In this chapter, we continue to explore the configuration of information protection within Microsoft 365. There will be an exercise that will require access to the Microsoft 365 compliance center with Global Administration rights. If you have followed the exercise from the previous chapters, you should by now have the relevant trial licenses; however, if you have not yet created this for Microsoft 365, please follow the instructions from Chapter 1, Preparing for Your Microsoft Exam and SC-400 Exam Objectives.
Identifying roles and permissions for administering sensitivity labels
It is important to give members of the IT administration team the relevant permissions to allow them to create and manage sensitivity labels within the Microsoft 365 compliance center and, in some cases, from the older Security & Compliance Center.
All global admins can administer both the compliance center and the Security & Compliance Center by default. They can then assign the relevant permissions to the compliance officer or any other user without granting them access to the entire tenant. There are three roles to which you can add users that will grant them the relevant permissions to access both the Microsoft 365 compliance center and the older Security & Compliance Center:
- Compliance Data Administrator role group
- Compliance Administrator role group
- Security Administrator role group
As an alternative to the standard role groups, you can create a new role group and add the Organization Configuration or the Sensitivity Label Administrator role to it. If you want the new group to have read-only access, use the Sensitivity Label Reader role instead.
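The custom role group option described above can also be scripted in Security & Compliance PowerShell. The following is an added example, not taken from the book: it assumes the ExchangeOnlineManagement module is installed, and the account names and custom role group names are placeholders. It creates one group for label management and one for read-only access, then lists who holds rights through those groups and the three built-in role groups named earlier.

```powershell
# Added example. All UPNs and the two custom role group names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# One role group that can manage labels, one that can only read them.
$custom = @(
    [pscustomobject]@{ Name    = 'Custom Label Admins'
                       Role    = 'Sensitivity Label Administrator'
                       Members = @('labeladmin@contoso.example') }
    [pscustomobject]@{ Name    = 'Custom Label Readers'
                       Role    = 'Sensitivity Label Reader'
                       Members = @('auditor@contoso.example') }
)

foreach ($g in $custom) {
    # Create the group only if it is missing, so the script can be re-run safely.
    if (-not (Get-RoleGroup | Where-Object Name -eq $g.Name)) {
        New-RoleGroup -Name $g.Name -Roles $g.Role -Members $g.Members `
            -Description "Scoped to the '$($g.Role)' role only"
    }
}

# Built-in role groups from the chapter, compared with whitespace removed so
# that either naming form returned by Get-RoleGroup matches.
$builtIn = 'ComplianceDataAdministrator', 'ComplianceAdministrator', 'SecurityAdministrator'

# Membership review: every member of the broad built-in groups and the custom ones.
$report = foreach ($rg in Get-RoleGroup) {
    $key = $rg.Name -replace '\s', ''
    if ($key -in $builtIn -or $rg.Name -in $custom.Name) {
        foreach ($m in Get-RoleGroupMember -Identity $rg.Name) {
            [pscustomobject]@{ RoleGroup = $rg.Name; Member = $m.Name }
        }
    }
}
$report | Sort-Object RoleGroup, Member | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Reviewing the report on a schedule shows when someone who only needs to manage labels has been placed in one of the broader built-in role groups instead of the scoped custom group.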
In this section, we have explained the names of the different role groups you can assign to a user to grant them access to the compliance center. The following section of this chapter will describe the part played by Role-Based Access Control (RBAC).
Security & Compliance Center permissions
The Security & Compliance Center uses the same RBAC permissions model as Exchange Online. Therefore, if you are familiar with Exchange permissions, granting permissions in the Security & Compliance Center will feel very familiar.
Please remember that role groups in Exchange Online and the Security & Compliance Center do not share permissions or membership. However, both do have an Organization Management role group. You can find a list of compliance center role groups by navigating to Permissions & roles > Azure AD roles from within the Microsoft 365 compliance center, as shown in the following screenshot:
Figure 5.1 – Compliance center roles and permissions
Relationship between roles, members, and role groups
Three permission elements work together and form a relationship with regard to access rights:
- A Role gives permissions to perform a specific set of tasks. An example of this would be the “Case Management” role, which allows users to operate eDiscovery.
- A Role Group is a set of roles that enables users to do their jobs within the Security & Compliance Center.
- A Member is an individual user who can be added or assigned to the default role groups.
Figure 5.2 – Role, member, and role group relationship
Now that you understand the relationship between roles, members, and role groups, we will take a closer look at the specific role groups that are available within the Microsoft Security and Compliance Center and what features they give to members.