November 30, 2020
min read
Kas Nowicka
Kas has spent the last decade working with Microsoft’s cloud solutions and sharing governance, adoption, and productivity best practices with the MVP community.

Microsoft 365 veterans think their admin identities are secure if they have Role-Based Access Control (RBAC) – their killer security feature. But not all RBAC is created equal, and even the best RBAC is no match for Functional Access Control (FAC) – the true security killer feature.

Not to brag (at least too much), but CoreView is the only one that offers true, deep, and fully secure RBAC, and takes that a monumental step further with Functional Access Control.

Scratching your head? All right, we’ll tell you what FAC is, does, and what makes it so dang amazing. Think about the native M365 Admin Center. The problem is that the roles granted by Admin Center are way, way too broad.

Today’s smart M365 IT pros no longer focus on ‘roles’ in administration anymore – such as being the Exchange person who spends the day creating mailboxes and adding people to distribution lists. M365 admins instead perform FUNCTIONS across the entire cloud stack, which is quite complex. This can include adding a user, setting the password, and granting them a license. Then an admin may add them to a mailbox, to distribution lists, or Microsoft Teams channels, pre-initialize their OneDrive, set policies for devices, and so on. These are not ROLES – these are FUNCTIONS.

More Roles Are Not Enough

More broadly put, M365 IT pros no longer work in this concept of roles. Microsoft’s response to this shift was to enhance their role-based model by adding more roles.

“Let us talk about the Microsoft role-based model. The first one, Application Administrator, gives you access to literally 75 different attributes. Nobody in Microsoft knows what all those attributes do. Certainly not IT. If I grant you access to the role of Application Administrator, I cannot look the CISO in the eye and tell them, ‘I know exactly what I gave him access to’ because I do not know the underlying foundations for it,” explained Matt Smith, CoreView Solution Architect.

Today, IT staffers have functions they need to do as part of their job, such as creating a user, changing a password, initializing a mailbox, changing their name, setting up OneDrive, or configuring Microsoft Teams voice features. These various functions are not easily defined into a particular role. Instead, CoreView can break what IT or even non-IT professionals need to do into functions that then can be combined into what a user’s job actually entails.

Customers Totally Grok the Concept of FAC

CoreView customer Baker Tilly Canada knows the value of FAC. “How do we operate as a multi-tenant environment while, from Microsoft’s perspective, on a single tenant? CoreView brought all of that to the table with the V-tenant capabilities. We can slice and dice administration into functional areas. We can have user managers, Microsoft Teams managers, Teams administrators, or security administrators. All of those functions and feature sets are critical to the solution we have today,” said Stephen Chris, Baker Tilly Canada Cooperative.

Go Beyond RBAC to Get to Least Privilege Access

RBAC is a way to APPROACH Least Privilege Access, while FAC is a way to ACHIEVE it. Unfortunately, Least Privilege is not well implemented in the Microsoft world because the roles are too broad and there is no concept of FAC. Again, not to toot our horn too much, but CoreView does a much better job at this because our Role-Based Access Model is actually functionally based. It is based on check marks where you check off the functions you want to grant rather than broad roles.

FAC is simply more granular and fits today’s IT workstyle better.

“CoreView’s FAC is check box-based. IT can give someone the ability to forward email addresses by clicking two boxes. It is automatically scoped, which is hard to do in the Microsoft world without creating a custom role and creating a custom scope – and frankly, nobody does that,” CoreView’s Smith pointed out. “I can also give somebody at the help desk the ability to forward email for people who are on long-term leave in the accounting department. Boom. We are done.”

FAC – the Path to Least Privilege Nirvana

So how is Functional Access Control part of doing least privilege right? “What does the CISO care about? He cares about true Least Privilege Access. If you asked 100 IT personnel, ‘Should we have Least Privilege Access for all of our applications?’ 100 of them would reply, ‘Yes we should!’ The next question is — why don’t you? ‘Microsoft doesn’t give us the tools that allows us to do that.’ And they are right. You cannot do it natively within the M365 Admin Center,” Smith said.

The right way to do it is the CoreView way. “The only right way really to apply Least Privilege Access is to extrapolate administrative access and proxy it the way that we do through a portal that says, ‘I am not giving you access to a role. I am giving you access to a function, and you have no privileges whatsoever within the application itself to do other things.’ It is a predefined function that CoreView admins have the ability to turn on and turn off, or even apply a workflow to give time bound access. That is the only way to get to that goal,” Smith argued.

Protect Your M365 Tenant With CoreView

CoreView offers deep Microsoft 365-specific security protection, governance and compliance. Learn how we help with a personalized CoreView demo.

Get a personalized demo today

Created by M365 experts, for M365 experts.