Tutorial / Cram Notes
Managing roles in Microsoft 365 Admin Center is a critical task for ensuring effective administration and security of your Microsoft 365 environment. It involves assigning the appropriate permissions to users or groups within an organization to perform various administrative functions. In the context of the MS-100 Microsoft 365 Identity and Services exam, it is essential to understand the various roles and how to assign them appropriately.
Roles in Microsoft 365 are divided into several categories based on the level of administration they provide:
- Global administrator: This role has access to all administrative features in Microsoft 365. It’s the highest level of administrator role and should only be assigned to a limited number of people in an organization.
- Custom administrator roles: These include more granular roles like Billing Administrator, User Administrator, Exchange Administrator, SharePoint Administrator, and more. Individuals assigned to these roles can only manage features specific to their role.
- Directory roles: These roles are related to Azure Active Directory and include roles such as Application Administrator, Cloud Application Administrator, Password Administrator, and more.
- Privileged role administrator: This role can manage role assignments in Azure AD and manage access to administrative roles in the Microsoft 365 admin center.
To manage these roles in the Microsoft 365 admin center, follow these steps:
- Access the Microsoft 365 admin center: You need to sign in with an account that has admin permissions.
- Navigate to role management: Go to the “Roles” section to see a list of all available roles.
- Assign roles: To assign a role to a user, you can search for the user, select them, and then choose ‘Manage roles’. Here, you can assign or remove roles as needed.
- Create a custom role: In case you need a role that doesn’t exist, you can create custom roles with specific permissions in the Azure AD admin center.
Here’s an example of the steps involved in assigning a role:
- Navigate to the Roles page in Microsoft 365 admin center.
- Select the role you wish to assign, for instance, ‘Exchange Administrator’.
- Click ‘Assign roles’.
- Search and select the user or users you wish to assign this role to.
- Review and finish the assignment.
To help understand role assignments at a glance, you may use a table like this:
| User | Assigned Role | Permissions | Scope |
|---|---|---|---|
| John Doe | Exchange Administrator | Manages mailboxes, anti-spam policies, etc. | Exchange Online only |
| Jane Smith | User Administrator | Manages user accounts, resets passwords, etc. | All services |
| Bob Johnson | Billing Administrator | Manages subscriptions, purchasing, billing info, etc. | Billing only |
Best Practices for Role Management:
- Assign roles based on the principle of least privilege, ensuring that users have only the access they need to perform their job.
- Regularly review role assignments and adjust as necessary, especially when users change roles within the company or leave the organization.
- Consider using role groups to manage permissions for teams or departments more efficiently.
- Utilize Azure AD Privileged Identity Management (PIM) to manage, control, and monitor access within your organization by providing just-in-time access for certain roles.
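The periodic review recommended above can be scripted. The following PowerShell is an added example, not code from the original notes: it lists directory role members and flags Global administrator sprawl. The `-Live` switch assumes the AzureAD module and an existing `Connect-AzureAD` session; the sample accounts and the `MaxGlobalAdmins` threshold are constructed for illustration.

```powershell
# Added example (not from the original page): review directory role assignments.
# -Live assumes the AzureAD module and an existing Connect-AzureAD session;
# without it the script runs on the constructed sample rows below.
param(
    [switch]$Live,
    [int]$MaxGlobalAdmins = 2    # hypothetical policy threshold
)

function Get-RoleAssignment {
    # One row per (role, member) across the tenant's activated directory roles.
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role   = $role.DisplayName
                # Service principals have no UPN, so fall back to the display name.
                Member = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            }
        }
    }
}

# Constructed sample data (placeholder accounts, not real users).
$sample = @(
    [pscustomobject]@{ Role = 'Global Administrator';   Member = 'john.doe@example.com' }
    [pscustomobject]@{ Role = 'Global Administrator';   Member = 'jane.smith@example.com' }
    [pscustomobject]@{ Role = 'Global Administrator';   Member = 'bob.johnson@example.com' }
    [pscustomobject]@{ Role = 'Exchange Administrator'; Member = 'john.doe@example.com' }
    [pscustomobject]@{ Role = 'Billing Administrator';  Member = 'bob.johnson@example.com' }
)

$rows = if ($Live) { Get-RoleAssignment } else { $sample }

# 'Company Administrator' is the legacy display name of the Global administrator role.
$gaNames = 'Global Administrator', 'Company Administrator'
$ga = @($rows | Where-Object { $_.Role -in $gaNames })

# Finding 1: more Global administrators than the policy allows.
if ($ga.Count -gt $MaxGlobalAdmins) {
    Write-Warning "Global administrators: $($ga.Count) (limit $MaxGlobalAdmins): $($ga.Member -join ', ')"
}

# Finding 2: a Global administrator who also holds a narrower role. Either the
# extra assignment is redundant or the Global role is broader than the job needs.
$rows | Where-Object { $_.Member -in $ga.Member -and $_.Role -notin $gaNames } |
    ForEach-Object { Write-Warning "$($_.Member) is Global administrator and also $($_.Role)" }

# Full listing for the review record, sorted by role.
$rows | Sort-Object Role, Member | Format-Table Role, Member -AutoSize
```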
Understanding how to manage roles effectively in Microsoft 365 is imperative for any professional preparing for the MS-100 exam. It ensures you have the necessary knowledge to maintain a secure and well-organized Microsoft 365 environment.
Practice Test with Explanation
True/False: In the Microsoft 365 admin center, you can assign roles to users on a per-service basis.
- True
Explanation: In the Microsoft 365 admin center, you can assign roles to users on a per-service basis, enabling them to manage specific services.
True/False: A Global administrator in Microsoft 365 has fewer privileges than a Billing administrator.
- False
Explanation: A Global administrator has the highest level of privileges, including all the privileges of a Billing administrator and more.
True/False: Custom roles can be created within the Microsoft 365 admin center.
- False
Explanation: Custom roles cannot be created within the Microsoft 365 admin center; you can only use the predefined roles. Custom role creation is possible in Azure AD, not directly in Microsoft 365.
Multiple Select: Which of the following are built-in roles in Microsoft 365? (Select all that apply)
- A) Global administrator
- B) Compliance administrator
- C) Human resources manager
- D) Teams administrator
A, B, D
Explanation: Global administrator, Compliance administrator, and Teams administrator are built-in roles in Microsoft 365. Human resources manager is not a built-in role.
Single Select: Who has the ability to assign roles to other users in Microsoft 365?
- A) Any user in the organization
- B) Global administrators only
- C) Users with the User management administrator role
- D) Users with any administrative role
B
Explanation: Global administrators have the ability to assign roles to other users. Other administrative roles may have limited abilities to assign roles.
True/False: Role assignment in Microsoft 365 can be temporary and have an expiration date.
- True
Explanation: Though not directly through the Microsoft 365 admin center, using Privileged Identity Management (PIM) in Azure AD, roles can be assigned on a temporary basis with an expiration date.
Single Select: The “Reports reader” role in Microsoft 365 is used to:
- A) Generate financial reports
- B) Manage service requests
- C) Read service usage reports
- D) Read email content
C
Explanation: The “Reports reader” role allows a person to read service usage reports in Microsoft 365.
True/False: You need to be a Global administrator to reset passwords for all users in Microsoft 365.
- False
Explanation: Users with the Password administrator role can also reset passwords for non-administrative users.
True/False: A “User management administrator” can delete a Global administrator account.
- False
Explanation: A “User management administrator” cannot delete a Global administrator account; this task requires Global administrator privileges.
Single Select: To view and manage service health and maintenance status, which role is required?
- A) Service support administrator
- B) Global administrator
- C) Service administrator
- D) Helpdesk administrator
C
Explanation: The Service administrator role can view service health and manage maintenance status in the admin center.
Multiple Select: Which role(s) have permissions to manage service requests in Microsoft 365? (Select all that apply)
- A) Helpdesk administrator
- B) Global administrator
- C) Service administrator
- D) User management administrator
B, C
Explanation: Both Global administrators and Service administrators have permissions to manage service requests in Microsoft 365. Helpdesk and User management administrators do not inherently have this permission.
True/False: You can use the Microsoft 365 admin center to manage roles for Dynamics 365 and other Microsoft business applications.
- True
Explanation: You can manage roles for various Microsoft services including Dynamics 365 via the Microsoft 365 admin center, provided those services are part of your Microsoft 365 subscription.
Interview Questions
What is the Azure AD role-based access control model?
The Azure AD role-based access control model is a system that manages access to resources by assigning users and groups to roles, which determine the actions they can perform on the resources.
What is the difference between role assignments and role definitions in Azure AD?
Role definitions are a blueprint of the permissions and actions associated with a specific role, while role assignments are the actual mapping of users or groups to the roles.
How can you manage Azure AD roles using the Azure portal?
You can manage Azure AD roles using the Azure portal by navigating to the Azure AD directory, selecting “Roles and administrators” under “Security”, and then managing role assignments for built-in or custom roles.
How do you assign a role to a user in the Azure portal?
To assign a role to a user in the Azure portal, select the user, click on “Assigned roles”, click “Add assignments”, select the role, and then click “Add”.
What is the difference between directory roles and application roles in Azure AD?
Directory roles are built-in roles that manage access to Azure AD resources and services, while application roles are specific to a particular application and define what users can do within the application.
How can you assign an application role to a user in Azure AD?
You can assign an application role to a user in Azure AD by navigating to the Enterprise applications section, selecting the application, clicking “Users and groups”, selecting the user, and then assigning the appropriate application role.
What is Azure AD Privileged Identity Management (PIM)?
Azure AD Privileged Identity Management is a service that enables administrators to manage, control, and monitor access to resources within Azure AD.
How can you assign just-in-time access to a role in Azure AD PIM?
To assign just-in-time access to a role in Azure AD PIM, you need to create a role assignment policy, specify the role and its duration, select the users or groups who are allowed to activate the policy, and then activate the policy.
What is the PowerShell cmdlet for getting role assignments in Azure AD?
The PowerShell cmdlet for getting role assignments in Azure AD is Get-AzureADDirectoryRoleMember.
What is the PowerShell cmdlet for creating a custom role in Azure AD?
The PowerShell cmdlet for creating a custom role in Azure AD is New-AzureADMSRoleDefinition.
I found that managing roles in Microsoft 365 Admin Center was quite intuitive, but I had some trouble understanding the specific permissions each role entails.
For the MS-100 exam, it’s crucial to know the difference between Admin and User roles and their limitations.
Can someone explain the concept of Privileged Identity Management (PIM) in the context of Microsoft 365?
Appointing the right person for each role is crucial in avoiding potential security risks.
The Global Admin role has too much power. It’s best to limit this role to just a couple of users.
Thanks for the post!
Role-based access control (RBAC) is essential for any large organization using Microsoft 365. Exam MS-100 really hammers this point home.
Make sure to understand the least-privilege principle when setting up roles. It will be on the exam.