SOLVED

Secure Score Admin roles

%3CLINGO-SUB%20id%3D%22lingo-sub-294086%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-294086%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20everything%20in%20the%20tool%20available%20for%20users%20with%20that%20roles%20granted%3F%3CBR%20%2F%3EOr%20do%20you%20need%20any%20kind%20of%20specific%20lincense%20for%20extra%20functions%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-279270%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-279270%22%20slang%3D%22en-US%22%3E%3CP%3EPerfect.%3C%2FP%3E%3CP%3EFor%20the%20record%2C%20the%20option%20of%20%22...%3CSPAN%3E%3CSTRONG%3Egrant%20the%20user%20Security%20Reader%20rights%20via%20Azure%20AD%3C%2FSTRONG%3E...%22%20also%20worked.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-279268%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-279268%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Tony%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20roles%20are%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExchange%20Administrator%3C%2FLI%3E%0A%3CLI%3EGlobal%20Administrator%3C%2FLI%3E%0A%3CLI%3ESecurity%20Administrator%3C%2FLI%3E%0A%3CLI%3ESecurity%20Reader%3C%2FLI%3E%0A%3CLI%3ESharePoint%20Administrator%3C%2FLI%3E%0A%3CLI%3ESkype%20for%20Business%20Administrator%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWe%20are%20looking%20to%20add%20the%20Teams%20Administrator%20to%20the%20list%20in%20the%20future%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277898%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277898%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20elaborate%20specifically%20on%20which%20of%20the%20above-mentioned%20are%20%22workload%22%20besides%20Exchange%20and%20SharePoint%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277519%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277519%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Tony%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20user%20needs%20to%20be%20a%20workload%20(Exchange%2C%20SharePoint%2C%20etc)%20admin%20or%20have%20a%20security%20role.%26nbsp%3B%20You%20might%20want%20to%20grant%20the%20user%20Security%20Reader%20rights%20via%20Azure%20AD%20to%20see%20if%20that%20meets%20their%20needs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20other%20option%20is%20to%20leverage%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FUpdates-to-Microsoft-Secure-Score-New-API-and-Localization%2Fba-p%2F239550%22%20target%3D%22_self%22%3ESecure%20Score%20API%3C%2FA%3E%20and%20build%20out%20a%20dashboard%20in%20Power%20BI%20or%20another%20tool%20to%20show%20them%20just%20the%20data%20they%20need.%26nbsp%3B%20There%20are%20some%20YouTube%20videos%20%3CA%20href%3D%22https%3A%2F%2Fyoutu.be%2Fvg3QKQWVD6Y%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fyoutu.be%2FHLELpJsB1Yw%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20that%20might%20help%20with%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277099%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277099%22%20slang%3D%22en-US%22%3E%3CP%3EI%20read%20the%20same%20article%20and%20assumed%20that%20Custom%20Administrator%20%2F%20Reports%20Reader%20would%20give%20the%20access.%26nbsp%3B%20My%20user%20is%20telling%20me%20it's%20not%20working.%26nbsp%3B%20Is%20there%20a%20definitive%20list%20of%20which%20Custom%20Administrators%20should%20get%20access%3F%26nbsp%3B%20Here's%20the%20possibilities%3A%3C%2FP%3E%3CUL%3E%3CLI%3EBilling%20administrator%3C%2FLI%3E%3CLI%3EDynamics%20365%20service%20administrator%3C%2FLI%3E%3CLI%3ECustomer%20Lockbox%20access%20approver%3C%2FLI%3E%3CLI%3EExchange%20administrator%3C%2FLI%3E%3CLI%3EPassword%20administrator%3C%2FLI%3E%3CLI%3ELicense%20administrator%3C%2FLI%3E%3CLI%3ESkype%20for%20Business%20administrator%3C%2FLI%3E%3CLI%3EMessage%20Center%20reader%3C%2FLI%3E%3CLI%3EPower%20BI%20service%20administrator%3C%2FLI%3E%3CLI%3EReports%20reader%3C%2FLI%3E%3CLI%3EService%20administrator%3C%2FLI%3E%3CLI%3ESharePoint%20administrator%3C%2FLI%3E%3CLI%3EUser%20management%20administrator%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-253889%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-253889%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20Office%20365%20are%20three%20option.%20User%2C%20Global%20administrator%20or%20Customized%20administrator%2C%20which%20provides%20list%20of%20different%20admin%20roles%20available%20to%20manage%20services%20within%20Office%20365.%20I%20believe%20that%20the%20reference%20in%20the%20document%20is%20to%20the%20Customized%20administrator%20option%20in%20the%20Office%20365%20admin%20center%20user%20management.%20However%20not%20all%20the%20Customized%20administrator%20roles%20have%20access%20to%20the%20Secure%20Score.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-46023%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-46023%22%20slang%3D%22en-US%22%3E%3CP%3EI%20believe%20%3CEM%3ECustom%20Admin%20Roles%3C%2FEM%3E%20in%20this%20context%20is%20referring%20to%20an%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FAssign-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eadmin%20role%3C%2FA%3E%20that%20is%20something%20other%20than%20Global%20Admin%20(e.g.%20Exchange%20Online%20Admin%2C%20SharePoint%20Online%20Admin%2C%20etc.).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-45824%22%20slang%3D%22en-US%22%3ESecure%20Score%20Admin%20roles%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-45824%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20FAQ%20at%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FIntroducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%23faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FIntroducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef%3Fui%3Den-US%26amp%3Brs%3Den-US%26amp%3Bad%3DUS%23faq%3C%2FA%3E%20states%20that%20%22custom%20admin%20roles%22%20can%20access%20the%20Secure%20Score%20site.%26nbsp%3B%20Does%20anyone%20know%20what%20this%20means%3F%20does%20it%20mean%20%22service%20admins%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20the%20best%20of%20my%20knowledge%20we%20cannot%20create%20custom%20admin%20roles.%20Am%20I%20unaware%20of%20another%20new%20unnannounced%20feature%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-45824%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMicrosoft%20Office%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Respected Contributor

The FAQ at https://support.office.com/en-us/article/Introducing-the-Office-365-Secure-Score-c9e7160f-2c34-4bd0-... states that "custom admin roles" can access the Secure Score site.  Does anyone know what this means? does it mean "service admins"?

 

To the best of my knowledge we cannot create custom admin roles. Am I unaware of another new unnannounced feature?

 

 

8 Replies

I believe Custom Admin Roles in this context is referring to an admin role that is something other than Global Admin (e.g. Exchange Online Admin, SharePoint Online Admin, etc.).

In Office 365 are three option. User, Global administrator or Customized administrator, which provides list of different admin roles available to manage services within Office 365. I believe that the reference in the document is to the Customized administrator option in the Office 365 admin center user management. However not all the Customized administrator roles have access to the Secure Score.

I read the same article and assumed that Custom Administrator / Reports Reader would give the access.  My user is telling me it's not working.  Is there a definitive list of which Custom Administrators should get access?  Here's the possibilities:

  • Billing administrator
  • Dynamics 365 service administrator
  • Customer Lockbox access approver
  • Exchange administrator
  • Password administrator
  • License administrator
  • Skype for Business administrator
  • Message Center reader
  • Power BI service administrator
  • Reports reader
  • Service administrator
  • SharePoint administrator
  • User management administrator

Hi Tony,

 

The user needs to be a workload (Exchange, SharePoint, etc) admin or have a security role.  You might want to grant the user Security Reader rights via Azure AD to see if that meets their needs.

 

The other option is to leverage the Secure Score API and build out a dashboard in Power BI or another tool to show them just the data they need.  There are some YouTube videos here and here that might help with this.

Can you elaborate specifically on which of the above-mentioned are "workload" besides Exchange and SharePoint?

Best Response confirmed by Tony Derricott (Frequent Contributor)
Solution

Hi Tony,

 

The roles are:

  • Exchange Administrator
  • Global Administrator
  • Security Administrator
  • Security Reader
  • SharePoint Administrator
  • Skype for Business Administrator

We are looking to add the Teams Administrator to the list in the future

Perfect.

For the record, the option of "...grant the user Security Reader rights via Azure AD..." also worked.

Is everything in the tool available for users with that roles granted?
Or do you need any kind of specific lincense for extra functions?