Meanwhile, delegating Office 365 admin responsibilities to those closer to the end users results in less micromanaging from the central office, and greater Office 365 uptime across the organization.
CoreView found that a company with 10,000 employees could save 950 hours of administration time per year, at a projected savings of $45,600 a year – just by properly using RBAC to set Office 365 admin permissions.
Learn More about Taming Office 365 through RBAC
Get more information in our Learn to Love Office 365 Role-Based Access Control white paper.
Learn more about Office 365 administration with a CoreView demo.
You can also get a free CoreView Office 365 Health Check that details license savings, state of application usage, and pinpoints security problems in your Office 365 environment.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.