About roles of Security Administrator, Compliance Administrator, Mailflow Administrator


Hi, 

Does anyone know whether those administrator roles can see customer's own personal information data along with company confidential information data?

Customer is concerned about assigning those roles to specific users when considering the Personal Information Protection Act and EAR regulations.

Thx

4 Replies
The answer is yes. They all allow a certain level of insight into the data, maybe not directly data stored in a mailbox etc., but may still show high-level information that can still contain PII. The role from your list that gives the broadest access to data is the Compliance Administrator. For example, the Compliance Administrator can do content searches, which can be done across various workloads and could return e.g. emails, chats, OneDrive data, etc.

Many companies of course state in their policies that company tools should only be used for company purposes, but at the same time local law might state that e.g. a mailbox is considered "private" even if it's a business mailbox.
Thx, Pvanberlo, for your reply.
But do you mean that all the administrator roles I mentioned before, Security Administrator, Compliance Administrator, Mailflow Administrator, show high-level information that can still contain PII?
Or does only the Compliance Administrator do it?

Thx
Compliance Administrator has the broadest access (due to the ability to do a content search).

It's probably best to have a look at the overview of permissions provided by each role for the others. For example, Mailflow Administrator provides the View-Only Recipients permission. This provides access to reports, which may contain information that could be considered PII, but it doesn't provide actual e-mail content for example.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-secur...
How about the Security Administrator?
When I check it, that role can only deal with activity or security policies, so it looks like it works only on settings, not data. What is your opinion?

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#compliance-admin...