Access management for customer environments
- Creating B2C applications and configuring B2B external collaboration settings.
- Configuring company branding and company properties.
- Managing tasks related to pass-through authentication and seamless single sign-on (SSO).
- Managing user settings for enterprise applications.
- Installation of Azure AD Connect and managing object synchronization with on-premises directories.
- Managing security and compliance, including setting retention policies under Data Governance.
How do you elevate yourselves to Global Admin if no users are given this role?
Only a single PowerApp has this access on our side. The solution is used to create temporary users with Global Admin in our customers' environments. The solution automatically deletes the user when the time has expired. Everyone who uses the solution must state a reason for needing the access, so that we can easily find the purpose if the customer wants more insight.
How do you make sure that nobody takes Global Admin anyway?
We monitor the groups that control this in Azure AD. If anyone changes the groups or the setup, a critical alarm goes to our on-call staff, who work 24/7, 365 days a year. The on-call staff have a response time of 30 minutes. We then immediately block the users and investigate this as a critical security incident.
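The monitoring described above can be written as a rule over Entra ID audit records: alert on any change to the access-governing groups, and on any Global Administrator grant that did not come from the one approved app. This is an added example, not Ironstone's implementation; the group names, the app name and the events are constructed, and the records are trimmed to the Microsoft Graph directoryAudit fields the rule reads.

```python
# Constructed sample data: group names, app name and events are assumptions, not from the page.
WATCHED_GROUPS = {"gdap-modern-work", "gdap-azure"}  # hypothetical groups that govern access
APPROVED_APP = "temp-admin-powerapp"                 # hypothetical name of the one approved app
GROUP_CHANGES = {"Add member to group", "Remove member from group", "Update group", "Delete group"}

def props(event):
    """Collect modifiedProperties of every target as {name: value} (values are JSON-quoted)."""
    found = {}
    for target in event.get("targetResources", []):
        for p in target.get("modifiedProperties") or []:
            found[p["displayName"]] = (p.get("newValue") or p.get("oldValue") or "").strip('"')
    return found

def actor(event):
    """Return the app display name or user principal name that initiated the event."""
    by = event.get("initiatedBy") or {}
    if by.get("app"):
        return by["app"].get("displayName", "unknown-app")
    return (by.get("user") or {}).get("userPrincipalName", "unknown")

def critical_alerts(events):
    """Flag changes to watched groups, and Global Admin grants not made by the approved app."""
    alerts = []
    for ev in events:
        activity, p, who = ev["activityDisplayName"], props(ev), actor(ev)
        names = {t.get("displayName") for t in ev.get("targetResources", [])}
        names.add(p.get("Group.DisplayName"))
        if activity in GROUP_CHANGES and names & WATCHED_GROUPS:
            alerts.append((ev["activityDateTime"], who, "watched group changed"))
        elif (activity == "Add member to role" and who != APPROVED_APP
              and p.get("Role.DisplayName") == "Global Administrator"):
            alerts.append((ev["activityDateTime"], who, "Global Admin granted outside approved app"))
    return alerts

def event(time, activity, by, prop, value, target="user@customer.example"):
    """Build a trimmed, constructed audit record in the directoryAudit shape."""
    who = {"app": {"displayName": by}} if "@" not in by else {"user": {"userPrincipalName": by}}
    return {"activityDateTime": time, "activityDisplayName": activity, "initiatedBy": who,
            "targetResources": [{"displayName": target,
                                 "modifiedProperties": [{"displayName": prop, "newValue": f'"{value}"'}]}]}

SAMPLE = [
    event("2024-01-15T08:00:00Z", "Add member to group", "alice@msp.example", "Group.DisplayName", "gdap-azure"),
    event("2024-01-15T08:05:00Z", "Add member to role", APPROVED_APP, "Role.DisplayName", "Global Administrator"),
    event("2024-01-15T08:10:00Z", "Add member to role", "bob@msp.example", "Role.DisplayName", "Global Administrator"),
    event("2024-01-15T08:15:00Z", "Add member to group", "carol@msp.example", "Group.DisplayName", "marketing"),
]
```

Running `critical_alerts(SAMPLE)` flags the first and third events and stays silent on the grant made by the approved app and on the unrelated group.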
Is it possible to opt out of roles that we do not want Ironstone to have?
Yes, it is possible. However, if you do this, it will take longer to support requests that need one of the roles you have chosen to remove. To support you in such a case, we must first have you create a user internally and then give this user the correct roles before we can begin the work.
Which roles do the different teams have, and why?
Our Modern Work team, which owns the product "Dine Ansatte", has the following access:
Role | Justification for needing the role | Actions available to the role |
---|---|---|
Intune Admin | Services | Manage the mobile devices and apps that your organization uses. |
User Administrator | Services | Manage user accounts in Entra ID. Access to create, update and delete users, reset passwords, and manage user authentication details. |
Application Administrator | Services | Permissions to manage all aspects of app registrations, enterprise apps and service principals in Azure Entra ID. |
Authentication Administrator | Services | |
Authentication Policy Administrator | Services | |
Azure AD Joined Device Local Administrator | Services | |
Azure Information Protection Administrator | Services | |
Billing Administrator | Services | |
Cloud Application Administrator | Services. Note: It might be possible to remove this role in favor of the Application Administrator role, which is available to the team as well. | This role allows a user to perform many of the same functions as an Application Administrator. However, it does not grant access to Application Proxy settings. The role includes permissions for app registrations, single sign-on settings, user and group assignments and licensing, and consent. Importantly, users with this role are not added as owners when creating new application registrations or enterprise applications. |
Cloud Device Administrator | Services | |
Compliance Administrator | Services | |
Compliance Data Administrator | Services | |
Conditional Access Administrator | Services | |
Desktop Analytics Administrator | Services | |
Domain Name Administrator | Services | |
Edge Administrator | Services | |
Exchange Administrator | Services | |
External ID User Flow Administrator | Services | |
External Identity Provider Administrator | Services | |
Global Reader | Services | |
Groups Administrator | Services | |
Guest Inviter | Services | |
Helpdesk Administrator | Services | |
Hybrid Identity Administrator | Services | |
Identity Governance Administrator | Services | |
Insights Administrator | Services. Note: While other roles, such as Global Administrator or specific service administrators (like Exchange or Teams Administrator), may have access to some analytics and reporting features, the Insights Administrator role provides more focused and comprehensive access to analytics tools within Microsoft 365. | |
Intune Administrator | Services | |
Kaizala Administrator | Services | |
Knowledge Administrator | Services | |
License Administrator | Services | |
Lifecycle Workflows Administrator | Services | |
Microsoft Hardware Warranty Administrator | Services | |
Microsoft Hardware Warranty Specialist | Services | |
Network Administrator | Services | |
Office Apps Administrator | Services | |
Organizational Messages Writer | Services | |
Password Administrator | Services | |
Permissions Management Administrator | Services | |
Power BI Administrator | Services | |
Power Platform Administrator | Services | |
Printer Administrator | Services | |
Privileged Authentication Administrator | Services | |
Privileged Role Administrator | Services | |
Search Administrator | Services | |
Security Administrator | Services | |
Service Support Administrator | Services | |
SharePoint Administrator | Services | |
Skype for Business Administrator | Services | |
Teams Administrator | Services | |
User Administrator | Services | |
Virtual Visits Administrator | Services | |
Viva Goals Administrator | Services | |
Windows 365 Administrator | Services | |
Windows Update Deployment Administrator | Services | |
Yammer Administrator | Services | |
Owner on subscriptions | Services. Note: As of today (22/11-2023), there is no way to give granular access to these resources like you have with the new GDAP access functionality. It is possible Microsoft will develop something that resembles GDAP but for Azure Subscriptions in the future. | |
Our Azure team, which owns the product "Dine IT-systemer", has the following access:
Role | Justification for needing the role | Actions available to the role |
---|---|---|
User administrator | Services | |
Groups Administrator | Services | |
Application administrator | Services | |
Azure DevOps Administrator | Services | |
Global reader | Services | |
Privileged Authentication Administrator | Services | |
Service Support Administrator | Services | |
Owner on subscriptions | Services. Note: As of today (22/11-2023), there is no way to give granular access to these resources like you have with the new GDAP access functionality. It is possible Microsoft will develop something that resembles GDAP but for Azure Subscriptions in the future. | |
Our 1st line support team has the following access:
Role | Justification for needing the role | Actions available to the role |
---|---|---|
Intune Admin | Services | Manage the mobile devices and apps that your organization uses. |
Exchange Administrator | Services | |
Helpdesk Administrator | Services | |
Global Reader | Services. Note: This role gives us no access to edit any configurations. | |
License Administrator | Services | |
Authentication Administrator | Services | |
Service Support Administrator | Services | |
User Administrator | Services | |
Our product development department has the following access:
Role | Justification for needing the role | Actions available to the role |
---|---|---|
Global Reader | Services. Note: This role gives us no access to edit any configurations. | |