One of the difficulties for many records managers new to Microsoft 365 is that they may not know or have access to everything they need to know to manage records in that environment.
This post provides an overview of the accounts, licences and roles that may be needed to manage records in Microsoft 365.
As will be seen, a good understanding of both (a) the options provided with different licence types, and (b) the roles and what access or functionality they provide, is essential. The simplest options may be summarised as follows:
- Technically skilled or qualified records and information managers, including those who previously administered EDRM systems, could become SharePoint admins (an assigned role), ideally with a cloud-only account in addition to their normal user account.
- Records and information managers with broader compliance-type responsibilities, including the requirement to access detailed audit logs, search across all content, establish and run eDiscovery cases, create and apply DLP policies, create and apply records retention labels and policies, and create and apply information protection labels, should be assigned the role of Compliance Admin or Compliance Data Admin. They should also be assigned the Global Reader role to be able to access reporting and details of all settings in the various admin portals. If there is sensitivity about this access, they could instead be assigned the Reports Reader role which provides access to (and the ability to download) usage reports in the Microsoft 365 admin portal.
- Records and information managers who need to do most of the above excluding access to audit logs and some other features could be assigned the roles of Records Administrator and Reports Reader.
Accounts and licences
To access Microsoft 365, anyone will need an active Active Directory (AD) account and, except for Global Admins, a Microsoft 365 licence.
Microsoft 365 accounts may either (a) be synced from on-premises AD to Azure Active Directory (AAD), or (b) be cloud-only (typically used for admin accounts), as described below.
Global Administrators (GAs) have access to all parts of Microsoft 365. It is unlikely that records or information managers will be GAs. In organisations that outsource their IT, the IT provider will usually be the GAs, further limiting internal access and knowledge.
Microsoft recommends (‘Protect your Microsoft 365 Global Administrator accounts’) that (a) there should be no more than four Global Administrator (GA) accounts, and (b) GA accounts should always be created in the cloud and not be privileged accounts synced from AD. This is not always the case.
GAs do not need a Microsoft 365 licence.
In the same link above, Microsoft notes that ‘you should consider whether additional accounts with wide-ranging permissions to access the data in your subscription, such as eDiscovery administrator or security or compliance administrator accounts, should be protected in the same way’ – that is, created as cloud-only accounts.
These administrator accounts include the following:
- Exchange Online administrator
- SharePoint/OneDrive administrator
- MS Teams administrator
- Security administrator
- Compliance administrator.
Note that certain ‘admin’ roles may be created to provide access to parts of the Compliance admin portal. These roles, which may not necessarily require a cloud-only account, are described under the ‘Roles’ section below.
Cloud-only account names should include a user ID so that the actual person assigned to, and using, the account can be identified, including in audit logs. For example:
Suitably qualified or skilled records and information managers, especially EDRMS admins, could be assigned either a SharePoint admin or Compliance admin account.
- To be clear, this means that records and information managers should ideally have two separate accounts: (a) an admin account with a specific role (see below), and (b) their normal account.
- Note that being assigned an account doesn’t provide any access yet. The account holder still needs a licence and a role.
Some organisations do not follow Microsoft’s advice and don’t create separate admin accounts for SharePoint/OneDrive, Exchange, Teams or Compliance/Security admins. Instead, they assign roles to normal end-user accounts (see below). This may be partly to reduce licensing requirements.
With the exception of the GA account, all other accounts must be assigned a licence to access the relevant parts of Microsoft 365. For example, a SharePoint admin needs a licence that includes access to SharePoint.
The type of licence that is assigned will affect what options the account can access. From a records and information management point of view:
- E5, or the E5 Compliance add-on (for specific users), provides the highest level of recordkeeping functionality including all the options in the Compliance admin portal including Data Classification, Audit, Content Search, Advanced eDiscovery, Data Loss Prevention, Information Governance, Information Protection, and Records Management (including auto-application of labels based on trainable classifiers or SharePoint Syntex, and Dispositions).
- E3 provides a basic level of functionality – mostly the ‘Information Governance’ part (retention labels, label policies and retention policies) of the Compliance admin portal (access to which requires a role – see below) and some other parts such as Audit (logs), Content Search, Data Loss Prevention, Information Protection, and eDiscovery.
See ‘Microsoft Information Governance in Microsoft 365’ for more details of what is provided in the Compliance admin portal.
So, to summarise this section, records and information managers will need the following at a minimum to be able to manage records in Microsoft 365:
- An admin account, or their normal account assigned a specific role (see below)
- A licence (E5 or E3)
A licensed account will not provide access to anything more than the basic options available to all users until the account has been assigned a role.
There are multiple roles in Microsoft 365 for a wide range of tasks.
Roles and custom roles (and ‘role groups’ that contain sub-roles) may be assigned to accounts via:
- The Azure AD admin portal (~ 77 pre-defined roles, most of which are repeated in the two dot points below)
- The Microsoft 365 admin portal via ‘Role assignment’ (shows everyone who has been assigned that role) or applied directly on accounts (~ 64 Azure AD roles and ~ 13 Exchange admin roles)
- The Compliance admin portal under ‘Permissions’ (9 Azure AD roles and 49 ‘Compliance centre’ roles). Same roles as the Security admin portal.
- The Security admin portal under ‘Permissions and roles’ (9 Azure AD roles and 49 ‘Email and collaboration’ roles). Same roles as the Compliance admin portal.
Microsoft notes that ‘admin roles give users permission to view data and complete tasks’ and therefore recommends that you ‘give users only the access they need by assigning the least-permissive role’.
Most roles can be assigned to user accounts from either the Azure admin portal or the Microsoft 365 admin portal. Only the most common roles are listed below; most of the other roles can be viewed from the section ‘Show all by category’ below that listing. When a role is assigned to an account, the ‘Admin’ icon appears in the list of apps available to that account in office.com.
Organisations will need to decide what roles will be assigned to what accounts. The licence assigned to that account may affect what options the account can access through the role they are assigned to.
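The two recommendations above (no more than four cloud-only Global Administrator accounts, and least-permissive roles for everyone else) are easiest to verify from PowerShell rather than by clicking through each portal. The following script is an added example and is not part of the original post; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can read directory role assignments. The role display names are the Azure AD built-in names; the list of roles to report on is this example’s own choice.

```powershell
# Added example (not from the original post): report who holds the admin roles
# discussed in the post, flag more than four Global Administrators, and flag
# privileged accounts that are synced from on-premises AD rather than cloud-only.
# Assumes the Microsoft.Graph module and read access to directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Azure AD built-in role display names relevant to records and information managers.
$rolesOfInterest = @(
    'Global Administrator',
    'SharePoint Administrator',
    'Compliance Administrator',
    'Compliance Data Administrator',
    'Global Reader',
    'Reports Reader'
)

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a role that has never been assigned simply does not appear in the report.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    if ($rolesOfInterest -notcontains $role.DisplayName) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; only users are resolved here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            # OnPremisesSyncEnabled is $null for accounts created in the cloud.
            CloudOnly         = -not $user.OnPremisesSyncEnabled
            Enabled           = $user.AccountEnabled
        }
    }
}

$report | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize

# Check 1: Microsoft's guidance is no more than four Global Administrator accounts.
$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -gt 4) {
    Write-Warning "$gaCount Global Administrator accounts found (guidance: no more than four)."
}

# Check 2: privileged accounts should be cloud-only, not synced from on-premises AD.
$report | Where-Object { -not $_.CloudOnly } | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) holds '$($_.Role)' but is synced from on-premises AD."
}
```

Run this periodically, or whenever a records or information manager is given an admin role, and compare the output with the roles the organisation decided on; any account in the table that is not expected there is the least-privilege question to raise with IT.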
What roles do records and information managers need?
The most obvious roles for records and information managers’ accounts, set in either the Azure or Microsoft 365 admin portals, are:
- SharePoint admin
- Global Reader
- Reports Reader
The following roles relate to the management of records and are set in the Microsoft 365 admin portal, the Azure admin portal, or the Compliance admin portal:
- Compliance admin
- Compliance data admin
- Records Administrator (only set in the Compliance admin portal)
- Records Management (only set in the Compliance admin portal)
- Knowledge Administrator (only set in the Azure admin portal)
- Knowledge Manager (only set in the Azure admin portal)
Details of what these roles can do or have access to are described below.
In most cases, the simplest option will be to grant the records or information manager account (preferably a cloud-only account) the ‘full’ Compliance admin role or alternatively the Compliance Data admin role (with slightly reduced capability).
While additional roles, sub-roles, or even custom roles may be assigned or created for specific purposes, these may only be required in more complex organisations where those roles can be assigned to someone with that responsibility. For example, a ‘Privacy Manager’ person/account could be assigned the Privacy Management role.
Records or information managers who were EDRMS administrators might be assigned the SharePoint admin role, including in support of more technical SharePoint admins.
Accounts assigned to the SharePoint admin role can create new sites and manage the SharePoint environment, including the Managed Metadata Term Store. They can guide site owners on how to use their sites, including:
- Creating and applying site columns and content types to libraries and lists
- Creating and configuring new document libraries and lists
- Editing page content
SharePoint admins may apply, or help site owners and members apply, retention labels and recover content from the Recycle Bins and Preservation Hold library (if a retention policy has been applied to the site).
The Global Reader role provides read-only access to all of the options in all the Microsoft 365 admin portals. Accounts assigned to this role can also download reports. It is a useful role to have if the records or information manager needs to view settings and reports.
The Reports Reader role provides read-only access to various sections of the Microsoft 365 admin portal only, including: Users, Teams & Groups, Roles, Billing, Settings, Reports (Usage reports), and Health (but not the Message Centre). Accounts assigned to this role can also download reports.
Compliance admin/Compliance Data admin
Accounts assigned to the Compliance admin role group have full access to the Compliance admin portal, including the following areas:
- Data classification (E5). Access to trainable classifiers, content explorer, activity explorer.
- Reports (Dashboards).
- Audit logs (3 months for E3, 12 months for E5)
- Content Search (search across all Exchange mailboxes (including Teams compliance chats and posts) and SharePoint/OneDrive)
- Data Loss Prevention (create policies based on a range of criteria)
- eDiscovery (search for content, apply legal holds)
- Information Governance (with E3 licences, basic retention labels, label policies, and retention policies)
- Information Protection (information sensitivity labels)
- Records Management (with E5 licences, more advanced retention label options, label policies, dispositions)
- Privacy Management
The Compliance admin role group includes all the following sub-roles. Items marked with an asterisk are not included in the Compliance Data Admin role group and will mostly not be required (that is, most records and information manager accounts could be assigned the Compliance Data Admin role).
- Case Management *
- Compliance Administrator
- Compliance Search
- Data Classification Feedback Provider *
- Data Classification Feedback Reviewer *
- Data Investigation Management *
- Device Management
- Disposition Management (manage disposition)
- DLP Compliance Management
- Hold *
- IB Compliance Management
- Information Protection Analyst
- Information Protection Investigator
- Information Protection Policy Admin
- Information Protection Reader
- Manage Alerts
- Organization Configuration
- RecordManagement (‘manage and dispose record content’)
- Retention Management (‘create retention labels’)
- (‘Sensitivity Label Administrator’ is included in the Compliance Data admin role)
- View-Only Audit Logs
- View-Only Case *
- View-Only Device Management
- View-Only DLP Compliance Management
- View-Only IB Compliance Management
- View-Only Manage Alerts
- View-Only Recipients
- View-Only Record Management
- View-Only Retention Management
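The difference between the two role groups above can be confirmed on a tenant rather than taken from a list, and the same session shows who currently holds each group. The following script is an added example and is not part of the original post; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read role groups in Security & Compliance PowerShell. The role group identities ‘ComplianceAdministrator’ and ‘ComplianceDataAdministrator’ are the names these groups carry in that PowerShell environment; confirm them in your tenant with Get-RoleGroup before relying on them.

```powershell
# Added example (not from the original post): compare the sub-roles of the
# Compliance admin and Compliance Data admin role groups, and list the members
# of each. Assumes the ExchangeOnlineManagement module; Connect-IPPSSession
# opens a Security & Compliance PowerShell session (the Compliance admin portal).
Connect-IPPSSession

# Role group identities as used by Security & Compliance PowerShell.
# Run Get-RoleGroup on its own to confirm the names in your tenant.
$fullGroup    = 'ComplianceAdministrator'
$reducedGroup = 'ComplianceDataAdministrator'

function Get-RoleGroupRoleNames {
    param([string]$Identity)
    $group = Get-RoleGroup -Identity $Identity
    # Role entries may be returned as 'RoleGroup\Role'; keep only the role name
    # so the two lists compare cleanly.
    @($group.Roles | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique)
}

$fullRoles    = Get-RoleGroupRoleNames -Identity $fullGroup
$reducedRoles = Get-RoleGroupRoleNames -Identity $reducedGroup

# Sub-roles that only the full Compliance admin role group carries. These should
# match the asterisked items in the list above (Case Management, Hold, and so on).
$onlyInFull = $fullRoles | Where-Object { $_ -notin $reducedRoles }

"Sub-roles in $fullGroup but not in ${reducedGroup}:"
$onlyInFull | ForEach-Object { "  $_" }

# Who currently holds each role group. Records and information manager accounts
# should normally sit in the reduced group unless they need one of the roles above.
foreach ($name in @($fullGroup, $reducedGroup)) {
    ""
    "Members of ${name}:"
    Get-RoleGroupMember -Identity $name | ForEach-Object { "  $($_.Name)" }
}
```

If the printed difference is only Case Management, Hold, Data Investigation Management, the two Data Classification Feedback roles and View-Only Case, the tenant matches the list above and the Compliance Data Admin role group is sufficient for an account that does not run eDiscovery cases or legal holds.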
Records Administrator/Records Management/Knowledge Administrator
There are three specific role groups that provide more restricted records management-related capability.
The Records Administrator role group includes access to most of the day-to-day functionality that will be required, via the following sub-roles.
- Disposition Management
- Audit Logs (but note that the account assigned this role must also be added to the Records Administrator role in the EXO admin portal to access the logs)
- View-Only Audit Logs (comment as above)
- Compliance Search
- Case Management
- Retention Management
- Journaling (in EXO admin)
- Message Tracking (in EXO admin)
- Transport Rules (in EXO admin)
The Records Management role group includes the following sub-roles:
- Disposition Management
- Retention Management
This role group provides access to most of the records management related options in the Compliance admin portal, except the Audit logs.
The Knowledge Administrator role group provides access to a number of options in the Compliance admin portal and has a single sub-role:
- Knowledge Admin
The Knowledge Manager role provides access to a number of options in the Compliance admin portal.
Summarising the options
In summary, records and information managers will need the following at a minimum to manage records in Microsoft 365:
- An active AD or AAD account
- A Microsoft 365 licence, ideally E5 or E5 Compliance add-on. E3 may be suitable but provides fewer options.
- One or more roles:
- SharePoint Admin, if they will be managing SharePoint.
- Compliance admin. This is suitable for most advanced records management related activities (including accessing audit logs; creating, applying and managing retention labels and policies; DLP; information protection; and more). Alternatively, one of the reduced Compliance roles.
- Global Reader (or Reports Reader) to view usage reports/dashboards and settings.
Whatever role is required, records and information managers need to work closely with IT to determine the most appropriate role based on business needs.