Microsoft 365 administration is too often a blunt object: admins are laden with global credentials and, in the best of cases, assigned broad, overly powerful and insecure roles.
CISA (the Cybersecurity and Infrastructure Security Agency), in its Alert AA20-120A, encourages organizations to implement an organizational cloud strategy that protects their infrastructure assets by defending against attacks related to the M365 transition and better securing O365 services. Among other things, CISA recommends:
- Protect Global Admins from compromise and use the principle of “Least Privilege.”
The answer comes in several forms, with several labels. Role-Based Access Control (RBAC), as the name indicates, focuses on roles, and here Microsoft pre-defines the roles, which reduces flexibility. The deeper, more granular approach is Functional Access Control (FAC), pioneered by CoreView, in which rights are based on the things you want the admin to be able to do. There are also Virtual Tenants, also pioneered by CoreView, which isolate groups and departments from one another so that one admin cannot impact the Virtual Tenant of another.
There is another term that speaks to the granularity and control of M365 admin rights: delegated administration. This approach has been broadly applied and refers to the decentralization of IT administrative authority that RBAC provides, albeit in limited fashion.
“As an organization grows, it can be difficult to keep track of which users have specific admin roles. If an employee has administrator rights they shouldn’t, your organization can be more susceptible to security breaches,” Microsoft advises. In fact, Microsoft advises that M365 shops have only 2-4 Global Admins for just this reason.
How Microsoft Defines Delegated Administration
Microsoft offers delegated administration for Azure Active Directory by defining Azure roles, in other words RBAC. Microsoft also uses the term delegated administration for M365, but there it is a rather limited concept aimed largely at cloud service providers needing access to a client's tenant, especially compared with how the term is used for Azure Active Directory, where it basically refers to RBAC.
“If you’re a Microsoft partner or reseller, and you’ve signed up to be a Microsoft advisor, you can request delegated administration capabilities in your customer’s Microsoft 365 organization,” Microsoft said in a document. “Delegated administration allows you to manage Microsoft 365 (including EOP settings) as if you were an admin within that organization.”
Limitations of M365 Delegated Admin Permissions
These M365 delegated admin functions are aimed at CSPs and other partners looking to access client tenants. The Microsoft partner community has found these M365 delegated administration functions too constrictive. “Permissions granted by delegated admin are too far-reaching, do not allow for fine-grained access, and even the ability to audit use is unclear or non-existent,” a partner community post argued.
One partner detailed the approach on a partner community page. “Here is some feedback we just received earlier today from a current customer looking to move to CSP licensing:
Even with an NDA with (direct CSP provider) I am not at all comfortable making a third party of a third party delegated admins for our environment and granting them the ability to access all our cloud data which is what the terms state we’d be agreeing to. I also have reservations about a vendor having these all-encompassing permissions. I understand it can be needed for some admin tasks and troubleshooting but I don’t like how much of a free-for-all Microsoft makes it,” the partner wrote.
The partner laid out further concerns. “The list of roles and permissions that can be applied through Partner Center is available at https://docs.microsoft.com/en-us/partner-center/permissions-overview. Of these, only ‘Admin Agent’, ‘Helpdesk Agent’, and maybe ‘Sales Agent’ apply to the customer tenants. ‘Admin agent’ is basically the equivalent of ‘Global Administrator’ within a customer tenant, and ‘Helpdesk Agent’ is effectively a ‘Helpdesk Administrator’ (Password Administrator),” the partner wrote. “As an O365 admin in my own organization, I can delegate permissions to others through at least 262,144 different combinations of the 18 customized administrator roles currently available in my tenant. (This increases to 38 roles available and nearly 275 billion combinations when using the roles available in Azure AD.) As a partner with delegated admin to a customer, there are only 2: ‘Everything’, or ‘Helpdesk Agent’.”
This approach is a security risk. “Everything is ‘all or nothing’. We also have well over 100 engineers in our organization (not counting back office staff, etc.). To assign either ‘Admin agent’ or ‘Helpdesk Agent’ to one of our staff means that they have that same permission across a few hundred customers. There is no way to filter a staff member’s access to only one customer, or ideally a group of customers,” the partner concluded.
Doing Delegated Administration Right – The CoreView Way
Microsoft’s native M365 Admin Center offers RBAC, which is a form of delegated administration, but the roles are overly rigid, and all roles come with global credentials. If the roles provided by Microsoft are not good enough to match your IT organizational model, you should perhaps take a look at CoreView. We enable you to create custom roles that assign each operator only the rights they need for their function, without being bound to Microsoft’s pre-defined roles.
Microsoft is positioning delegated administration only for partners or vendors helping to manage the tenant, because Microsoft does not have true, granular delegated administration built into Office 365.
In contrast, CoreView was architected and designed from the ground up to enable more distributed organizations with the flexibility to delegate and distribute administration tasks, assign license pools, and provide total visibility into all aspects of Microsoft 365. This delegated administration is available to in-house IT, as well as partners and solution providers such as Managed Service Providers (MSPs).
With CoreView, you can segment your users pretty much any way you like—by location, business unit, department, and more. Once you have those user groups configured, you can grant a specific set of admin permissions to administrators who will ONLY be able to view and manage that specific subset of users. It’s that easy.
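As an added illustration of the model described above (example code written for this article, not CoreView’s or Microsoft’s own implementation), the block below combines the two ideas in a small authorization check: an operator holds a set of functional rights rather than a built-in role, and those rights are scoped to a Virtual Tenant defined by user attributes, so the same operator is denied on a user outside that segment. All users, operators and right names are constructed for the example.

```python
# Added example (not CoreView's or Microsoft's code): a minimal model of
# functional rights (FAC) scoped to a Virtual Tenant. An operator may act on a
# user only if they hold the specific right AND the user is inside their segment.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str
    location: str
    department: str


@dataclass(frozen=True)
class VirtualTenant:
    """A segment of users selected by attribute filters (all must match)."""
    name: str
    filters: tuple  # e.g. (("location", "EMEA"),)

    def contains(self, user: User) -> bool:
        return all(getattr(user, k) == v for k, v in self.filters)


@dataclass(frozen=True)
class Operator:
    upn: str
    rights: frozenset  # functional rights, not Microsoft built-in roles
    tenant: VirtualTenant


def authorize(op: Operator, action: str, target: User) -> tuple:
    """Return (allowed, audit line). Deny on missing right or out-of-scope target."""
    if action not in op.rights:
        return False, f"deny {op.upn} {action} {target.upn}: missing right"
    if not op.tenant.contains(target):
        return False, f"deny {op.upn} {action} {target.upn}: outside {op.tenant.name}"
    return True, f"allow {op.upn} {action} {target.upn} in {op.tenant.name}"


# Constructed sample directory and a helpdesk operator limited to the EMEA segment.
USERS = {
    "alice@example.com": User("alice@example.com", "EMEA", "Finance"),
    "bob@example.com": User("bob@example.com", "APAC", "Finance"),
}
EMEA = VirtualTenant("EMEA", (("location", "EMEA"),))
HELPDESK_EMEA = Operator("hd-emea@example.com", frozenset({"reset_password"}), EMEA)

if __name__ == "__main__":
    for user in USERS.values():
        for action in ("reset_password", "assign_license"):
            print(authorize(HELPDESK_EMEA, action, user)[1])
```

The audit line returned with each decision is what you would forward to your SIEM so that denied cross-segment attempts are visible, not silent.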
Failing to implement a strong “Least Privilege Principle” not only goes against CISA’s recommendation but can also lead to compliance problems with ISO, SOC, GDPR and other industry security standards, all of which require that access be limited as much as possible. Microsoft is not the end game here: CoreView goes beyond these limits and improves security.