SOLVED

Security Operator, but can add to TABL

Brass Contributor

I currently have the Entra ID Security Operator PIM role activated, and I am able to add email addresses to the TABL, as well as managing Anti-Spam and Anti-Phishing policies.  In the past, I've needed to be a Security Administrator to do this.  Has something changed?  If not, could this be an unintended consequence of me activating the MDO workloads for Unified RBAC?

4 Replies
best response confirmed by SKadish (Brass Contributor)
Solution

@SKadish 

According to the documentation you need to be a member in one of these role groups:

Exchange Online permissions:

1. Organization Management or Security Administrator
2. Security Operator (Tenant AllowBlockList Manager)

Entra ID permissions:

Global Admin, Security Admin, Global Reader, Security Reader

 


Allow or block email using the Tenant Allow/Block List | Microsoft Learn

 

My impression here is that because of the unified RBAC model this role had to be modified to work. 

 

Hope this helps.

 

G.
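Since the answer above comes down to which role groups and management roles grant write access to the Tenant Allow/Block List, the natural follow-up for an admin is to audit who actually holds that access in their own tenant. The script below is an added example for that purpose; it is not code from the thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement PowerShell module is installed, that the caller can read role assignments, and that the role group names are the ones the documentation lists (a tenant that lacks one of them simply gets a warning for that group).

```powershell
# Added example (not from the thread): audit who can write to the Tenant Allow/Block List (TABL).
# Assumes the ExchangeOnlineManagement module is installed and the caller may read role assignments.
Connect-ExchangeOnline

# 1. Everyone who effectively holds the "Tenant AllowBlockList Manager" management role,
#    whether assigned directly or inherited through a role group such as "Security Operator".
$tablWriters = Get-ManagementRoleAssignment -Role "Tenant AllowBlockList Manager" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType -Unique

Write-Host "Effective holders of the Tenant AllowBlockList Manager role:"
$tablWriters | Format-Table -AutoSize

# 2. Members of the Exchange Online role groups the documentation names for TABL write access.
#    Assumption: these group names exist in the tenant; a missing group is reported, not fatal.
foreach ($group in "Organization Management", "Security Administrator", "Security Operator") {
    try {
        Write-Host "Members of role group '$group':"
        Get-RoleGroupMember -Identity $group -ErrorAction Stop |
            Select-Object Name, RecipientType |
            Format-Table -AutoSize
    }
    catch {
        Write-Warning "Role group '$group' not found or not readable: $($_.Exception.Message)"
    }
}

# 3. Current sender entries in the list, newest first, so an unexpected entry can be
#    matched against the assignees enumerated above during a change review.
Get-TenantAllowBlockListItems -ListType Sender |
    Select-Object Value, Action, LastModifiedDateTime, Notes |
    Sort-Object LastModifiedDateTime -Descending |
    Format-Table -AutoSize
```

Running this before and after changing a role's scope (for example, enabling the MDO workloads under unified RBAC, as the original question describes) makes it easy to see whether the set of people who can add or remove TABL entries has silently changed.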

 

Hi Gregory,

Thanks very much. I think that you are right and that the role was modified. It's strange that a Global Reader would be able to add items to the TABL, and I need to test this. As for Security Operator, I'm using the Entra ID role, but not the Exchange Online role.

I appreciate the help!

Glad to help! Could I ask a favor? If you feel this is the best answer, can you mark it as best answer?

Sure. I did test the Entra Global Reader role, and it doesn't have the rights to manually add addresses to the TABL (which is as it should be).