SOLVED

Grant access to Security Administrators on Secure Score

Brass Contributor

Hi,

 

The Security & Compliance portal has a 'security administrator' role, why couldn't members of that role been granted access to Secure Score?

 

At least the same security team that looks after the compliances can also use the Secure Store.

 

 

Thank you,

Eduardo

15 Replies

I thought they already did. @Brandon Koeller should be able to confirm/deny.

Hey! Vasil's got it right. Any of the AAD-sourced admin roles (including Security Admin) is granted access to the Secure Score inclusive of the below (and sorry for the code framing...I'm being lazy):
/// The tenant admin role
/// </summary>
public const string TenantAdminRole = "TenantAdmin";

/// <summary>
/// The security admin role
/// </summary>
public const string SecurityAdminRole = "SecurityAdmin";

/// <summary>
/// The helpdesk administrator role
/// </summary>
public const string HelpdeskAdminRole = "HelpdeskAdmin";

/// <summary>
/// The exchange admin role
/// </summary>
public const string ExchangeAdminRole = "ExchangeAdmin";

/// <summary>
/// The share point admin role
/// </summary>
public const string SharePointAdminRole = "SharePointAdmin";

/// <summary>
/// The user account admin role
/// </summary>
public const string UserAccountAdminRole = "UserAccountAdmin";

Thanks! BK
It is not working on my tenant. I've added couple of people into the Security Admin group, they confirmed they can access the Security and Compliance portal but they got a 403, Access Denied, when browsing to Secure Score.

please note those users don't have any admin rights to SharePoint, Exchange, etc

Thanks,
Ed

Eduardo - did you get any further with delegating Secure Score portal access to accounts other than Global Administrators?

One of my colleagues has been working on Secure Score for the past few months as we use it for our security adoption and tracking. Not being able to follow "least privilege" principles in a sceutiy product is quite annoying and it would be good to understand if MS are going to address this

Paul

best response confirmed by VI_Migration (Silver Contributor)
Solution

Hey Gents,

The non-global-admin access has been in place since April 2017. Any users with admin roles are able to access the Secure Score experience, but will not be able to make changes unless that change is in scope for the admin role they are assigned. If you aren't seeing that behavior, please do escalate to Microsoft support so they can help get it resolved.

Thanks!

Brandon Koeller

@Brandon Koeller thanks for the information. Any plans to allow the "Security Reader" role the ability to view the data in the Secure Score portal? For example in our organisation we would like to be able to provide management a view on the state of compliance but don't want them to have admin rights . They could inadvertently change a setting with admin privileges but more importantly we don't want to contaminent an on-prem user identity  with access to email and the web having admin privileges in O365.

The other solution would be if you plan to produce a PowerBI content pack that consumes the data from Secure Score portal

Many thanks

Paul  

Hey Paul,
Thanks for the follow-up. Straight up, I didn't even realize there was a role in AAD called Security Reader. 🙂 I've added a task to our backlog to get this role added to the allow list. Thanks for the feedback!
Brandon Koeller

Hello, everyone

Did you manage to fix this? I'm having the same problem, I was appointed as a security admin yesterday, and have no way of seeing the secure score. 

Secure score website, brings me to the 403 error as well.

Any tips on how you got this working?

 

Thanks

Hi Brandon, Any news on the Security Reader role getting access to the Security Score pages?

+1 on having the Security Reader or Security Administrator role access to securescore without having the ability to modify settings.  I lead the InfoSec team and the system admins do not want my team to have modify access.   We are also getting the 403 "You are not an administrator for your tenancy. The Secure Score requires some kind of administrative role for access" error.   Is there a status?  Thanks!

@Brandon Koeller - adding another vote to allow 'Security Reader' to … um  … read … security … kind of sounds like what's it mean to do, huh?

 

I would absolutely love the ability visit https://securescore.office.com or see the data from a widget on https://protection.office.com without bothering my O365 Administrators. 

 

Can you please add these abilities to the 'Security Reader' role?

Hey Everyone, Apologies for the delayed response here. The Security Reader role now has access to the Secure Score (as of September, 2018). Thanks for the feedback!

Brandon Koeller

In my company's tenant, the two of us that just got Security Reader still can't see Secure Score.  Do you have any suggestions?

This article should be updated:

https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score

[You must be an Office 365 administrator, such as a global admin or security admin, to access Secure Score.]

 

There is no "Secure Score widget" in the Security & Compliance portal for "Security Reader" Role members. However, the M365 secure score can be accessed via https://securescore.microsoft.com.

This role also have access to the Identity Secure Score via https://portal.azure.com / Azure AD / Identity secure score.

@EduardoNZ 

I had the same issue (granting access to the secure score portal). Unfortunately i didn't found the answer here therefor I started troubleshooting.

Yes! Today I have found the solution.

Assigning the security reader rol will fix the issue but you should do that in azure portal rol assignments en not in the office 365 security & compliane / permissions.

It seams that these two section are not the same/ or not in synch.

 

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

Hey Gents,

The non-global-admin access has been in place since April 2017. Any users with admin roles are able to access the Secure Score experience, but will not be able to make changes unless that change is in scope for the admin role they are assigned. If you aren't seeing that behavior, please do escalate to Microsoft support so they can help get it resolved.

Thanks!

Brandon Koeller

View solution in original post