Forum Discussion
Security & Compliance Center RBAC vs Azure AD admin roles
- Sep 13, 2018
Well, it is even more complex. Microsoft's documentation says that the Global admin is automatically added as a member of the Organization Management role in SCC, but if you open the SCC Admin site as Global admin you will see different management options than if you just add somebody to the Organization Management role in SCC. The same happens with Compliance Administrator, Security Administrator or Reader, which are AAD admin roles as well as SCC admin roles.
There is a difference between a Role Group (what EAC and the SCC use) and Roles, as used by Azure AD, as the former can be customized. In a nutshell though, assigning a user one of those roles in AAD should add him to the relevant Role Group in the SCC, so they should give the same set of permissions.
The AAD roles are documented in detail here, down to the individual permission entry: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
Some additional information about the SCC roles can be found here: https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-in-the-security-and-compliance-center?redirectSourcePath=%252farticle%252fPermissions-in-the-Office-365-Security-Compliance-Center-d10608af-7934-490a-818e-e68f17d0e9c1
- broonster, Nov 21, 2021, Copper Contributor
I've read those documents a few times now and still don't see the difference and/or crossover between AAD roles and Compliance Centre roles.
- Bedrich Chaloupka, Sep 11, 2018, Copper Contributor
Thank you for your response. You are completely correct that the AAD admin roles should add the individual to the relevant SCC role and provide the same set of permissions, but it obviously does not work like that. The set of given permissions is different and the individual does not even appear in the members list of any of the SCC admin roles.
- VasilMichev, Sep 11, 2018, MVP
That's the point, he doesn't need to appear there. Much like you don't see all your Global admins listed as members of each Role Group in EAC/SCC. Instead, you see the "placeholder" groups such as "TenantAdmins_c25d1" or "SecurityAdmins_-417435872".
- VasilMichev, Sep 11, 2018, MVP
Actually, it turns out the SCC groups do NOT include the "placeholder" groups such as TenantAdmins.
Here's a comparison between the EAC Role Group:
    Get-RoleGroupMember "Organization Management"

    Name               RecipientType
    ----               -------------
    TenantAdmins_c25d1 Group
And the SCC role group:
    Get-RoleGroupMember OrganizationManagement

    Name         RecipientType
    ----         -------------
    Vasil Michev MailUser
So yeah, you have to add them manually.
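
The comparison above can be run across every role group rather than one at a time. The following is an added example, not code from the thread or from any poster: the function names and the placeholder-name pattern are assumptions (the pattern is inferred only from the two group names quoted above), and the sample rows are constructed to mirror the two outputs shown.

```powershell
# Added example, not from the thread. Live use needs the ExchangeOnlineManagement module.
function Get-RoleGroupSnapshot {
    # Lists each role group and its direct members on the currently connected endpoint
    # (Connect-ExchangeOnline for EAC, Connect-IPPSSession for the SCC).
    param([Parameter(Mandatory)][string]$Endpoint)
    foreach ($group in Get-RoleGroup) {
        foreach ($member in Get-RoleGroupMember -Identity $group.Name) {
            [pscustomobject]@{
                Endpoint      = $Endpoint
                RoleGroup     = $group.Name
                Member        = $member.Name
                RecipientType = [string]$member.RecipientType
            }
        }
    }
}

function Test-PlaceholderGroup {
    # Assumption: placeholders are groups named like TenantAdmins_c25d1 or
    # SecurityAdmins_-417435872, the two names quoted in the thread.
    param($Row)
    $Row.RecipientType -like '*Group*' -and $Row.Member -match '^\w+Admins_-?\w+$'
}

function Get-PlaceholderCoverage {
    # Per role group: is an Azure AD placeholder group a member, and who is listed directly?
    # Role groups with no members at all produce no rows and are not reported.
    param([Parameter(Mandatory, ValueFromPipeline)]$Row)
    begin   { $rows = @() }
    process { $rows += $Row }
    end {
        $rows | Group-Object Endpoint, RoleGroup | ForEach-Object {
            $placeholder = @($_.Group | Where-Object { Test-PlaceholderGroup $_ })
            $direct      = @($_.Group | Where-Object { -not (Test-PlaceholderGroup $_) })
            [pscustomobject]@{
                Endpoint      = $_.Group[0].Endpoint
                RoleGroup     = $_.Group[0].RoleGroup
                Placeholder   = $placeholder.Member -join ', '
                DirectMembers = $direct.Member -join ', '
                AddManually   = ($placeholder.Count -eq 0)  # the thread's conclusion for the SCC
            }
        }
    }
}

# Constructed sample rows mirroring the two outputs quoted in the thread.
$sample = @(
    [pscustomobject]@{ Endpoint = 'EAC'; RoleGroup = 'Organization Management'; Member = 'TenantAdmins_c25d1'; RecipientType = 'Group' }
    [pscustomobject]@{ Endpoint = 'SCC'; RoleGroup = 'OrganizationManagement'; Member = 'Vasil Michev'; RecipientType = 'MailUser' }
)
$sample | Get-PlaceholderCoverage | Format-Table -AutoSize
# Live: Connect-IPPSSession; Get-RoleGroupSnapshot -Endpoint SCC | Get-PlaceholderCoverage
```

For an access review, rows with `AddManually` set to `True` are the role groups where Azure AD role holders receive nothing through a placeholder group, so the `DirectMembers` column is the complete list of who holds that role group.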