Forum Discussion

Brass Contributor

Apr 02, 2017

Solved

Grant access to Security Administrators on Secure Score

Hi, The Security & Compliance portal has a 'security administrator' role, why couldn't members of that role been granted access to Secure Score? At least the same security team that looks aft...

Brandon Koeller
Jun 27, 2017
Hey Gents,
The non-global-admin access has been in place since April 2017. Any users with admin roles are able to access the Secure Score experience, but will not be able to make changes unless that change is in scope for the admin role they are assigned. If you aren't seeing that behavior, please do escalate to Microsoft support so they can help get it resolved.
Thanks!
Brandon Koeller

VasilMichev

MVP

Apr 03, 2017

I thought they already did. BrandonKoeller should be able to confirm/deny.

BrandonKoeller

Microsoft

Apr 03, 2017

Hey! Vasil's got it right. Any of the AAD-sourced admin roles (including Security Admin) is granted access to the Secure Score inclusive of the below (and sorry for the code framing...I'm being lazy):
/// The tenant admin role
/// </summary>
public const string TenantAdminRole = "TenantAdmin";

/// <summary>
/// The security admin role
/// </summary>
public const string SecurityAdminRole = "SecurityAdmin";

/// <summary>
/// The helpdesk administrator role
/// </summary>
public const string HelpdeskAdminRole = "HelpdeskAdmin";

/// <summary>
/// The exchange admin role
/// </summary>
public const string ExchangeAdminRole = "ExchangeAdmin";

/// <summary>
/// The share point admin role
/// </summary>
public const string SharePointAdminRole = "SharePointAdmin";

/// <summary>
/// The user account admin role
/// </summary>
public const string UserAccountAdminRole = "UserAccountAdmin";

Thanks! BK

EduardoNZ
Brass Contributor
Apr 03, 2017
It is not working on my tenant. I've added couple of people into the Security Admin group, they confirmed they can access the Security and Compliance portal but they got a 403, Access Denied, when browsing to Secure Score.

please note those users don't have any admin rights to SharePoint, Exchange, etc

Thanks,
Ed
- Paul Bendall
  Iron Contributor
  Jun 27, 2017
  Eduardo - did you get any further with delegating Secure Score portal access to accounts other than Global Administrators?
  
  One of my colleagues has been working on Secure Score for the past few months as we use it for our security adoption and tracking. Not being able to follow "least privilege" principles in a sceutiy product is quite annoying and it would be good to understand if MS are going to address this
  
  Paul
  - Brandon Koeller
    Copper Contributor
    Jun 27, 2017
    Hey Gents,
    The non-global-admin access has been in place since April 2017. Any users with admin roles are able to access the Secure Score experience, but will not be able to make changes unless that change is in scope for the admin role they are assigned. If you aren't seeing that behavior, please do escalate to Microsoft support so they can help get it resolved.
    Thanks!
    Brandon Koeller