Oct 21 2019
Learn to Love Office 365 Role-Based Access Control
Office 365 comes with a wealth of administrator roles, roughly 22 different ones, such as Exchange or License Administrator. It looks great on the surface, and for small shops with simple use cases, the native Office 365 admin center and role delegation work relatively well.
But as smaller shops grow, or enterprises of any substance adopt the cloud-based suite, the native Office 365 Admin Center console wears thin. Nowhere is this truer than with delegating admin access – even if you use the Admin Center's role-based access control (RBAC) with its 20-plus roles. When Office 365 installations grow large, managing administrative access becomes not just a bear – but a security crater as well.
The native admin delegation tool in Office 365 is simply too blunt, lacking the granularity in granting rights that large shops need. IT pros who thought their lives would be easier with a cloud suite find themselves mired in endless administration tasks, trying fruitlessly to give admins and users the exact level of visibility they need. Frustrated, IT often gives up, simply assigning all admins the same broad global permissions. Too many people with too much permission opens gaping holes in the network.
The Office 365 Admin Center is a least-common-denominator style tool, not built to handle the demands of distributed enterprise deployments. Large organizations are, in essence, a group of separate, geographically dispersed entities, each with its own needs – not served well by a one-size-fits-all, centralized, globally-based administrative structure. Instead, enterprises need local or regional administrators to handle day-to-day administration tasks that are carefully suited to the exacting needs of the local user base.
In contrast, the native Office 365 Admin Center focuses on providing global admin rights, giving admins who tend to work locally too much power and privileges they do not need. This centralized management model of setting privileges with Office 365 entirely relies on granting “global admin rights” — even to regional, local, or business unit administrators. There is simply no facility for setting up regional and other geographic-based rights. Nor can you easily set up rights based on business unit, country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly so they can only perform limited and specific functions, such as changing passwords when requested.
Any IT pro worth their salt recoils at granting a local or departmental IT administrator global rights. This is simply not the way modern enterprises are structured and no way to properly secure the environment.
Meanwhile, making everyone who needs a decent level of access a full administrator means there are too many people with full access to the Office 365 environment. Do not forget: IT pros are people too, and the more folks that have high-level access, the more chance these privileges are abused.
The biggest cause of data breaches is hacking, and the way most hacks succeed is through compromised credentials. In the Verizon 2019 Data Breach Investigations Report, 80% of all hacking-based breaches exploited weak or compromised credentials. Moreover, 29% of all breaches, including all attack types, relied on stolen credentials. If an admin’s credentials are cracked, the hacker has full run of the environment – leading to the worst breaches of all.
A proper approach to Office 365 permissions and privileges is partitioning permissions based on roles through RBAC, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your Office 365 environment.
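To see where a tenant stands on the "far fewer global administrators" goal, the following added example (not from this post and not CoreView's code) inventories Azure AD directory-role membership for an Office 365 tenant with the AzureAD PowerShell module and counts the Global Administrators; it assumes you have already run Connect-AzureAD with an account permitted to read role membership.

```powershell
# Added example: inventory which accounts hold Office 365 / Azure AD admin roles.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.
Import-Module AzureAD

# Get-AzureADDirectoryRole returns only the roles that have been activated in the tenant
$roles = Get-AzureADDirectoryRole

# Flatten to one record per role/member pair; members may be users, groups or service principals
$assignments = foreach ($role in $roles) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $_.DisplayName
            Upn        = $_.UserPrincipalName   # empty for groups and service principals
            MemberType = $_.ObjectType
        }
    }
}

# Full picture of who holds what
$assignments | Sort-Object Role, Member | Format-Table -AutoSize

# Headline numbers: distinct principals with any admin role, and the Global Administrators.
# Older AzureAD module versions report Global Administrator as "Company Administrator".
$adminCount   = ($assignments | Select-Object -ExpandProperty Member -Unique).Count
$globalAdmins = $assignments | Where-Object { $_.Role -in 'Global Administrator', 'Company Administrator' }

Write-Host "Principals holding at least one directory role: $adminCount"
Write-Host "Global Administrators: $(($globalAdmins | Measure-Object).Count)"
$globalAdmins | Select-Object Member, Upn, MemberType | Format-Table -AutoSize
```

Run it periodically and treat growth in either count, or any group or service principal appearing in the Global Administrator list, as something to review.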
So What Exactly Does RBAC Mean?
IT administrators have long been charged with controlling who can do what with which applications and resources. Admins themselves are subject to these same rules – they are given a set of permissions that are hopefully in the right measure for their job.
These same scenarios now apply to cloud applications, and are ever more important since these applications and the data they contain are accessible from most anywhere.
While many admin rights give blanket permissions, properly applied RBAC grants admins the specific rights they need for their roles, while denying them others. In the context of Office 365, these roles may be based on the specific applications managed, such as SharePoint, Exchange, Skype, etc. Within Microsoft defined roles, the permissions beyond basic application management can be somewhat granular task-wise, but this fine-tuning often requires a lot of manual work and sometimes scripting through PowerShell. Even so, they are still not tunable to only cover specific user groups.
Ironically, while Office 365 is a suite of applications, roles and privileges cannot be defined the same way for all its constituent parts. Instead, IT pros must know the process for each application, and manually set up permission rules and settings based on the capabilities and level of trust for each administrator, and then apply them. This is time consuming to set up, and difficult to maintain.
Enter the SaaS Management Platform (SMP)
As enterprises moved to SaaS to ease infrastructure burdens and offer application access no matter where users are, the immense burden of managing and securing these applications began to negate some of their benefits. This led to a new class of solutions highlighted late last year in a Gartner Report — the SaaS Management Platform (SMP). Included in this category are Office 365 management solutions.
Learn more about SMP by reading the “The SaaS Management Platform (SMP): A ‘Single Pane of Glass’ to Make SaaS Management More Secure, Streamlined & Cost-Effective” whitepaper, available here.
Going Beyond the Office 365 Admin Center
A good Office 365 RBAC management solution turns setting role-based rights from a hassle into a joy, saving IT staff time and effort, increasing security, and boosting end user satisfaction through better IT service.
The right RBAC management tool offers a consistent, granular, efficient and automated way to set roles and privileges across the entire Office 365 environment.
CoreView and RBAC Are the Answer to Your Office 365 Delegation Problems
CoreView was designed in the trenches by a Microsoft Gold partner and solution provider to improve the manageability and security for its large base of Office 365 clients.
Today, CoreView's set of solutions, such as CoreAdmin and CoreSuite, offers a single pane of glass to create, control, and delegate admin permissions across the entire Office 365 set of applications. Instead of using the Microsoft Office 365 Admin Center console, CoreView uses a single Global Administrator account, and then has the CoreView portal grant more granular permissions to administrators within the CoreView hierarchy.
As mentioned before, the Microsoft Admin Center has different, sometimes vastly different approaches to setting permissions for Office 365. CoreView shields your IT group from all that. They need not know how the different Microsoft implementations of RBAC work to control access to all the applications in your Office 365 tenant.
Using a simple, intuitive interface, CoreView lets IT segment the Office 365 tenant in myriad ways — for example, by department, business unit, or location. After these groups are set up, IT can dive deeper, using CoreView’s RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks and only against a specific subset of users.
With CoreView, IT can take the entire organization served by Office 365 and break it into logical groups, or sub-tenants, perhaps based on Active Directory (AD) attributes. Once the organization is logically divided, regional admins can be assigned to the sub-tenants.
This granular control over permissions carries over to reporting. Here, both the central IT group and regional admins can get reports on what is happening with the local users in the sub-tenant. This level of detail is critical for compliance audits, spotting trends, and troubleshooting.
CoreView further allows you to fine-tune what actions each admin can perform, and which reports they can see. Instead of using the Office 365 Admin Center, your administrators simply log into the CoreView portal. Here, they are limited to making changes only to their assigned users, and can only perform actions they are specifically assigned.
These admins can even be restricted from logging into the native Office 365 Admin Center. Meanwhile, designated global IT administrators can delegate control over the management interface, defining access to reports, custom PowerShell scripts and common admin functions.
The RBAC Payoff
Since Office 365 by default only gives global administrative permissions, most shops rely on their expert and highly paid IT staff in the central office to handle the administrative heavy lifting. Help desk staffers working locally often have to escalate problem solving to the central office, slowing resolution and raising costs.
In contrast, proper use of RBAC increases IT productivity by empowering more local administrators — saving time and money. In fact, the National Institute of Standards and Technology in its ‘Economic Analysis of Role-Based Access Control’ study found that a 10,000-person company saves some $24,000 in IT labor, and another $300,000 a year from reduced worker downtime, through RBAC.
Meanwhile, delegating Office 365 admin responsibilities to those closer to the end users results in less micromanaging from the central office, and greater Office 365 uptime across the organization.
CoreView found that a company with 10,000 employees could save 950 hours of administration time per year, at a projected savings of $45,600 a year – just by properly using RBAC to set Office 365 admin permissions.
CoreView further estimates that the work of an entire full-time administrator can be saved, and redeployed to a more strategic function, through the overall management efficiencies offered by CoreView solutions, including moving more admin tasks to regional admins and help desk personnel.
Learn Everything That’s Wrong With Your Office 365 Environment
The Free CoreView Office 365 Health Check Finds:
- How Many Licenses Are Inactive
- What Services Are Barely Touched
- How Many Files Are Shared Dangerously
- How Many Users Have Admin Rights
- Where Security and Compliance Problems Lie
And What To Do About It!
The customized Office 365 Health Check Action Plan saves money, boosts end user productivity, secures Office 365, and automates common admin tasks — taking Office 365 management to the next level. This sample report is based on an actual customer, tracking two weeks of usage data. If you have any questions, please contact us.
Get your report here.
Learn More about Taming Office 365 through RBAC
Learn more about Office 365 administration with a CoreView demo.
For more information about admin roles, check out our RBAC for Office 365 blog.
Find out how to make your cloud environment more efficient by reading our Opportunities for Office 365 Cost Savings white paper.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.