Role Required for M365 Management


Charles F Sullivan

Sep 11, 2023, 12:39:37 PM
to ntsys...@googlegroups.com
For someone to fully manage M365, it appears that the Global Admin Azure AD role is required. Am I correct, or is there a way to get more granular? Is more information needed for an answer?  

--

Charlie Sullivan

Principal Windows Systems Administrator

Orlebeck, Geoffrey

Sep 11, 2023, 12:51:26 PM
to ntsys...@googlegroups.com

I think that depends on how you define “fully manage”. There are areas of M365 where the Global Admin role does not have permissions, though GA would let you assign the relevant role(s) that can access those areas.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAEuHzznz5EB%2BxEyWrsq%2Beitquf5X-6j15t98i6G1MpU8%3DaTCLw%40mail.gmail.com.


Charles F Sullivan

Sep 11, 2023, 3:13:34 PM
to ntsys...@googlegroups.com
My concern is more like the reverse of that. We are hoping there are more granular ways to give a small number of users the ability to manage M365. 

Management is hoping to remove these users from the Global Admin role. So far, from what I'm reading, they would need that role, but I'm hoping someone here can confirm.

Michael B. Smith

Sep 11, 2023, 3:15:08 PM
to ntsys...@googlegroups.com

To the best of my knowledge, EVERYTHING can be delegated.


What specific activity(ies) lead you to believe otherwise?

Charles F Sullivan

Sep 11, 2023, 4:02:36 PM
to ntsys...@googlegroups.com
This is an example of the kind of thing I keep coming up with:
“Assign the Global admin role to users who need global access to most management features and data across Microsoft online services.”

Michael B. Smith

Sep 11, 2023, 4:05:41 PM
to ntsys...@googlegroups.com

That’s exactly like writing “if you are lazy and don’t want to chase down specific required permissions, assign domain admin to users who need global access to most AD and on-prem services”.


There are other ways.  😊


That’s why I asked if you had specific activities you had not been able to delegate.


Thanks.

Randy Hollenbeck

Sep 11, 2023, 4:10:42 PM
to ntsys...@googlegroups.com
Not using Global Admin to administer M365: they will not be able to make site-wide (global) changes.

Roles needed:

Authentication Administrator
Exchange Administrator
License Administrator
SharePoint Administrator
Teams Administrator
User Administrator

Need user and license to add licenses
Need Authentication Administrator to turn on and off MFA (will not be able to turn on/off any admin, including themselves)

If you want to configure MFA for non-admin users, only use Authentication Administrator role and if you want to configure MFA for all users including admin users, use Privileged Authentication Administrator role.

To give additional access that is not listed, see https://go.microsoft.com/fwlink/p/?linkid=2097861

1. In the admin center, go to Roles -> Role assignments.  Choose the Azure AD, Exchange, Intune or Billing tab to view the admin roles available for your organization.

After adding, verify by looking at the user and their permissions under Roles.
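The verification step above (who holds Global Administrator, and which of the delegated roles they already have) is easy to automate once you pull the role membership out of the tenant. The script below is an added example and is not code from the thread or from Microsoft: it takes a JSON document in the shape returned by Microsoft Graph for `GET /v1.0/directoryRoles?$expand=members` (the sample data is constructed, and the `example.test` users are placeholders), maps each user to their active directory roles, lists the Global Administrators, and for each one reports which of the six delegated roles from the post they already hold and which they would still need. Note that `directoryRoles` only reflects active assignments; PIM-eligible assignments do not appear there and would need the role-management endpoints instead.

```python
"""Audit Entra ID (Azure AD) directory-role membership: find Global Administrators
and compare them against the delegated roles that could replace the Global Admin role.

Input follows the Microsoft Graph response for GET /v1.0/directoryRoles?$expand=members
(trimmed to the fields used here). In production, fetch it with a token that has
RoleManagement.Read.Directory or Directory.Read.All; the data below is constructed.
"""
from collections import defaultdict

# Constructed sample of the Graph response (not a real tenant).
SAMPLE_DIRECTORY_ROLES = {
    "value": [
        {"displayName": "Global Administrator",
         "members": [{"userPrincipalName": "alice@example.test"},
                     {"userPrincipalName": "bob@example.test"}]},
        {"displayName": "User Administrator",
         "members": [{"userPrincipalName": "bob@example.test"},
                     {"userPrincipalName": "carol@example.test"}]},
        {"displayName": "License Administrator",
         "members": [{"userPrincipalName": "bob@example.test"}]},
        {"displayName": "Authentication Administrator",
         "members": [{"userPrincipalName": "carol@example.test"}]},
    ]
}

# The delegated roles named in the post as a replacement for Global Administrator.
DELEGATED_ROLES = {
    "Authentication Administrator", "Exchange Administrator",
    "License Administrator", "SharePoint Administrator",
    "Teams Administrator", "User Administrator",
}
GLOBAL_ADMIN = "Global Administrator"


def roles_by_user(directory_roles):
    """Map each userPrincipalName to the set of directory roles it is an active member of.
    Members without a UPN (service principals, groups) are skipped."""
    result = defaultdict(set)
    for role in directory_roles.get("value", []):
        for member in role.get("members", []):
            upn = member.get("userPrincipalName")
            if upn:
                result[upn].add(role["displayName"])
    return dict(result)


def global_admins(directory_roles):
    """Sorted list of users who currently hold Global Administrator."""
    return sorted(upn for upn, roles in roles_by_user(directory_roles).items()
                  if GLOBAL_ADMIN in roles)


def delegation_report(directory_roles):
    """For every Global Administrator, show which delegated roles they already hold
    and which of the post's six roles they would still need before GA is removed."""
    report = {}
    for upn, roles in roles_by_user(directory_roles).items():
        if GLOBAL_ADMIN not in roles:
            continue
        report[upn] = {
            "delegated_held": sorted(roles & DELEGATED_ROLES),
            "delegated_missing": sorted(DELEGATED_ROLES - roles),
        }
    return report


if __name__ == "__main__":
    print("Global Administrators:", ", ".join(global_admins(SAMPLE_DIRECTORY_ROLES)))
    for upn, detail in delegation_report(SAMPLE_DIRECTORY_ROLES).items():
        print(f"{upn}: holds {detail['delegated_held'] or 'none'}; "
              f"still missing {detail['delegated_missing']}")
```

Run it after each role change and the Global Administrator list should shrink as users pick up the delegated roles; if the tenant does not use Exchange, SharePoint or Teams, trim `DELEGATED_ROLES` accordingly so the "missing" column only lists roles that are actually needed.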



Charles F Sullivan

Sep 11, 2023, 4:53:13 PM
to ntsys...@googlegroups.com
Randy, I think that's exactly what I was looking for. We won't be using Teams, SharePoint or Exchange, so I should be able to put those aside. Much appreciated!

Michael, I agree with your point. That's why I didn't want to just assume there wasn't a better way.
