Office 365 Permissions (Azure Active Directory Roles)



This document outlines the Azure Active Directory roles that relate to the Office 365 suite of SaaS applications and that enable a Zilla Admin to perform Office 365 permissions access reviews.

In this guide you will learn:

  1. Which specific Azure Active Directory Roles exist relating to Office 365 SaaS cloud applications.

  2. How to define and view Office 365 Privileged roles within the context of Azure Active Directory within the Zilla product.

  3. How to run a privileged Access Review campaign for Office 365 using the Azure AD instance in Zilla.

Roles and Groups in Office 365


Roles and Groups in Office 365 are managed by assigning Office 365 specific Azure Active Directory Roles and Permissions.

Office 365 specific Admin roles such as “Exchange Administrator” or “Teams Administrator” can be assigned to users in Azure AD who will be responsible for these Office 365 applications.

An access review for Office 365 applications is performed within the context of an Azure Active Directory Role Based review.

An Azure Active Directory Global Administrator has all rights to manage Office 365 applications.


Exchange Online (Email and Collaboration)

Microsoft Exchange Online is the hosted version of the Microsoft Exchange messaging service. Administrators log in to the Exchange Admin Center to manage the email system.


Common Exchange Online specific Azure Active Directory roles covered by Zilla Access Reviews:

  • Global Administrator (can manage the entire system)

  • Exchange Administrator (can manage all aspects of the Exchange Online product)

  • Exchange Recipient Administrator (can create or update Exchange Online recipients within the Exchange Online organization)

  • Hybrid Identity Administrator (can manage Hybrid AD to AAD provisioning, Azure AD Connect, and Exchange Server and Exchange Online Hybrid federation settings)

A Zilla Role Based access review of Azure Active Directory reveals the privileged permissions for Exchange Online.



SharePoint Online

SharePoint Online is Microsoft's collection of cloud-based web technologies used to store, share, and manage digital information.

SharePoint allows collaboration with external vendors or customers.

The Azure Active Directory Role “SharePoint Administrator” allows for full access management to all aspects of the SharePoint service.

A Zilla Role Based access review of Azure Active Directory reveals the privileged permissions for SharePoint Online.


Microsoft Intune

Microsoft Intune is a cloud-based service that provides Mobile Device Management and Mobile Application Management. The Azure Active Directory Role “Intune Administrator” can manage all aspects of Microsoft Intune.

A Zilla Role Based access review of Azure Active Directory reveals the privileged permissions for Microsoft Intune.


Microsoft Teams

A Zilla Role Based access review of Azure Active Directory reveals the privileged permissions for Microsoft Teams.

Privileged Access Review Office 365 in Zilla


The Zilla Administrator can run a Privileged Access Review (PAR) for Office 365 Admin permissions within the context of an Azure Active Directory Access Campaign.

The campaign below, named “Privileged Access Review Office 365”, is created and configured to target only AAD Roles that provide Office 365 Admin permissions, such as “Exchange Administrator”.


Once the campaign is run, the assigned reviewer will see the Admin permissions as shown below and will make the appropriate review decision.
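The scoping described above, as an added example that is not Zilla's code or export format: it filters a constructed list of Azure AD role assignments down to the Office 365 admin roles named on this page and groups them by application for review. The record layout, the sample users and the function name build_review_scope are assumptions.

```python
from collections import defaultdict

# Role-to-application mapping, following how this page groups the roles.
# "*" marks a role with rights over every Office 365 application.
O365_ROLE_SCOPE = {
    "Global Administrator": "*",
    "Exchange Administrator": "Exchange Online",
    "Exchange Recipient Administrator": "Exchange Online",
    "Hybrid Identity Administrator": "Exchange Online",
    "SharePoint Administrator": "SharePoint Online",
    "Intune Administrator": "Microsoft Intune",
    "Teams Administrator": "Microsoft Teams",
}
APPLICATIONS = sorted({a for a in O365_ROLE_SCOPE.values() if a != "*"})

# Constructed sample assignments (hypothetical users and record layout).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Global Administrator"},
    {"principal": "bob@example.com", "role": "Exchange Administrator"},
    {"principal": "carol@example.com", "role": " sharepoint administrator "},
    {"principal": "dave@example.com", "role": "Reports Reader"},
    {"principal": "bob@example.com", "role": "Teams Administrator"},
    {"principal": "erin@example.com", "role": "Hybrid Identity Administrator"},
]

def build_review_scope(assignments):
    """Return {application: sorted [(principal, role), ...]} for Office 365 admin roles."""
    # Match role names case-insensitively and ignore stray whitespace.
    canonical = {name.casefold(): name for name in O365_ROLE_SCOPE}
    scope = defaultdict(set)
    for entry in assignments:
        role = canonical.get(entry["role"].strip().casefold())
        if role is None:
            continue  # not an Office 365 admin role: outside this campaign
        target = O365_ROLE_SCOPE[role]
        # A Global Administrator must appear in the review of every application.
        apps = APPLICATIONS if target == "*" else [target]
        for app in apps:
            scope[app].add((entry["principal"], role))
    return {app: sorted(items) for app, items in scope.items()}

if __name__ == "__main__":
    for app, items in sorted(build_review_scope(SAMPLE_ASSIGNMENTS).items()):
        print(app)
        for principal, role in items:
            print(f"  {principal}: {role}")
```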

