Permissions

Permissions allow organizations to give certain individuals elevated access so that they can perform specific operations in the service. A common strategy shared across the different Microsoft 365 admin centers is Role-Based Access Control (RBAC). Under RBAC, users are grouped into roles, and each role carries the minimum level of permissions its members need to execute their tasks, and only their tasks.

Microsoft 365 has a granular permissions model that allows organizations to have multiple administrators whose administrative abilities can be scoped to certain groups of tasks. The roles that are available in Microsoft 365 are as follows:

  • Global admin: The most permissive role with the rights to access and modify all configurations in all the Admin Centers. They can also reset the passwords of all users and add and manage domains.
  • Billing admin: Makes purchases, manages subscriptions and service requests, and monitors the health service.
  • Help desk admin: Can reset passwords for non-admin users, help users sign out, manage service requests, and monitor service health.
  • License admin: Can assign and remove user licenses and usage location.
  • Reports reader: Can access the reports dashboard, Power BI adoption content packs, sign-in reports, and the Microsoft Graph reporting API.
  • User admin: Resets user passwords, manages users and groups, manages service requests, and monitors service health.
  • Exchange admin: Full access to the EXO Admin Center, manages Office 365 groups and service requests, and monitors service health.
  • SharePoint admin: Full access to the SPO Admin center, manages Office 365 groups and service requests, and monitors service health.
  • Teams admin: Full access to the Teams Admin Center, manages Office 365 groups and service requests, and monitors service health.

A complete list of all possible permission levels in AAD is available at https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles.

To assign a role to a user in the Microsoft 365 Admin Center, an administrator with proper permissions can edit a user's properties and assign an administrator role, as shown in the following screenshot:

Additionally, more granular roles can be assigned in the Azure Active Directory Roles and administrators blade, which is available in the Azure Portal (https://aad.portal.azure.com), as shown in the following screenshot:

As part of a least-privilege model, organizations can also use Privileged Identity Management (PIM). PIM allows designated users to be granted elevated permissions for a period of time. PIM can be configured with a series of workflows to ensure proper approval is granted before assigning the role permissions. With this feature, organizations are able to significantly limit the number of fully-privileged accounts in their environment, reducing their attack surface.

Azure Active Directory Privileged Identity Management is configured through the Azure Portal (https://portal.azure.com), as shown in the following screenshot:

Organizations should follow best practices when considering their permission, role, and administration strategies. Some recommendations include the following:

  • Have at least two, but no more than four, global admins.
  • Whenever possible, assign the least permissive role to administrators.
  • Require Multi-Factor Authentication (MFA) from all admins and end users.
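The first and third recommendations can be checked rather than trusted. The following script is an added example, not code from the book, and assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) with read-only Graph scopes; it lists the Global Administrator members, warns when the count falls outside two to four, and flags any member with no authentication method registered beyond the password.

```powershell
# Added audit example (assumed: Microsoft.Graph module installed; read-only scopes).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","UserAuthenticationMethod.Read.All"

# Directory roles are listed once activated; Global Administrator is always active.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # Role members are generic directory objects; user fields sit in AdditionalProperties.
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # skip groups and service principals holding the role

    # Any registered method other than the password itself counts as MFA-capable
    # (note: a phone registered only for self-service password reset also shows up here).
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
    $strong  = @($methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    })
    [pscustomobject]@{
        UserPrincipalName = $upn
        StrongMethods     = $strong.Count
    }
}

$count = @($report).Count
if ($count -lt 2 -or $count -gt 4) {
    Write-Warning "Tenant has $count Global Administrators; recommended range is two to four."
}
foreach ($r in $report | Where-Object StrongMethods -eq 0) {
    Write-Warning "$($r.UserPrincipalName) holds Global Administrator with no MFA method registered."
}
$report | Format-Table -AutoSize
```

Run it from an account that already holds a read-only directory role; it changes nothing in the tenant.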

We'll look at more recommendations later in this chapter. 

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.219.86.155