I’ve started at a medium-sized org (~1500 users) that has over a dozen global admins in 365, plus another 80 users with various 365 admin access. Does anyone have any tips for how to identify what access the users actually need?

I tried punching up a questionnaire with all of the available options, but my test group reported that it was too convoluted. I’m not sure how I can better identify their needs without interviewing them one-on-one, or just ripping away access and seeing who screams.

  • @lornosaj
    link
    51 year ago

    Create a model based on processes? Eg least priv for helpdesk for passwords, machine/intune mngt, etc., call it L1. Then add some roles for reporting, wiping/isolating machines or similar for the security team (call it L2 admin), etc.

    • @[email protected]OP
      link
      fedilink
      31 year ago

      Role-based access is absolutely the goal but I think I’m a ways away from identifying and implementing it. Responsibilities are too unclear and diverse right now.

      I may need to just meet with each department manager and ask him or her what their team needs to be able to do.

      • @lornosaj
        link
        21 year ago

        Honestly, it depends on your role within the company as well - if you are a CxO or from IAM/UAM domain, then you can just define a model for this particular “tool” and announce the upcoming change (ie prepare the roles and all, and then clean up existing roles/accesses) that X will happen in next, lets say, 45 days. This will make everyone jump on you of course, buuuuut thats what you want, as at least you will suddenly get people msging you regarding the “why” they need xyz role - et voila you now have your high level list of processes; adjust roles where needed and continue.

        My view on this is that it also kinda depends on the company hierarchy and its sector, but you should be a little dictator - youll reap the rewards for being effective; its the others who ignored your call2action who are to blame :D

    • @[email protected]OP
      link
      fedilink
      11 year ago

      I haven’t found anything like a full report on admin right usage for all users. I’d hate to go user-by-user in audit reporting - At that point I may as well just interview them.