How to Implement Role-Based Access Control in Office 365

Have you heard about Role-Based Access Control in Office 365 and how to implement it? This article walks you through the steps to implement Role-Based Access Control (RBAC) in Office 365.

Firstly, we give an overview of RBAC in Microsoft 365 and how it works in Azure AD, Exchange Online, and Microsoft Intune.

Finally, we explain 4 steps to enforce Role-Based Access Control in Office 365.

Overview Of Office 365 Role-Based Access Control

Microsoft 365 is a suite of cloud-based services (Azure AD, Exchange Online, and Microsoft Intune). Managing permissions and access to these services is challenging for admins.

To simplify the process, Microsoft has created built-in roles with permissions. Together they form the Role-Based Access Control (RBAC) model, which is the basis for a large set of predefined roles and assigned permissions in Azure AD, Exchange Online, and Intune.

With RBAC, each admin role is aligned with a specific business function, providing people in your organization with the necessary permissions to perform their designated tasks efficiently and effectively.

To view and manage predefined roles in Office 365, visit the Role Assignments node of your Microsoft 365 admin center. 

In the following subsections, we explain how Role-Based Access Control is implemented in Azure AD, Exchange Online, and Intune.

How RBAC in Azure Active Directory Works

Azure Active Directory (AD) offers built-in roles with fixed permissions. As of May 2023, Azure AD has around 100 predefined roles available.

Azure AD built-in roles meet the needs of most organizations, but if they don’t, you have the option to create custom roles. Creating custom roles is a two-step process that involves creating the custom role and then assigning the role permissions from a pre-set list.

Basically, you assign the role’s permissions to a user through a process called “role assignment.”

Visit Microsoft’s Overview of role-based access control in Azure Active Directory page to learn more.

Please note that the built-in Azure AD roles are free to use. For custom roles, however, each user with a custom role assignment needs an Azure AD Premium P1 license.

How RBAC in Exchange Online Works

Exchange Online uses the Office 365 Role-Based Access Control model with slight modifications, following the same model as Azure AD. Specifically, Exchange Online RBAC defines the tasks an admin or user can perform by granting them permissions based on management roles.

In Exchange Online, Microsoft provides a set of predefined management role groups to simplify assigning permissions to admins and users. Besides management role groups, the Exchange Online Role-Based Access Control model offers role assignment policies.

These policies enable admins to delegate control to end users for their own mailbox or distribution groups, allowing them to manage their settings. This provides users with more flexibility in managing their accounts.

Using built-in role groups to assign permissions in the Exchange Online admin center is recommended by Microsoft. However, if needed, you have the option to create custom role groups either from scratch or by copying an existing one.

To learn more about how RBAC works in Exchange Online, head to Microsoft’s Permissions in Exchange Online page. 

How RBAC with Microsoft Intune Works

Microsoft Intune is part of Office 365 and follows the same Role-Based Access Control model as the other services. Intune offers built-in roles and, as with Azure AD and Exchange Online, you can create custom Intune RBAC roles.

In implementing RBAC, Intune relies on 2 models: Roles and Role assignments. A role defines the permissions that assigned users can exercise. A role assignment, in turn, determines which users are assigned to a role and which resources they can access and modify.

Use the Microsoft Intune admin center or PowerShell to manage roles and role assignments.

When you click on any role in the Intune admin center, you notice 2 pages in the “Manage” section: Properties and Assignments.

The Properties page displays the name, description, and permissions granted to the role. Meanwhile, the Assignments page shows a list of role assignments that define which users access (view) or change (edit) which devices or users.

Check out Microsoft’s Role-based access control (RBAC) with Microsoft Intune page.

Steps to Implement Role-Based Access Control in Office 365

Step 1: Audit Current Microsoft 365 Roles

Before enforcing Role-Based Access Control, it is essential to determine your organization’s current role assignments. Get the current role assignments from the Microsoft 365 admin center at admin.microsoft.com/#/rbac/directory

The page opened by this link has 4 tabs: Azure AD, Exchange, Intune, and Billing. Each tab has a list of admin roles that belong to the service.

To see which users have been assigned a particular role in your Microsoft 365 tenant, follow these steps.

First, click on the role tab (for example, Azure AD). This opens up a flyout menu. Next, click on the “Assigned” tab to see a list of all the users or groups assigned that role in Azure AD.

After that, you repeat the same for the Exchange, Intune, and Billing tabs. This gives a comprehensive list of all the roles in your Microsoft 365 tenant and the users assigned to each role.

After completing this task, you have a complete picture of all the roles in your tenant and the users assigned to them.

Additionally, you have the option of utilizing Microsoft PowerShell scripts to list role assignments in Azure AD, Exchange Online, and Intune.
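As an added example (not part of the original article), the script below collects the Azure AD and Exchange Online assignments from step 1 into one table. It assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules are installed and that the signed-in account has read access to roles; Intune is not covered, and the output file name is a placeholder.

```powershell
# Added example: flatten Azure AD and Exchange Online role assignments into one report.
# Assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
# and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$report = [System.Collections.Generic.List[object]]::new()

# Azure AD: Get-MgDirectoryRole returns only roles that have been activated in the tenant.
# Members listed here are active assignments; PIM-eligible assignments are not included.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $p = $member.AdditionalProperties
        $report.Add([pscustomobject]@{
            Service    = 'Azure AD'
            Role       = $role.DisplayName
            # Users carry a UPN; groups and service principals only a display name
            Member     = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
            MemberType = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        })
    }
}

# Exchange Online: management role groups and their direct members
foreach ($group in Get-RoleGroup -ResultSize Unlimited) {
    foreach ($member in Get-RoleGroupMember -Identity $group.Name -ResultSize Unlimited) {
        $report.Add([pscustomobject]@{
            Service    = 'Exchange Online'
            Role       = $group.Name
            Member     = if ($member.PrimarySmtpAddress) { $member.PrimarySmtpAddress } else { $member.Name }
            MemberType = $member.RecipientType
        })
    }
}

# Save the full list (placeholder file name) and show which roles have the most holders
$report | Sort-Object Service, Role, Member |
    Export-Csv -Path .\m365-role-assignments.csv -NoTypeInformation
$report | Group-Object Service, Role | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Roles at the top of the final table are the first candidates for review in step 2.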

Step 2: Define Roles and Permissions Requirements to Implement Office 365 Role-Based Access Control

After reviewing the current role-based assignments in Office 365, the next step to implement RBAC in your Microsoft 365 tenant is defining your organization’s critical roles and permissions.

Follow these high-level guidelines to complete this process:

1. Determine the business needs RBAC should address. Evaluate the Microsoft 365 services each business unit needs to function and the modules the unit requires. You also want to know each business unit’s actions and who needs to perform those actions.

2. Define the roles and permissions required to meet the business needs.

3. Map your defined business roles and permissions to existing built-in roles. We described Microsoft 365’s built-in roles earlier in this guide. To implement Role-Based Access Control using these roles, refer to the roles and permissions defined in step 2 above and match them with the appropriate built-in roles to meet your needs.

Review the built-in roles thoroughly and identify whether they meet your requirements. If not, determine which custom roles you need.

Step 3: Create the Custom Roles to Implement Role-Based Access Control in Office 365 (Optional)

Step 4: Modify Role Assignment Based on Defined Roles and Permissions

With the information you have gathered from steps 2 to 3, modify the identified roles and assign users accordingly.
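The comparison between the audited assignments and the defined target can be scripted. The following added example (not from the original article) uses a hypothetical helper, Get-RoleAssignmentDelta, and constructed sample data with placeholder accounts to list which assignments to remove and which to add.

```powershell
# Constructed sample data: current assignments as audited in step 1
$current = @'
Service,Role,Member
Azure AD,Global Administrator,alice@contoso.example
Azure AD,Global Administrator,bob@contoso.example
Azure AD,User Administrator,carol@contoso.example
Exchange Online,Organization Management,bob@contoso.example
'@ | ConvertFrom-Csv

# Constructed sample data: target assignments as defined in steps 2 and 3
$desired = @'
Service,Role,Member
Azure AD,Global Administrator,alice@contoso.example
Azure AD,User Administrator,carol@contoso.example
Azure AD,Helpdesk Administrator,bob@contoso.example
Exchange Online,Organization Management,dave@contoso.example
'@ | ConvertFrom-Csv

# Hypothetical helper: returns one row per assignment that differs from the target
function Get-RoleAssignmentDelta {
    param([object[]]$Current, [object[]]$Desired)

    # Index both sides by service, role and member (hashtable keys are case-insensitive)
    $have = @{}
    foreach ($r in $Current) { $have["$($r.Service)|$($r.Role)|$($r.Member)"] = $r }
    $want = @{}
    foreach ($r in $Desired) { $want["$($r.Service)|$($r.Role)|$($r.Member)"] = $r }

    # Present today but not in the target: excess privilege to remove
    foreach ($k in $have.Keys) {
        if (-not $want.ContainsKey($k)) {
            $have[$k] | Select-Object @{ n = 'Action'; e = { 'Remove' } }, Service, Role, Member
        }
    }
    # In the target but not present today: assignment to add
    foreach ($k in $want.Keys) {
        if (-not $have.ContainsKey($k)) {
            $want[$k] | Select-Object @{ n = 'Action'; e = { 'Add' } }, Service, Role, Member
        }
    }
}

Get-RoleAssignmentDelta -Current $current -Desired $desired |
    Sort-Object Service, Role, Action | Format-Table -AutoSize
```

With the sample data, the output lists two removals for bob (Global Administrator and Organization Management) and two additions (bob as Helpdesk Administrator, dave in Organization Management).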

To modify role assignments in Azure AD, log in to portal.azure.com and go to Azure Active Directory. Next, access the menu and click on the “Roles and administrators” node.

Finally, select the role you wish to modify assignments for and click the “+ Add assignments” button.

To modify Exchange role assignments, follow these steps. First, sign in to admin.exchange.microsoft.com. Next, expand the Roles menu and select the “Admin Roles” node.

Now, open the Admin role where you want to add assignments. Click the “Assigned” tab in the flyout that appears.

Finally, select the “+ Add” button.

To change Endpoint Manager roles in Microsoft Intune, follow these steps:

First, sign in to intune.microsoft.com. Click the Tenant Administration node from the menu, and select Roles.

Next, select the role you want to modify and click on the Assignments node. Finally, click the “+ Assign” button.

How to Implement Role-Based Access Control in Office 365 Conclusion

In conclusion, implementing role-based access control (RBAC) in Office 365 is essential to maintain security and protect sensitive data. In this article, we discussed a brief overview of RBAC in Office 365 and how it works in Azure Active Directory, Exchange Online, and Microsoft Intune.

We also covered 4 steps to follow to implement RBAC in Office 365. Firstly, audit current Microsoft 365 roles to identify areas that need modification. Secondly, define roles and permissions requirements for implementing RBAC.

Thirdly, create custom roles if the pre-defined roles don’t meet your specific needs. Finally, modify role assignments based on defined roles and permissions to ensure that users have access to the resources they need and nothing more.

By following these steps, you can implement RBAC in Office 365 successfully and ensure that users in your organization have the right access to perform their tasks based on their business functions.


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.