SOLVED
Security & Compliance Center RBAC vs Azure AD admin roles

Bedrich Chaloupka
New Contributor

Please, is there any clear documentation (mapping) of the relation between AAD admin roles and the Security & Compliance Center (SCC) RBAC roles? In both admin centers it is possible to add someone as a member of Security Administrator, Security Reader, Compliance Administrator and other roles, but the set of administrative features available in the SCC is different based on whether the role was assigned in AAD or in SCC. I know the roles have the same names and different purposes, but obviously the AAD admin roles enable some admin features in SCC, but different ones than expected. I did not find this documented anywhere except a note that Global admin automatically gets the Organization Management role in SCC. This looks quite chaotic.

6 Replies

There is a difference between a Role Group (what EAC and the SCC use) and Roles, as used by Azure AD, as the former can be customized. In a nutshell though, assigning a user one of those roles in AAD should add him to the relevant Role Group in the SCC, so they should give the same set of permissions.


The AAD roles are documented in detail here, down to the individual permission entry: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

Some additional information about the SCC roles can be found here: https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-in-the-security-and-compli...

Thank you for your response. You are completely correct that the AAD admin roles should add the individual to the relevant SCC role and provide the same set of permissions, but it obviously does not work like that. The set of given permissions is different and the individual does not even appear in the members list of any of the SCC admin roles.

That's the point, he doesn't need to appear there. Much like you don't see all your Global admins listed as members of each Role Group in EAC/SCC. Instead, you see the "placeholder" groups such as "TenantAdmins_c25d1" or "SecurityAdmins_-417435872".

Actually, it turns out the SCC groups do NOT include the "placeholder" groups such as TenantAdmins.


Here's a comparison between the EAC Role Group:


Get-RoleGroupMember "Organization Management"

Name               RecipientType
----               -------------
TenantAdmins_c25d1 Group

And the SCC role group:


Get-RoleGroupMember OrganizationManagement

Name         RecipientType
----         -------------
Vasil Michev MailUser

So yeah, you have to add them manually.

Solution

Well, it is even more complex. Microsoft's documentation says that the Global admin is automatically added as a member of the Organization Management role in SCC, but if you open the SCC Admin site as Global admin you will see different management options than if you just add somebody to the Organization Management role in SCC. The same happens with Compliance Administrator, Security Administrator or Reader, which are AAD admin roles as well as SCC admin roles.


@Bedrich Chaloupka @Vasil Michev  I was about to post a similar question based on days of trying to figure this out. So, thank you for already discussing this in advance!


I wanted to create a Role Group in the SCC for Records Managers to create and manage retention policies and manage dispositions. The two roles that appear (on the face of it) to allow this are 'Retention Management' and 'Disposition Management', as well as 'RecordManagement', which role doesn't seem to do anything.


But I also need the records managers to have the ability to search the audit logs, now that these have vanished from SPO. So I added the 'Audit Logs' role. However, this gives access to a whole bunch of additional options that I don't want the records manager to have. 


Have either of you seen a matrix that defines what section/option appears for each specific role? Or a script that can produce this? 


Also, another inconsistent experience is that:

  • If you grant the user an Admin role from the EAC, they see the 'Admin' app in Office.com, and from there can get to the SCC portal. 
  • If you grant the user the same role in the SCC (but not in the EAC), they don't get the 'Admin' app but can access the SCC portal. This means they have to be told the SCC URL to get to it.
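For the "matrix or script" asked about here, and to extend the Get-RoleGroupMember comparison earlier in the thread, the following is an added example (not code posted by any participant) that dumps which roles each SCC role group carries and who is a direct member of it. It assumes the ExchangeOnlineManagement module is installed and that the group names in $groupsOfInterest exist in your tenant; the list itself is a constructed sample.

```powershell
# Added example: role group x role matrix for the Security & Compliance Center.
# Connect-IPPSSession opens the SCC (compliance) PowerShell endpoint; using
# Connect-ExchangeOnline instead would show the EAC role groups, which differ.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Constructed sample: leave the array empty to inspect every role group.
$groupsOfInterest = @('OrganizationManagement', 'ComplianceAdministrator', 'SecurityReader')

$roleGroups = Get-RoleGroup | Where-Object {
    $groupsOfInterest.Count -eq 0 -or $groupsOfInterest -contains $_.Name
}

# Normalise the Roles property to plain strings and take the union across groups.
$rolesOf = @{}
foreach ($rg in $roleGroups) {
    $rolesOf[$rg.Name] = @($rg.Roles | ForEach-Object { "$_" })
}
$allRoles = $rolesOf.Values | ForEach-Object { $_ } | Sort-Object -Unique

# One row per role, one column per role group; 'X' marks the role group holds it.
$matrix = foreach ($role in $allRoles) {
    $row = [ordered]@{ Role = $role }
    foreach ($rg in $roleGroups) {
        $row[$rg.Name] = if ($rolesOf[$rg.Name] -contains $role) { 'X' } else { '' }
    }
    [pscustomobject]$row
}
$matrix | Format-Table -AutoSize

# Show which of the selected groups would grant a sensitive role such as 'Audit Logs',
# so a custom Records Manager group can be built without bundling unwanted roles.
$sensitive = 'Audit Logs'
$roleGroups | Where-Object { $rolesOf[$_.Name] -contains $sensitive } |
    ForEach-Object { "{0} grants '{1}'" -f $_.Name, $sensitive }

# Direct members only: holders of the matching AAD admin role are NOT listed here
# (as the Get-RoleGroupMember comparison in this thread shows), so review both.
foreach ($rg in $roleGroups) {
    $members = Get-RoleGroupMember -Identity $rg.Name | Select-Object -ExpandProperty Name
    "{0}: {1}" -f $rg.Name, ($members -join ', ')
}
```

Export $matrix with Export-Csv if you want a spreadsheet to review against the role descriptions in the permissions documentation linked earlier in the thread.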

