Security and Compliance Roles: Some Best Practices | Quisitive
Security and Compliance Roles: Some Best Practices
August 30, 2018
Read our take below

When you deploy Office 365, you will eventually have to delve into the O365 Security and Compliance center ( 

There are a lot of very important features in the Security and Compliance center allow you to manage Alerts, review audit logs, configure DLP, and much more.  When you first start working with the S&C center, most likely you will be logged in as the Global Admin, but this isn’t the best practice long term.  Also, if you can delegate these tasks to the correct people then you won’t have to perform them every time.

So, how do we delegate those tasks?  It’s via Role Groups in the Permissions section of the S&C center.  Global Admins are automatically assigned the Organizational Management Role group which gives them the all-important role Role Management.

Tangent time…Microsoft has really messed up the naming of these things.  Roles are specific permissions in the S&C center.  Role Groups are when a bunch of Roles (actually permissions) are grouped together.  For some reason, they didn’t just call them Permissions and Roles and make our lives easier.  You can read all about this here

The marriage of Users and Roles (permissions) is the Role Group. So, what Role Groups should you assign your users to?  Here is the list of Role Groups and their descriptions:

Role groupDescriptionCandidate user
Compliance AdministratorMembers can manage settings for device management, data loss prevention, reports, and preservation.Security Team Member
eDiscovery ManagerMembers can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case.eDiscovery Admins and Investigators
Organization ManagementMembers can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation.Global Admin is this by defaultSecurity and Compliance Team Leader and backup
ReviewerMembers can only view the list of cases on the eDiscovery cases page in the Security & Compliance Center. They can’t create, open, or manage an eDiscovery case. The primary purpose of this role group is to allow members to view and access case data in Advanced eDiscovery.This role group has the most restrictive eDiscovery-related permissions.eDiscovery Investigator that only needs limited rights
Security AdministratorMembership in this role group is synchronized across services and managed centrally. This role group is not manageable through the administrator portals. Members of this role group may include cross-service administrators, as well as external partner groups and Microsoft Support. By default, this group may not be assigned any roles. However, it will be a member of the Security Administrators role groups and will inherit the capabilities of that role group.
Security ReaderMembers have read-only access to several security features of Identity Protection Center, Privileged Identity Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center.Security Team members that do not need to change any settings
Service Assurance UserMembers can access the Service assurance section in the Office 365Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft’s security practices for customer data that’s stored in Office 365.Help DeskCommunications Team members
Supervisory ReviewMembers can create and manage the policies that define which communications are subject to review in an organization.Managers of Customer Contact Team Leads

There…now you have everything that you need…right?  Well, not really.  That list of Role Groups provides a decent starting point, but it doesn’t answer all of the problems.  For one…there are a few features that even if you activate them in the S&C Center, still won’t work.  Audit Log Access is one of them.  If you look at the top of the Permissions page you will see the following:

Some exceptions to the Role Groups and Role permissions

So, if we want a non-Global or Exchange Admin to see Audit Logs, then we have to go into the Exchange Admin Center and add them to a role that has those permissions…or create a custom role that does.  If you go the existing role route, then add them to the Compliance Management role in Exchange.

The pre-existing Exchange Compliance Management Role will grant most of the permissions that you need

Audit Logs, check…but a lot more.  I can make an argument that a Security and Compliance Team member actually does need this level of permissions, but you can also just create a new role and only grant them Audit Logs and View-Only Audit Logs.

Back to the Security and Compliance Center…

You can make your own Role Groups, and honestly if you are thinking about changing any of the roles assigned to a role group…don’t.  Instead copy the role group and change that.  This will ensure that if Microsoft changes something in the future you won’t have inadvertently broken it.

NOTE: eDiscovery is a strange animal.  Its Role Group has two sets of members.  The eDiscovery Manager and the eDiscovery Admin.  The Admin can see and manage all eDiscovery cases, while the Manager can only work on cases that they have been directly assigned.  If you copy this group…it doesn’t have the two levels of members so something is special about this group specifically.

Customizing your own Role Groups might be just what you need to do, or you may just want to understand what the Roles (permissions) actually mean.  Good luck with that.  I cannot find an article that actually lists all of the roles and a good description of them.  Here is the best that I can provide for you:

Audit LogsLets people turn on and configure auditing for their Office 365 organization. This role also lets people view the organization’s audit reports, and then export these reports to a file.NOTE: This doesn’t actually give them audit log access until you add them that role in Exchange.  That will change in the future I suspect.
Case ManagementLets people create, edit, delete, and control access to eDiscovery cases.
Compliance AdministratorLets people view and edit settings and reports for compliance features.
Compliance SearchLets people perform searches across mailboxes and get an estimate of the results.
Device ManagementLets people view and edit settings and reports for device management features.
Disposition ManagementControl permissions for accessing Manual Disposition in the Security & Compliance Center.
DLP Compliance ManagementLets people view and edit settings and reports for data loss prevention (DLP) policies.
ExportLets people export the mailbox and site content that was returned from a search.
HoldLets people place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content.
Manage AlertsLets people view and edit the settings and reports for alerts.
Organization ConfigurationLets people run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation.
PreviewLets people view a list of items that were returned from a content search. They’ll also be able to open each item from the list to view its contents.
RecordManagementAllow viewing and editing configuration and reports for the Record Management feature.
Retention ManagementLets people manage retention policies.
ReviewLets people use Office 365 Advanced eDiscovery to track, tag, analyze, and test documents that are assigned to them.
RMS DecryptLets people decrypt RMS-protected content when exporting search results.
Role ManagementLets people manage role group membership and create or delete custom role groups.
Search And PurgeLets people bulk-remove data that matches the criteria of a content search.
Security AdministratorAllows viewing and editing configuration and reports for Security features.
Security ReaderAllows viewing configuration and reports for Security features.
Service Assurance ViewLets people download the documents available on the Service Assurance section. Content includes independent auditing and compliance documentation and trust-related guidance for using Office 365 features to manage regulatory compliance and security risks.
Supervisory Review AdministratorLets people manage supervisory review policies, including which communications to review and who should perform the review.
View-Only Audit LogsLets people view and export their organization’s audit reports. Because these reports might contain sensitive information, this role should only be assigned to those with an explicit need to view this information.
View-Only Device ManagementAllow viewing configuration and reports for the Device Management feature.
View-Only DLP Compliance ManagementLets people view the settings and reports for data loss prevention (DLP) policies.
View-Only Manage AlertsAllow viewing configuration and reports for the Manage Alerts feature.
View-Only RecipientsLets people view information about users and groups.
View-Only Record ManagementAllow viewing configuration and reports for the Record Management feature.
View-Only Retention ManagementAllow viewing configuration and reports for the Retention Management feature.

Some of these descriptions aren’t very explanatory, but that is what Microsoft is giving us today.  Hopefully more will come soon.