365 security roles and data protection


Which specific roles and/or permissions in a 365 tenant would allow the user, where granted, the ability to view:
- all Mailbox content for all users/mailboxes, e.g. view the content of their inbox?
- all SharePoint content across the system

I appreciate there are the obvious ones, e.g. 'SharePoint administrator', 'Exchange administrator', 'Global administrator' etc., but I want to be sure there are no others that could easily be missed if working purely off default roles and permissions. In many other platforms there are ways of assigning specific privileges to custom roles which can purposely or inadvertently grant access to sensitive data, and therefore knowing of those specifics, and checking who has been granted those, would be very useful.

Out of interest, does the global reader role, even though supposedly intended as a read-only representation of the global admin account, have 'global read access' within the various Microsoft services, e.g. can it view user data within Exchange mailboxes, SharePoint sites etc.?

1 Reply

None of the default roles can access content within mailboxes; you need to specifically grant Full Access permissions for that, or use tools such as eDiscovery. For SPO, you will have access to the default site collection, but that can be adjusted as needed. If you need additional details, run a search online; this is a fairly common question and there are lots of articles discussing it.
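The reply points at the two paths that actually expose mailbox content: explicit Full Access grants and eDiscovery/search roles. The following PowerShell is an added example, not code from either poster, that inventories both so the asker's "who has been granted those" check can be run against a tenant. It assumes the ExchangeOnlineManagement module is installed, that the caller is allowed to read mailbox permissions and role assignments, and that the default role group names ('Discovery Management', 'Organization Management') and the 'Mailbox Search' role are unchanged.

```powershell
# Added example (not from the thread): inventory explicit Full Access grants
# and mailbox-search-capable role holders in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the caller
# holds a role permitted to read these objects.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Explicit (non-inherited, non-deny) Full Access entries on every user and
#    shared mailbox, ignoring NT AUTHORITY\SELF and the owner's own entry.
$fullAccess = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    ForEach-Object {
        $mbx = $_
        Get-EXOMailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and
                -not $_.IsInherited -and
                -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\*' -and
                $_.User -ne $mbx.UserPrincipalName
            } |
            Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, User, AccessRights
    }

# 2. Members of the built-in role groups whose roles allow searching and
#    exporting other people's mailbox content.
$discoveryGroups = 'Discovery Management', 'Organization Management'
$discoveryMembers = foreach ($g in $discoveryGroups) {
    Get-RoleGroupMember -Identity $g |
        Select-Object @{n='RoleGroup';e={$g}}, Name, PrimarySmtpAddress
}

# 3. Anyone holding the 'Mailbox Search' role through ANY assignment path,
#    which catches custom role groups the default list above would miss.
#    'All Group Members' rows are placeholders for unexpanded groups and are dropped.
$mailboxSearch = Get-ManagementRoleAssignment -Role 'Mailbox Search' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
    Select-Object RoleAssigneeName, EffectiveUserName

$fullAccess       | Export-Csv .\FullAccessGrants.csv       -NoTypeInformation
$discoveryMembers | Export-Csv .\DiscoveryRoleMembers.csv   -NoTypeInformation
$mailboxSearch    | Export-Csv .\MailboxSearchHolders.csv   -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The Purview (compliance portal) eDiscovery role groups are managed through Security & Compliance PowerShell (Connect-IPPSSession) rather than Exchange Online, so their membership needs a separate pass with the same Get-RoleGroupMember approach.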