1. Understanding Role Based Administration
Let’s now talk about the concepts of assigning roles. Before we dive into roles, I’d like to point out that when it comes to environment security and access control, which is where we’re going with this, you’re trying to grant privileges and give access to resources.
And there have been different strategies over the years, going all the way back to the paper-based days where they had to assign rights over documents, determining who could open a file or see a file in hard copy, and all of that. Well, essentially these same methods that were used back in the paper-based days have sort of made their way into the digital world as well. There were three main models that were made years ago. The first was called Mac Mandatory Access Control, which is all about giving access based upon the level of security clearance you had in an organization. So, if you think about the military having secret and top secret military DoD, having classification labels, and so on, that’s an example of the Mac model, or the Mandatory Access Control model. There’s another model called DAC, which stands for discretionary access control, and it involves giving access based on ownership.
So if you are the owner of something, you can give access based upon that. All right? So it’s sort of like how we have groups in the Microsoft 365 environment, and we have owners of those groups, and owners of groups can put people in other groups. It’s sort of an example of that. And then the Mac model actually involves things like sensitivity labels in Microsoft 365. So actually, Microsoft 365 Azure uses both of those models. Well, there’s actually a third model, and this third model is called RBAC, or role-based access control.
And this is exactly what I’m here to explain to you quickly. So RBAC is the main model that is used for giving out administrative control or administrative roles. As a result, in Azure and Microsoft 365, your users begin as regular Joes. If they are someone who is supposed to have administrative privileges, you can then assign them administrative privileges. Okay? So our back-end role-based access control is all about basically having this thing called a role. A role is an object that assigns privileges to our users in our Azure and Microsoft 365 environments. So, for example, if you are the one who started your subscription, you are called the global administrator. And that is the most powerful role you can have. As I always like to joke, you have intergalactic cosmic powers over your tenant if you are the global administrator role.
However, there are other roles that grant different rights that you can give depending on whether you’re trying to administer Exchange, SharePoint, or any of the other services, and you get into things like Intune. All these different services have roles associated with them. And what happens is you assign your user group to the role, and then at that point you have been given rights to those users, right? And that’s the idea. And the concept here is to make sure that the privileges that a user is given are very well documented and very well controlled. And I think Microsoft has done a really good job in conjunction with that. When they created roles, they definitely followed a method that I think was a lot better than the way it was back in the on-premise days with Active Directory.
The problem you ran into with the on-premises ActiveDirectory was that you would create groups, which essentially were meant to sort of be like roles in a way. You could create a group that had a bunch of privileges. The problem was that there was nothing that really tracked what those groups could do. You could create a group, add people to it, and assign that group to 50,000 different things in your environment—different servers and files—but nothing really tracked what all the privileges that particular group had. So you’re going to find that with our previous Microsoft roles, everything is very well documented. So, when you go look at your role, you can see every privilege it has, as well as everyone who has been granted it. Another feature that’s really great with RBAC is that you have a thing called PIM, which is known as “privileged identity management,” which allows you to essentially do something called “just-in-time administration,” which is really cool.
And the goal here, when it comes to this sort of thing, is that you’re trying to utilise something known as the principle of least privilege. Isn’t the principle of least privilege to always give out the fewest rights while still allowing someone to do their job? So if you’re an administrator over just teams, you’re the teams administrator, and then I’m not going to make you the global administrator, right? I’m not going to give you too many rights if you’re just the exchange administrator, and you’re not supposed to have access to SharePoint and all of that. I’m going to make you an exchange administrator if you’re just the person who manages SharePoint. I want to do that. I want to give you SharePoint administrative privileges, but not too many privileges. And for big companies, that’s especially important.
You have a lot of administrators, and it can get really tricky to keep track of everything people can do if we don’t have a very well organised system such as what we have with RBAC, or role-based access Access Control.Speaking of PIM, again, this privileged identity management, one of the great things you get with Just-in-Time Administration is the ability for a user to temporarily gain power if necessary. This is really great because—let me give you an example. Let’s say I’m going out of town. Maybe I’m the head administrator for something and I need to delegate temporary authority, perhaps over teams or something. So I’m going to be going on vacation, and I’ve got a junior administrator that needs to be able to get in there and do some administration stuff while I’m gone, or may need to do administration stuff while I’m gone. Maybe the person doesn’t. But you know what I can do?
I can use PIM to basically say, “Okay, this junior administrator can gain access to this particular role for just the next seven days or whatever.” And so if the person needs the privilege, they can get it temporarily; they can get it and use it. And the other great thing is that it will expire. So there’s no forgetting to remove the privilege or any of that. After the week is up, it’ll just automatically go arily; theyThat is one of the wonderful aspects of Pin. Another advantage of this is that they are audited. Everything they do is being audited. So you have a great way to sort of just check the log to see what they did. Okay, but essentially, that is what RBAC is. That’s the general understanding of what RBAC is. And now you should be ready to jump into roles and take a look at the different roles that matter in regards to what we’re looking at here.
2. Assigning Microsoft Teams Admin Roles
Okay, so let’s now take a look at the different admin roles that we have involving teams. OK, so here we are in admin dot Microsoft.com, also known as portal dot Microsoft.com. Now if you look over here to the left, you may not see roles show up, but if you click “Show All,” you should be able to see the little roles right here. So you can then click that blade. And then, instead of scrolling down to the list of roles here, you can probably just search for the wordteams, and you should see your roles. Keep in mind that sometimes it’ll be kind of collapsed and minimised so that it only shows one or two roles, and then you can click “Show All” and it’ll show all the roles here. So here are your different roles. Now I want to show you that Microsoft has a really good knowledge base article on what all these roles do. It’s even more detailed than what you get just looking at it here. So I’d like to quickly open that. Simply type “Teams admin roles” into Google, and you’ll find it right here, in this very first article. So if you click on this article, it gives you a nice breakdown of the roles.
So we’ll take a look at those. The other thing you’re going to notice is that when they list these out, they sort of list them out from most powerful to least powerful, okay? The most powerful role in faras teams is team administration. You have the team service administrator, and they basically tell you that as a team service administrator, you can do everything as far as teams go. You can manage the team service and create Microsoft 365 Groups, manage meetings, and manage the voice side of things. Calling policies, messaging policies, and the wide settings involving teams manage themselves and organise themselves. Manage team-certified devices. You can view their user profiles, troubleshoot problems, and call them. You can access the Teams AccessMonitor reports and troubleshoot your tenant’s call quality. You can publish apps through the app catalog. There are just a lot of things there. You can do pretty much anything you want involving teams. The Teams Communications administrator is listed below that. So this is for managing the calling-in features of team meetings.
So you can manage meetings, including the meeting policies. Voice calling policies, phone numbers, inventories, and assignments can all be managed. You can view their profile, troubleshoot, and call quality, as well as connect to the team’s public switch telephone network. That’s the PSTN block user report. You can track, troubleshoot, and improve call quality. So that’s sort of a step down. and you can tell by its name. If you just think about its name, this kind of helps you wrap your brain around it. Team Communications Administrator Okay, whereas this first one is the team services administrator. That’s the whole service. This is for communications. You’ve also got teams, communications, support, and engineering. Okay, so this is one step down, and this is somebody who is going to be able to troubleshoot communication issues with teams. And they can also use advanced tools. You have some other tools you can utilize—third-party tools, things like that—that can be utilised for trying to be able to provide support for communication. So you have to view the user profile and troubleshoot call quality.
You can use the call quality dashboard to monitor and troubleshoot tenant call quality. This is where you use your advanced tools. And then, lastly, we have the team’s communication support specialist. All right, so this is another step down. Here is the final step. So you can access the user profile page, troubleshoot calls, access analytics, view some of your user information, and assess monitoring and troubleshoot tenant call quality using the call quality dashboard, but you don’t get access to the full scope of features like you do with the team’s communication support engineer. So you’ll notice here that you have access to advanced tools as a team’s communication support engineer, but with the specialist, you just get access to basic tools. The only other thing I want to mention here is that if you ever want to control some of the stuff, you still have to use the PowerShell for Business module for some of the commands.
We talked about that in one of our previous lessons, getting access to that and then also PowerShell for Microsoft Teams, and then the Teams Admin Center is also going to be where you’ll manage stuff for one of these roles. Okay? All right, so if we jump back over to the portal here, another thing you can do to look at these roles is you can click on one of them, like “team service admin,” and it gives you some information here on what it can do. You can click on “assigned admins” and see who’s been assigned, which at this point is nobody. And then you can click Permissions and see all the permissions that you have. So this is one of the things I really love about roles in Microsoft: they’re really good about showing you the permissions that the roles actually have. So I can see these different permissions. Here is what you can manage, create, delete, modify, and read. And you can do that with each one of these.
So I can click on the support specialist and see their permissions, the support engineer and see their permissions, and the communications administrator and see their permissions. Now if I want to give access, I can go over here, click on one of these teams, and I can click assigned admins, click Add, and then I can assign somebody I want to give access to this. So, for example, if I wanted to grant Greg Johnson admin access to Team Service, I could enter Greg Johnson’s information and click Save. Alright. Now, I’d also like to show you, over on the Azure side of things, how this looks as well. So let’s take a look over there. Let’s go to Portal Azure.com.All right. And once you’re on PortalAzure.com, you’re going to click on Azure Active Directory. And if you don’t see it in that menu bar, just click the menu button here, and you’ll see it right here.
Okay. And then here it is: roles and administrators. All right. So from there, you can scroll down and find your same roles, okay? so you can click on the role. All right. You can then go here and click “Description.” They give you a description, and you can also see all the permissions. One interesting aspect of this is that it shows a direct path on the components that are managed through your teams using the role, rather than just a broad overview. So sometimes it’s good for you to kind of look at it from both angles, to look at the exact permissions you get. And I believe that jumping back and forth can sometimes help you gain a better understanding. There are also articles that you can read. But that Knowledge Base article I showed you guys is probably going to be one of your best ways to do that. But I definitely encourage you, since you’re studying for an exam, to be familiar with the different roles. Kind of go through and read yourself through some of those different roles and their privileges and get a decent understanding of what they can and can’t do and help yourself wrap your brain around it, all right? But hopefully this helps you understand.
3. Creating and Managing Compliance Features, Including Retention and Sensitivity
I’d like to now talk to you about sensitivity and retention involving teams. But I would also like to add that earlier in the course, during the Implement, Governance, and Lifecycle Management area, we covered configuring Office 365 groups for Microsoft Team Classification. You need to make sure you’ve seen that video before you start. This is sort of a prerequisite for everything else to make sense. So just make sure you watch that. If you haven’t already, you need to go back and watch that video. Okay? All right, so let’s get started and dig in here. So the first thing I’m going to do is go to PortalMicrosoft.com, also known as Admin Microsoft.com, and get to an area called the Security and Compliance Center, which is where we’re going to manage all of this.
Okay. So you can click “Show all here,” and we’re going to click “Security,” and that’s going to bring us into Security and Compliance. All right. From there, you have a little drop-down menu called “Classification,” and you’ll see some different options here. So you have sensitivity labels, retention labels, and sensitive infotypes. Okay? So first off, sensitivity. Sensitivity of course gets into figuring out, well, what information in our environment is considered sensitive and how we want to react when somebody is utilising sensitive information. Especially in situations where someone may be attempting to share sensitive information with someone else. So, for example, in teams, maybe somebody posts a document in a team channel or something that has sensitive information in it, or perhaps somebody emails a document that has a sensitive piece of information in it, or somebody posts it in SharePoint or whatever. We’ve got to have a way to deal with that. The first thing to do, of course, is to figure out what is considered sensitive.
So if we look at sensitive infotypes, you’ll see that Microsoft has a tonne of sensitive infotypes here that they’ve already created for us. And this will involve a lot of legislation and things like that, but you’ve got things like US bank account numbers and driver’s licence numbers and all that. This uses a thing called Regex, also sometimes pronounced Reg X, which is a pattern recognition system. You can actually create your own as well, though we don’t get into a lot of depth on creating your own in this particular course. It is something you can do, or you can use the ones that are already built in, which cover the majority of everyone’s bases. Okay, let’s go over here to sensitivity labels now, and I’ve already got some labels created. So private, unclassified, and top secret. And if we want to create another label, we can simply click to create a label, and then you have to give it a friendly name.
Okay, so “Let’s call it Business Confidential” could be a friendly name. All right, so give a description. This is a business-related, confidential piece of information. All right, so then we’ll click next. I’m not going into all the encryption details right now, but this is where you can control whether or not it’s forcibly encrypted, and you can specify a watermark to appear on a sensitive document. You can have a header show up at the top of the footer. You can adjust colour settings and everything else—font size, for example—and there’s a lot of stuff there you can do that’s kind of cool. Then there’s sight and group. Now this is where it’s kind of important that you’ve done the prerequisites that I mentioned in one of the earlier videos, because you may not see this if you have not. But this gets into your site and group settings. This is going to tie this to an Office 365 group, so of course teams can pick it up on it.
Alright, so you have public, private, and none. This goes back to what we’ve already learned about involving a public group, a private group, or none at all, which means letting users choose who can access the site. All right, so you can specify what you want here as far as your teams, your SharePoint, and all that stuff goes. I can choose private if I want. I can say external users; let Office 365, group owners, and people outside the organisation basically get added to the group. You have the option of specifying this or not. Allow full access from desktop apps, mobile apps, and the web; allow only limited, web-only access. And then you can just say “block altogether.” So if it’s an unmanaged app—if it’s an app that is not being managed through your Microsoft 365 and Azure Services unmanaged device—then you can just completely block it if you want. Okay, so the device has to be linked to the cloud, join the cloud, and all that.
Or you can say “full access” if you want. You can also do auto-labelling of this document that somebody’s working with. Remember that you must have a five in order to do auto-labeling. Auto-labelling is not supported by the first three subscriptions. Manual labelling is, but automatic labelling is not. So automatic labeling is where it’s going to essentially try to detect it. If it contains some information, we might have some sensitive information. And here’s where we get to choose, right? So I can go through here and say the credit card number. Let’s see; let’s just go down to the US area here. We’ll say bank account, driver’s license, tax ID, and Social Security number, and we’ll click Add. Okay? And then it’ll match based on accuracy. That’s the pattern recognition of the numbers and how close it is. You can also specify an instance, which indicates how many instances it must detect before flagging it.
If you want All right, so you can specify that you can have more than one group of these if you want. All right, then this is just called the default group, but you could actually have different groups. You can create another group of these down here if you want. So when content matches these conditions, automatically apply the label or recommend that it be applied. So you can choose to have the label display this message to the user when the label is applied, so you have a specific message that’s going to display on their screen. All right. So anytime they are working with one of these documents, it’ll automatically label it. Okay? So at that point, I can go in here and create my label. And keep in mind that it can take up to 24 hours before this all takes effect. The label will be created. Then what you’ve got to do is publish the label. You can either do that here or label policies; it doesn’t matter. You’re going to do it in the same place.
Okay, so when you get in here to publish, let me go back and do that again. Publish the label, then select Sensitivity. Label andyou’re going to select the one youwant, which is this one here. Click “add” followed by “next.” Specify who you want to apply it to if you want to do it for specific groups or users. Okay, I don’t want to automatically—I could say automatically by default—apply this label by default to all documents and emails. I’m not necessarily going to make all documents and emails for business confidential.
That’s more along the lines of something like “unclassified” or “classified.” You want this document and you want every document to always have a label, so that is when you would select that. Users must provide justification to remove the label. So if we’re going to allow somebody to remove the label, they have to have justification. Require users to apply a label to their emails or documents. This means that every user is compelled to use a label. So you have to make sure that if you do that, you’ve created sensitivity labels for everything—for unclassified, for classified, for everything. Provide the user with a link to a custom help page. This is useful if you’ve created a SharePoint site and want someone to be able to read about labels on it. Microsoft actually has some articles about this too. You could actually provide a link for that if you wanted. So then, when you’ve done that, you click Next, and you give the policy a name. Okay, so I’m just going to say “business confidential policy.” All right, then I’m going to click next, and I’m going to click to submit.
And I’ve started using it. And again, this can take up to 24 hours before it takes effect. Okay? So just keep that in mind. All right. So that is how your sensitivity labels are going to be managed. Let’s look at retention labels now. So we’ll come over here to retention labels, and we’re going to click to create a retention label. Now, the retention label is going to include exactly how long this is all going to be managed, okay? And basically, this little yellow note here is now telling you that you can actually manage this through their regular compliance centre too. So you can do it through security and compliance. And then there is also a compliance centre as well. When they say compliance center, they’re referring to this thing here, which they’ve added since the recording of this video so that you can now manage it through here as well, okay, so it could be managed in either place. So, I’m just going to call this retention. and I’m going to click next.
And from here, I can specify some information you can give. If you have a file ID description, you want to specify a reference ID for your files. You can specify that. You can categorise a business function and choose who has authority over it (legal, regulatory, etc.). This is really just meta information that you’re putting in there for provisioning if it’s applied to one of these particular pieces of legislation: Sarbanes-Oxley, Truth in Lending, or HIPAA.
You can specify those, okay, but really the nuts and bolts to this whole thing are right here. So I can say, “Turn on retention,” and maybe I am trying to do Sarvanes Oxley. And you’re only allowed to hold onto the document for seven years or whatever. Here’s what you would do with that for as long as seven years, and then I can say what to do with it. Delete the content automatically after seven years and trigger a disposition to notify these people. And this will help people make decisions about what to do with it. Nothing. Leave the content as is. Or you can also say, instead of saying “retain content,” “don’t retain this content, just delete it if it’s older than X amount of years.” Okay? So you can choose, and for the most part, it’s pretty self-explanatory as you can see based on these different options. So from there, it says to retain or delete the content when it was created. So this is nice because this used to be the only option when it was created.
So if it was created seven years ago and people have modified it over the years, that’s a problem because people are still using the document. But if it was last modified seven years ago, that’s maybe when I would want to do it. Or I can also say when it was labeled, if a label or a specific event was provided. And then at that point, you can choose what’s called an event type, like employee activity, expiration, or maybe product lifetime. So you’re going to play around with your options there. By the way, you can actually create specific types of events. But I’m going to go with when it was modified, all right? And then it says to use labels to classify content as a record. If you want to have it now classified as “hey, this is a record,” after that you can say that it’s happened. So at that point, a label gets placed on it. And then at this point too, after seven years, if a document has not been modified after seven years, then it can be deleted automatically. Okay? Or again, you can let a disposition go. So somebody is going to get an email, all right. However you want to do it, In some states, though, you have to have it deleted after seven years.
So it’s going back to things like socks, Sarbanes-Oxley, and all that. So at that point, I can click next, and then I can click to create the label, and my retention label will officially get created here. Once that’s done and created, you then come over here to label policies, where you can click on “Publish Your Label” and then choose your label. It’s basically the same thing as what you did with sensitivity labels. Okay? And just a forewarning, I have noticed that sometimes, with these trial tenants, it will throw an error on retention labels. So sometimes that does happen. You may have to try it a couple of times to get it to stick, but every once in a while that will happen with retention labels. But ultimately, you come up here, click “Publish Label,” and you should be able to then apply the label. And that is how you are going to apply your retention labels. So it’s a matter of your client, your machines being connected to the cloud, accessing things in the cloud via Office 365 and Teams, and anything working with documents involving our cloud from there. These policies can be applied to that.
