Forum Discussion

CRIB111
Brass Contributor
Dec 07, 2023
Solved

Exchange/Azure AD higher risk security roles

Aside from Organisation Management, which other admin roles in Exchange Online (or AAD roles that grant access to manage aspects within ExO) would generally be considered the higher-risk roles that should only ever be granted to authorised/senior email admins? There are tons of default roles available, but Organisation Management seems to have the most permissions out of the box. I just wondered which other admin roles are generally considered 'higher risk' from a systems integrity/data protection perspective, so we can run some checks on current memberships, i.e. a 'top 5' of higher-risk admin roles.

3 Replies

  •
    LeonPavesic
    Silver Contributor

    Hi CRIB111,

    Here are some of the higher risk admin roles in Exchange Online and Azure AD:

    1. Global Administrator: This role, the highest in Azure AD, empowers users to assign admin access, reset other administrators' passwords, and oversee critical functions.

    2. User Administrator: With the ability to create and manage users and groups, as well as reset passwords, this role is essential for those handling user-related tasks.

    3. Privileged Role Administrator: Recently introduced in Azure AD, this role streamlines the management of reports in Azure AD Identity Protection and Privileged Identity Management (PIM).

    4. Security Administrator: Another new role in Azure AD, the Security Administrator simplifies the management and access to reports in Azure AD Identity Protection and PIM.

    5. Security Reader: Designed for read-only access to security information and policies, this role provides a non-intrusive way to stay informed.

      What's the difference between Azure roles and Azure AD roles? - Microsoft Community Hub

      #AzureAD updated with new admin roles - Microsoft Community Hub

      Best practices for Microsoft Entra roles - Microsoft Entra ID | Microsoft Learn



      Please click Mark as Best Response & Like if my post helped you to solve your issue.
      This will help others to find the correct solution easily. It also closes the item.


      If the post was useful in other ways, please consider giving it Like.


      Kindest regards,


      Leon Pavesic
      (LinkedIn)

    •
      CRIB111
      Brass Contributor

      Thanks for the info. Out of interest, if an admin were already logged into an account with Global Administrator permissions and needed to perform some Exchange Online admin work, would they need to switch to an account with Organisation Management permissions in Exchange, or does Global Admin essentially inherit all the admin permissions of each service-specific (Exchange, SharePoint, Teams etc.) admin role such as Organisation Management?

      •
        LeonPavesic
        Silver Contributor

        Hi CRIB111,

        thanks for the update.

        Regarding your question, in a Microsoft 365 environment, including Exchange Online, the Global Administrator role essentially inherits permissions for all service-specific administrative roles, including Exchange, SharePoint, Teams, etc.

        So, a user with Global Administrator permissions would have the necessary rights to perform Exchange Online administrative tasks and wouldn't need to switch to an account with Organization Management permissions specifically for Exchange tasks.

        Global Administrator is a broad role that encompasses administrative capabilities across the entire Microsoft 365 suite. This includes Exchange Online, SharePoint Online, Teams, and other services.

        Permissions in Exchange Online | Microsoft Learn


        Kindest regards,


        Leon Pavesic
        (LinkedIn)
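The original poster wanted to "run some checks on current memberships" of the roles listed in the first reply, and the follow-up asks how Global Administrator relates to the Exchange Online Organization Management role group. The script below is an added example for both points; it is not code from either participant or from Microsoft. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that the caller can read directory role assignments, and that the five role display names in `$highRiskRoles` are the review list you want (that list is an assumption drawn from the thread; adjust it as needed). It reports active Entra ID assignments, then PIM-eligible ones separately, then the Exchange Online role groups that matter most.

```powershell
# Added example (not from the original thread): review who holds the high-risk
# Entra ID roles discussed above, and who is in the Exchange Online
# "Organization Management" role group (or any role group carrying the
# "Role Management" role, whose members can grant themselves further rights).
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules are installed.

# Assumed review list, taken from the thread; edit to suit your tenant.
$highRiskRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'User Administrator',
    'Security Administrator',
    'Exchange Administrator'
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

# Resolve role definitions by display name so roles with zero members still show up.
$defs = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $highRiskRoles -contains $_.DisplayName }

# Active assignments only (PIM-eligible assignments are a separate object type).
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$report = foreach ($def in $defs) {
    $members = $active | Where-Object { $_.RoleDefinitionId -eq $def.Id }
    if (-not $members) {
        # Surface empty roles explicitly; an empty Global Administrator list is itself a finding.
        [pscustomobject]@{ Role = $def.DisplayName; PrincipalType = '(none)'; DisplayName = ''; UserPrincipal = ''; Scope = '' }
        continue
    }
    foreach ($m in $members) {
        $p = $m.Principal.AdditionalProperties
        [pscustomobject]@{
            Role          = $def.DisplayName
            PrincipalType = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')   # user / group / servicePrincipal
            DisplayName   = $p['displayName']
            UserPrincipal = $p['userPrincipalName']
            Scope         = $m.DirectoryScopeId   # '/' means tenant-wide
        }
    }
}

Write-Host "== Active Entra ID role assignments =="
$report | Sort-Object Role, DisplayName | Format-Table -AutoSize

# PIM-eligible assignments do not appear in the active list; list them too,
# because an eligible Global Administrator is one activation away from full rights.
Write-Host "== PIM-eligible assignments for the same roles =="
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty Principal |
    Where-Object { $defs.Id -contains $_.RoleDefinitionId } |
    ForEach-Object {
        [pscustomobject]@{
            Role      = ($defs | Where-Object Id -eq $_.RoleDefinitionId).DisplayName
            Principal = $_.Principal.AdditionalProperties['displayName']
            Scope     = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize

# Exchange Online side. Global admins are added to Organization Management
# automatically, which is why a Global Administrator needs no separate ExO role
# group; the membership listing below makes that linkage visible.
Connect-ExchangeOnline -ShowBanner:$false

Write-Host "== Exchange Online: Organization Management members =="
Get-RoleGroupMember -Identity 'Organization Management' |
    Select-Object Name, RecipientType | Format-Table -AutoSize

# Any role group holding the "Role Management" role can change RBAC itself,
# so treat its members like Organization Management members.
Write-Host "== Exchange Online: role groups that carry the Role Management role =="
Get-RoleGroup |
    Where-Object { $_.Roles -contains 'Role Management' } |
    Select-Object Name, @{ Name = 'Members'; Expression = { $_.Members -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Run it interactively; both `Connect-` cmdlets prompt for sign-in. Group members of a role are shown as a single group row, so expand any `group` principal with `Get-MgGroupMember` before treating the review as complete.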
