To explain why an enterprise would want to lock down global admin access, I will describe a typical enterprise organisation and scenario.
Contoso.com is an enterprise organisation that consists of 15 companies.
Contoso.com is the root AD Forest of the organisation, and all other companies have their own child domains.
Contoso.com is the head office of the organisation and is responsible for data protection and governance within the organisation.
AD Connect synchronizes the root forests and child domains.
Contoso would like to remove global admin privileges from the ICT admin staff in one of the organisation's companies, Fabrikam, and grant those staff some custom Exchange Online administration privileges. The Fabrikam ICT admin staff must also be able to log Office365 service requests.
The following steps are required to lock down the Fabrikam ICT staff's access to Office365 in line with the new security and data protection policies of Fabrikam's parent company, Contoso.
####################Windows Azure Active Directory###########################
Function: Import CSV
Commandlet:
$Users = Import-Csv "CSV PATH"

Function: Assign Role
Commandlet:
$Users | ForEach-Object {Add-MsolRoleMember -RoleMemberEmailAddress $_.UserPrincipalName -RoleName "Service Support Administrator"}
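The role assignment above does not by itself take global admin away, so the following added example (not part of the original post) checks each CSV user against both roles and, if switched on, removes them from global admin. It assumes an existing Connect-MsolService session, that the CSV's UserPrincipalName matches the address MSOnline reports for the role member, and uses constructed sample addresses; `$ApplyChanges` and `Get-RoleHolder` are hypothetical names.

```powershell
# Added example. Assumes the MSOnline module is loaded and Connect-MsolService
# has already been run by an account allowed to manage directory roles.
$ApplyChanges = $false   # hypothetical switch: $false reports only, $true removes

# Constructed sample rows; replace with: $Users = Import-Csv "CSV PATH"
$Users = @'
UserPrincipalName
ict.admin1@fabrikam.example
ict.admin2@fabrikam.example
'@ | ConvertFrom-Csv

# Return the e-mail addresses of everyone currently holding a role.
function Get-RoleHolder {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' not found in this tenant." }
    @(Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object -ExpandProperty EmailAddress)
}

$globalRole  = 'Company Administrator'   # MSOnline name of the global admin role
$supportRole = 'Service Support Administrator'

if ($ApplyChanges) {
    $holders = Get-RoleHolder $globalRole
    foreach ($u in $Users) {
        # Only touch users who actually hold the role, so reruns are harmless.
        if ($holders -contains $u.UserPrincipalName) {
            Remove-MsolRoleMember -RoleName $globalRole `
                -RoleMemberEmailAddress $u.UserPrincipalName
        }
    }
}

# Re-read membership after any change and report the end state per user.
$globalNow  = Get-RoleHolder $globalRole
$supportNow = Get-RoleHolder $supportRole
$Users | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        StillGlobalAdmin  = $globalNow  -contains $_.UserPrincipalName
        HasSupportRole    = $supportNow -contains $_.UserPrincipalName
    }
} | Format-Table -AutoSize
```

The target state for every row is StillGlobalAdmin = False and HasSupportRole = True; any other combination means the lockdown is incomplete for that account.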
############################Summary####################################
Fabrikam ICT admins can access the Exchange Online Control Panel via this URL: https://outlook.office365.com/ecp
Fabrikam ICT admins can log Office365 service requests via this URL: