Blog Post

Microsoft 365 Blog
9 MIN READ

ADMIN - Security, Productivity, and Network Enhancements for Microsoft 365 Administrators

ScottSchnoll's avatar
ScottSchnoll
Icon for Microsoft rankMicrosoft
Nov 04, 2019

The Microsoft 365 admin center—admin.microsoft.com—is the hub of the Microsoft 365 ecosystem. As part of our ongoing efforts to improve your Microsoft 365 admin experience, we’ve made a variety of security, productivity, and networking enhancements in Microsoft 365 that we’re excited to share with you at Microsoft Ignite. Here’s a rundown of some of things we’re announcing and talking about in Orlando this week. At the end of this blog you’ll find links to the pages where after the event you can download the presentations and recordings of the sessions where all of this is covered.

 

User, Group and Role Management Improvements

You’ve given us feedback in a number of areas, and in response, we’ve added features that make it easier and more efficient to manage Microsoft 365 for your organization. Based on customer feedback, we added features that enable you to reduce the number of Global admins in your organization, identify least privileged roles, export and view role assignments, and much more.

 

Global reader role

You’ve told us that too many admin tasks require the use of the Azure Active Directory (Azure AD) Global administrator (Global admin) role. The Global admin role is the highest privileged role within Microsoft 365, and it’s the only role with access to all administrative functions in Azure AD and services that use Azure AD identities. It’s also an account type that is specifically targeted in attacks, and often compromised at twice the rate of other admin accounts. For this and other reasons, it’s a best practice to limit the number of Global admins within an organization; in fact, we recommend that you assign this role to fewer than 5 users in your organization.

 

To help increase your security posture by minimizing the use of the Global admin role, we’ve introduced new built-in Azure AD roles, including a Global reader role, which is a read-only counterpart to the Global admin role. And we’ve added support for the Global reader role to Microsoft 365 and in the Microsoft 365 admin center, allowing you to reduce the number of and burden on Global admins in your organization.

 

Unlike the Global admin role, which can be used to change all administrative settings, the Global reader role can only view these settings. Users with the Global reader role can read settings and administrative information across Microsoft 365 services, but they can't take any actions. This level of access means you can assign the Global reader role to users in your organization that need to support administrative functions, such as planning, audits, and investigations, without having to grant a higher level of privileges than is necessary. The Global reader role can also be combined with other administrative roles (for example, Exchange admin) to more finely control and scope the assignment of admin privileges in your organization.

 

Search, Compare, Export and Favorite Roles

You’ve told us that it’s difficult to identify the least privileged role needed for admin tasks, and that it can be time-consuming to understand what each admin needs to do and to find the right role for their tasks. When struggling to figure out what role to assign, some customers told us they gave up trying and just assigned the Global admin role to anyone who needs to perform any admin tasks.

We’ve added features to the Microsoft 365 admin center that help you overcome these challenges. We’ve enhanced the search capabilities to allow you to search across role names, descriptions, and permissions using a string match.

 

With the new Compare roles feature, you can select up to three roles to compare side-by-side in a table that shows the granular permissions included in each role.

 

Figure 1 – Search across and compare roles in the Microsoft 365 admin center

 

Figure 2 - Comparing Application admin and Application developer roles

 

By comparing different roles, you can quickly find the least permissive role to assign. You can also search across the selected roles to find and compare specific permissions.

 

Figure 3 - Searching for delete permissions in compared roles

 

Using the Export option shown above, you can export the role comparison to a CSV file.

 

Figure 4 - Export role comparison to CSV

 

The Roles page now allows you to favorite the roles that align best to your organization’s specific job functions.  You can filter the displayed list of roles by Favorites, making these more readily available to you.

 

Figure 5 - Filtered view of roles that have been favorited

 

User Templates

You’ve told us that creating multiple users with the same settings can be frustrating and time-consuming. To help streamline user management, we added user templates on the Active users page that allow you to quickly add new users with shared attributes, such as:

 

  • Domain and password settings;
  • Location, license and app assignments; and
  • Admin role assignments and profile info.

Templates are particularly useful if you have users who share many properties, like those who work in the same role and the same location. There are two ways to add a new template. You can add one from the Active users page or, when you add a new user, you can save these settings for that user as a template.

 

Figure 6 - User templates available on the Active users page

 

For more information, see New to admin center: Templates for adding users faster.

 

Office 365 Groups

We made a number of enhancements to Office 365 Groups, which power collaboration across Microsoft 365 by enabling users in your organization to share knowledge and information using email, calendaring, documents and more. These enhancements include support for sensitivity labels, activity-based renewal and expiration, the addition of the Groups administrator role in Azure Active Directory, and more.

 

Office What’s New management preview

You told us that you want the ability to control communication of new Office features to your users. We added new capabilities that put you in control of your users’ experience with the What’s New section of the Office desktop app Help pane. As we announced at Ignite, these capabilities are currently in preview, and we plan to make them generally available early next year.

 

Figure 7 - What's New in the Help panel of the Office client

 

You can hide or show What’s new content on Office client apps as relevant to your organization. ​When an important ‎Office‎ feature is released, users will get a "What's new" card about it. If you don't want users to see the card, you can hide it. You can also choose when you'd like users to see the card by showing it.

 

Figure 8 - Hiding and showing What's new for Office apps items

 

New experiences in the Microsoft 365 admin center

We made several changes to the Setup page that enable you to discover, learn, and activate features across Microsoft 365. For example, we added new AI-powered and contextual recommendations based on your current configuration and activities, and for reducing costs by enabling self-service features. We also added recommendations for increasing protection from risks and threats, maintaining compliance with data regulations, migrating data, and deploying and updating Office apps.

 

Figure 9 – New experiences in Microsoft 365 admin center

 

When you click View for a recommendation, you’ll see that each one includes details about the recommended feature, including what the feature does and why it is recommended, at-a-glance information that is specific to the recommendation, and details on how users may be affected by the implementation of the feature.

 

Figure 10 - Viewing a recommendation in the Microsoft 365 admin center

 

If a recommended feature has not yet been implemented, and you have been assigned the appropriate admin role, you can click Get Started to begin the implementation process. If the feature has been implemented, you can click Manage to view and configure the feature.

 

Figure 11 - Blade showing users with Security administrator role

 

Using the Global reader role to access the Microsoft 365 admin center is a powerful and more secure way to perform planning and auditing activities for Microsoft 365, as a Global reader can view and assess the recommendations, learn about implementation steps and user impact, and see current administrative assignments without making any tenant or configuration changes.

 

Figure 12 - Viewing recommendations as a Global reader

 

Report an Issue

We are adding a powerful new crowd sourcing solution to report issues from the Service health dashboard in the Microsoft 365 admin center. If you are impacted by an issue that is not yet shown on your Service health dashboard, the new “report an Issue” feature will provide you with a quick and easy way to let us know about the problem. This feature is a direct input to the engineering teams and helps us identify broadly impacting issues.  All you need to do is to click on “Report an Issue” button and provide some basic information about the issues you are experiencing. Based on the correlation of the signal across tenants, we will be able to start our investigation immediately, and the richer context enables more accurate detection and faster resolution.

 

Figure 13 – Reporting an issue in Service Health Dashboard

 

Network performance insights

We announced a preview program for network performance insights and a network score in the Microsoft 365 admin center. A significant factor that determines the quality of the Office 365 user experience is network reliability and low latency between Office 365 clients and Office 365 service front doors. Microsoft measures network performance between client applications and our cloud servers to help plan and operate our services. These measurements are now being used to provide network architecture design insights that are shown in the network performance page on the Microsoft 365 admin center. Network insights show recommended network architecture design changes and the network score shows how network connectivity impacts user experience which allows comparison of how well different user location connections are designed for Office 365 network traffic. For complete details, see Enterprise network connectivity and network performance measurement in the Microsoft 365 Admin Center.

 

Office 365 networking partner program

We announced a set of partnerships to help you build and optimize your network solutions for the best Office 365 experience. We created the Office 365 Networking Partner Program to help align our partner ecosystem around key principles for optimal connectivity. The program enables us to deepen our collaboration with network partners that natively build Office 365 networking connectivity principles into their networking products and solutions. For more information, see Office 365 announces new network connectivity innovations and partnerships.

 

Azure Cloud Shell integration

We announced that Azure Cloud Shell, which enables you to manage your resources from an authenticated, browser-based, interactive PowerShell experience, is now available within the Microsoft 365 admin center. The Exchange Online and the Teams modules are currently available for use, and more experiences are coming in the future.

 

Ignite recap

So far we’ve only scratched the surface of the Microsoft 365 admin experience improvements we shared at Ignite. There’s so much more goodness to talk about, so read What's new in the Microsoft 365 admin center, and check out these Ignite sessions using the following links.

 

Learning Path Sessions

  • ADM10 - Onboarding and setup: Getting the most out of Microsoft 365
  • ADM20 - Addressing top management issues with users and groups
  • ADM30 - Incident communications at cloud-scale: How Microsoft 365 is improving when things go wrong
  • ADM40 - Using analytics to maximize your Microsoft 365 value
  • ADM50 - Managing across tenant boundaries in Office 365

Breakout Sessions

  • BRK2056 - Embrace Office 365 Groups: What's new and what's next
  • BRK2058 - Deploy Office 365 groups at scale to power Microsoft Teams, Outlook, Yammer, and SharePoint
  • BRK2059 - Data residency with Office 365 datacenters
  • BRK2060 - What's new in Microsoft 365 admin center
  • BRK2210 - Finding your collaboration sweet spot with Office 365 Groups, SharePoint, Teams, and Yammer
  • BRK2300 - Leveraging data and intelligence for admin experiences in Microsoft 365
  • BRK3041 - Role-based access control in Microsoft 365: Improve your operations and security posture
  • BRK3264 - Transform collaboration and fight shadow IT with Office 365 groups
  • BRK3304 - Admin experiences across Microsoft 365: Roundtable topics
  • BRK3304R - Admin experiences across Microsoft 365: Roundtable topics Repeat

Theater Sessions

  • THR1129 - Microsoft 365 Ask Us Anything session
  • THR2091 - Master sharing and permissions of Office 365 in 20 minutes
  • THR2116 - Microsoft 365 admin center demo-fest: Crash course on latest and greatest management tools
  • THR2251 - How Microsoft empowers employees through self-service collaboration while still protecting the company in Office 365
  • THR2283 - What's new for Microsoft 365 admins
  • THR3043 - Microsoft Teams and Office 365 Groups PowerShell MasterClass
  • THR3083 - Office 365 Groups: Ask us anything
  • THR3084 - Microsoft 365 admin: Ask us anything
  • THR3085 - Microsoft 365 network performance testing, scoring, and recommendations
Updated May 06, 2021
Version 3.0
  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    The message center still needs better searching and filtering. Searching only finds items on the current tab, i.e. dismissed messages are not found unless you are on that tab. There is no way to see all of the messages for a specific workload, it would be very helpful to be able to filter by workload/app/service, just like we can on the roadmap.

  • Thanks very much for the feedback, Dean_Gross!  I know you can use Preferences to show/hide different workloads, but I agree that it would be very useful to have all workloads shown, and then use Filter to filter by workload.  I'll be sure to pass this on to the admin center team.