How to lock down Office365 Global Admin access with managements scopes.

Posted on by
I have not posted a blog entry in quite some time, I have been crazy busy working for my new employer Evros and busy with my kids. I hope this blog will prove useful to anyone out there that follows my blog and promise a lot Blog posting to follow focusing on data protection, advanced threat analytics and AZURE

To help describe why an enterprise would like to lock down global admin access, I would like to describe a typical enterprise organisation and scenario.

Contoso.com is an enterprise organisation that consists of 15 companies. 
Contoso.com is the root AD Forest of the organisation and all other companies have their own child domains.
Contoso.com is the head office of the organisation and are responsible for data protection and governance within the organisation.
AD Connect synchronizes the root forests and child domains.

Contoso would like to remove global admin privileges from ICT Admin staff in one of the organisation’s companies Fabrikam and grant the ICT admin staff some custom Exchange Online administration privileges. The Fabrikam ICT admin staff must also have the ability to log Office365 service requests.

The following steps are required to lock down the Fabrikam ICT staff access to Office365 as per Fabrikam’s parent company Contoso’s new security and data protection policies.

#####################Exchange Management Shell############################
####Create Management Scope
New-ManagementScope -Name “EO-FABRIKAM” -RecipientRestrictionFilter {customattribute10 -like “FABRIKAM“}
####All mail enabled objects  in the Fabrikam child domain will have the value ‘Fabrikam’ added to Active Directory attribute: Extenstionattribute10
####Create a Role Group
New-RoleGroup -NameEO-FABRIKAM-Roles “User Options”, “Address Lists”, “Distribution Groups”, “Team Mailboxes”, “Mail Recipients”, “Reset Password”, “Mail Recipient Creation”, “Message Tracking”, “Move Mailboxes”,”Migration”,”Retention Management”,”UM Mailboxes”, “UM Prompts” , “Unified Messaging”    -Members “EO Fabrikam Admins” -CustomRecipientWriteScopeEO-FABRIKAM-ManagedBy “Organization Management”

####Note: When assigning the members to a security group. The security group must be a mail enabled security group.

####################Windows Azure Active Directory###########################
 

Function

Commandlet

Import CSV

$Users = Import-Csv CSV PATH

Assign Role

$Users | ForEach-Object {Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName “Service Support Administrator”}

####Note: It is not possible to assign service administrator roles per security group

############################Summary####################################

Fabrikam ICT admins can access the Exchange Online Control Panel via this URL: https://outlook.office365.com/ecp
Fabrikam ICT admins can log Office365 service request via this URL:

https://portal.office.com/support/support.aspx

#############################Next Steps##################################
The next steps would be to create similar management scopes and role groups for SharePoint Online and Skype for Business. (New Blog Post to Follow)
Once Contoso have locked down access for all the companies within their organisation the next step will be developing compliance and governance policies in the Security and Compliance center in Office365



Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s