Office 365 access governance

In the last few years, and especially the last few months, we are using Office 365 to collaborate within our organization on a much bigger scale than ever before. In the same way that we collaborate within our organization, we can work with users from external organizations, such as clients, vendors, and other partners.

Users can join groups, invite guests, connect to cloud apps, and work remotely from their work or personal devices. And this is the part where things can go sideways if there is no control over who is doing what, what is shared with whom, and who oversees what.

User roles in Office 365

Let’s start with some basic terms. Roles play a significant part in Office 365 access management. This is the list of roles, provided by Microsoft that you will most likely encounter while managing your organization.

Types of Groups in Office 365

Alongside roles, there are a few types of groups, which simplify not only resources and user management but also Office 365 security in general. We can encounter these types of groups in Office 365:

• Microsoft 365 Groups (formerly Office 365 Groups) are used for collaboration between users, both external and internal users. With each of the Microsoft 365 Groups, members get a group email and shared workspace for conversations, files, and calendar events, and a Planner.
• A security group is used for granting access to Microsoft 365 resources, such as SharePoint. It can contain users or devices. Azure Active Directory automatically ads or removes security group members or devices based on changes in user attributes such as a department, location, or title.
• A mail-enabled security group has the same function as a regular security group, except they cannot be dynamically managed through Azure Active Directory and can’t contain devices.
• Distribution lists are used for sending notifications to a list of people. I can receive an external email if enabled.
• Shared mailboxes are used when multiple people need access to the same email inbox. Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address.

Audit your access with regular Office 365 permissions reviews

Now that we are familiar with the basic terms, let’s move on to permissions reviews. The key to quality corporate access governance is performing regular reviews to ensure that only relevant people have access to company applications and data.

You can simplify how to track and collect access reviews for different purposes by organizing them into programs. You can use the tools like Azure AD Access Review to take better control of data ownership inside your organization. Some of the advantages of automated access reviews are:

• There’s no need for manual work.
• You can use predefined actions that will be executed at the end of each successful access review.
• You can schedule Access reviews to run periodically or just one time.
• Access reviews jobs can recommend actions based on review findings.
• You can delegate Access reviews so you can get better results and lower the time and cost of auditing.

Syskit Point is an Office 365 access management tool that helps you review access faster and be more productive while having better control of your company resources.

When you need to keep tight control over Office 365 access security

When talking about access security, here are a few everyday situations where it is of the most crucial importance to have well-organized access control.

• onboarding and offboarding of employees
• organizational changes
• too many users in privileged roles
• group repurposing
• business-critical data access
• maintaining a policy’s exception list
• migration from an on-prem to a cloud environment

In these situations, it is essential to have a proactive engagement of resource owners and ensure that they regularly review access for their members.

Office 365 access governance best practices

A properly administrated Office 365 (recently changed by Microsoft to Microsoft 365) environment is essential in the situations mentioned above. Users need to be able to manage access to their sites, share documents, and do everyday tasks following their governance policies without too many interruptions.

To be able to provide that kind of environment, Office 365 administrators need to assist with managing their organization’s audit settings, content types and record policies, information sharing rules, etc.

In most organizations, the most challenging task is to set up the right team of admins with the proper permissions for managing digital property (Groups, SharePoint, Teams, Exchange, etc.). In the end, there is the question between giving users levels of access that reduce admins’ abilities to manage them or put all the weight on admins and make them do all the work. When you are developing a permissions strategy, you should keep a few things in mind.

• Modern organizational information architecture needs to be flexible and adaptive to changing organizational needs.
• It is a good idea for a team site owner to create a governance model that will address the site’s policies, roles, responsibilities, and processes. A governance plan can help keep site usage under control. For example, you may want only specific sites to have subsites or have only certain users to upload documents.
• Always give people the lowest permission levels necessary to perform their assigned tasks, which is often called Principle of Least Privilege.
• Segment your security in smaller functional groups, sites, or libraries designed for specific purposes, rather than having them all mixed in one extensive library and protected by unique permissions.
• Assign access to people by adding them to standard, easily recognizable groups, such as guests, members, and owners.
• If the information you’re dealing with is valuable to the company, requires a higher level of security, or is covered by regulatory compliance rules, you might want to set up a classification scheme to identify specific types of content. After you have organized the information into specific lists and libraries, you can start to govern the content.
• Each subscription comes with a set of admin roles that can be assigned to users in your Microsoft 365 organization to access sensitive settings, data, and files. To avoid security threats, you should have at least two global admin accounts, but no more than four.
• To keep your data secure, always assign admins the role with the least necessary permissions.
• If not required already for all your users, MFA should be mandatory for all admin accounts.
• Give permission through Microsoft 365 Groups whenever possible. With Groups, you can manage permissions from one place, which means that rules applied to the group will propagate to all Microsoft 365 components like SharePoint, Forms, OneDrive, MS Teams, Yammer, etc.

If you want to read more about Office 365 governance in general, check out a blog post by Toni Frankola, Syskit’s CEO.

Privileged Office 365 access management

When talking in the context of access security, privileged accounts deserve a couple of paragraphs for themselves. Most often, privileged rights are given for a specific short-term task. But, in some cases, privileged access is given indefinitely, and then its existence is frequently forgotten. If not appropriately controlled, privileged rights can lead to severe consequences and even permanent data loss.

If you would like your organization to have a defense mechanism against privileged access vulnerabilities, consider enabling Privileged Access Management in Microsoft 365. This solution allows you to provide granular access control over privileged admin accounts.

There’s another excellent control solution – Azure AD Privileged Identity Management. While privileged access management applies only at the task level, Azure AD Privileged Identity Management protection is applied at the role level with the ability to execute multiple tasks. A combination of these two mechanisms provides the just-in-time access control at different scopes.