I’ve started at a medium-sized org (~1500 users) that has over a dozen global admins in 365, plus another 80 users with various 365 admin access. Does anyone have any tips for how to identify what access the users actually need?
I tried punching up a questionnaire with all of the available options, but my test group reported that it was too convoluted. I’m not sure how I can better identify their needs without interviewing them one-on-one, or just ripping away access and seeing who screams.
Create a model based on processes? Eg least priv for helpdesk for passwords, machine/intune mngt, etc., call it L1. Then add some roles for reporting, wiping/isolating machines or similar for the security team (call it L2 admin), etc.
Role-based access is absolutely the goal but I think I’m a ways away from identifying and implementing it. Responsibilities are too unclear and diverse right now.
I may need to just meet with each department manager and ask him or her what their team needs to be able to do.
Honestly, it depends on your role within the company as well - if you are a CxO or from IAM/UAM domain, then you can just define a model for this particular “tool” and announce the upcoming change (ie prepare the roles and all, and then clean up existing roles/accesses) that X will happen in next, lets say, 45 days. This will make everyone jump on you of course, buuuuut thats what you want, as at least you will suddenly get people msging you regarding the “why” they need xyz role - et voila you now have your high level list of processes; adjust roles where needed and continue.
My view on this is that it also kinda depends on the company hierarchy and its sector, but you should be a little dictator - youll reap the rewards for being effective; its the others who ignored your call2action who are to blame :D
Audit report?
Is there any way to look at what access people are actually using?
I haven’t found anything like a full report on admin right usage for all users. I’d hate to go user-by-user in audit reporting - At that point I may as well just interview them.