GDAP Permissions

Hvordan får Ironstone tilgang inn til kundene sine?

Ironstone bruker Granular Delegated Admin Privileges (GDAP) for å få tilgang inn til alle kunder. GDAP fungerer slik at vi forespør tillatelse fra kundene våre til å tildele et bestemt sett med Azure AD-roller som deretter er mulig å gi til Ironstone's brukere eller grupper gjennom Microsoft Partner Center. Deretter kan vi sette opp mer detaljerte tilganger, istedenfor å ha mer omfattende roller som Global Admin aktivert hele tiden. På denne måten kan vi for eksempel begrense tilgangen for vårt supportteam til kun de rollene de vanligvis trenger. Skulle det være behov for ytterligere tilganger for supportteamet, kan de tildeles den nødvendige rollen for en bestemt tidsperiode før tilgangen fjernes fra brukeren igjen.

Hvert team hos Ironstone har kun tilgang til et gitt antall roller, og det er ingen person som har tilgang til Global Admin-rollen.

Hvorfor krever dere GDAP?

Sikkerhetsansvar som Microsoft-partner
Som Microsoft-partner er vi forpliktet til å fungere som en forlengelse av Microsofts sikkerhetsteam. Hvis Microsoft oppdager en trussel, må vi handle umiddelbart – uansett tid på døgnet eller dag i året. Uten GDAP har vi ingen innsikt i miljøet deres, og kan derfor ikke beskytte det i tide. Dette setter både deres sikkerhet og vår partnerstatus i fare.
Vi bærer den økonomiske risikoen
Uten GDAP kan vi ikke overvåke endringer i kostnadsbildet. En plutselig økning – for eksempel som følge av feilkonfigurerte eller kompromitterte tjenester – kan få store konsekvenser for virksomheten deres. Hvis dere ikke kan betale fakturaen, er det vi som partner som står økonomisk ansvarlig overfor Microsoft.
Vi kan ikke yte support uten GDAP
Uten GDAP har vi ingen tilgang for å kunne hjelpe dere. Dere må da selv opprette en bruker og tildele riktige rettigheter før vi kan starte arbeidet – noe som fører til forsinkelser og økt nedetid.
Krav fra vår avtale med Microsoft
Vår partneravtale med Microsoft krever at vi sikrer at kunders miljøer følger Microsofts sikkerhets- og etterlevelsesstandarder. Uten GDAP kan vi ikke oppfylle dette kravet, noe som setter vår partnerstatus i fare – med store økonomiske konsekvenser.
Mer beskyttelse, uten ekstra kostnad
GDAP gir oss muligheten til å beskytte og støtte miljøet deres på en trygg og effektiv måte – helt uten ekstra kostnad for dere.
Inkludert i alle nye avtaler
Alle nye kundeavtaler krever GDAP. Vi kan ikke levere våre tjenester uten dette på plass.

Hvorfor tar dere så mange roller?

Å kunne ta flere mindre roller istedenfor færre og mer omfattende roller, som Global Admin, er å følge "Principle of Least Privilege". Alle Cloud Solution Partners (CSP:er) er pålagt å følge "Principle of Least Privilege" for å opprettholde avtalen med Microsoft.

Slik benevnes dette i CSP-avtalen:

“Company shall follow the "principle of least privilege" and obtain the minimum level of access necessary to perform requested Customer administrative tasks. Microsoft reserves the right to terminate or reduce Company’s administrative access privileges if Microsoft reasonably determines that Company is not actively managing Customer administrative tasks or has an unnecessary level of administrative permissions.”

Hvorfor trenger dere Global Admin rollen hvis ingen person har den?

Det er mange ting som ikke er mulig å gjøre uten Global Admin. Så hvis vi ikke har noen måte for å elevere oss til denne rollen så er det ikke mulig å yte support på alt som kommer inn fra kundene våre. Noen eksempler på hva som kun er mulig å gjøre hvis du har Global Admin er vedlagt under. Hvis du ønsker å lese mer så kan du gjøre det på Microsoft Doc her.

Creating B2C applications and configuring B2B external collaboration settings.
Configuring company branding and company properties.
Managing tasks related to pass-through authentication and seamless single sign-on (SSO).
Managing user settings for enterprise applications
Installation of Azure AD Connect and managing object synchronization with on-premises directories.
Managing security and compliance, including setting retention policies under Data Governance

Hvordan eleverer dere er til Global Admin hvis det ikke er noen brukere som blir gitt denne rollen?
Det er kun en PowerApp som har denne tilgangen hos oss. Løsningen brukes for å lage temporære brukere med Global Admin inne hos våre kunder. Løsningen sletter automatisk brukeren når tiden har gått ut. Alle som benytter løsningen må oppgi en grunn til at de trenger tilgangen slik vi enkelt kan finne hensikten hvis kunden ønsker mer innsikt.

Hvordan forsikrer dere er om at ingen tar Global Admin allikevel?
Vi overvåker gruppene som styrer dette i Azure AD. Hvis noen endrer på grupper eller oppsett så går en kritisk alarm til vår vakt som jobber 24/7 og 365 dager i året. Vakten har en svartid på 30 minutter. Vi sperrer deretter omgående brukerne og undersøker dette som en kritisk sikkerhetshendelse.

Kan dere beskrive hvordan dere får tilgang til kundenes systemer ved en supporthenvendelse som ikke krever Global Admin?

Når Ironstone mottar en supporthenvendelse, må konsulenten først aktivere tilgang til kundens miljø. For å gjøre dette, autentiserer konsulenten seg med MFA (Multi-Factor Authentication) før han eller hun velger hvilken kunde og hvilken type tilgang som trengs for å utføre oppgaven. På denne måten kan vi begrense tilgangen til en spesifikk kunde, i stedet for å ha tilgang til alle kunder samtidig. Tilgangen til kundens miljø er tidsbegrenset og fjernes deretter automatisk fra konsulentens brukerkonto.

Er det mulig å velge bort roller som vi ikke ønsker at Ironstone skal ha?
Ja det er mulig. Men hvis dere gjør dette vil det medføre at det tar lenger tid å supportere henvendelser som trenger en av de rollene som dere har valgt å fjerne. For å supportere dere i en slik hendelse så må vi først få dere til å lage en bruker internt og sen gi denne brukeren korrekt roller før vi kan påbegynne arbeidet. Det laveste nivået av roller vi må ha er følgende:

Global Reader – for å kunne se innstillinger som f.eks. MFA-status, som Microsoft pålegger oss å ha oversikt over.
Billing Reader – for å overvåke fakturagrunnlaget, som vi er økonomisk ansvarlige for ovenfor Microsoft.
[Valgfri, men anbefalt] Support Request Administrator – for å kunne opprette saker hos Microsoft på deres vegne og sikre at dere får utnyttet vår premium supportavtalen gjennom oss.

Hvilke roller har de forskjellige teamene og hvorfor?
Vårt Modern Work team som eier produktet "Dine Ansatte" har følgende tilganger:

Role	Justification for needing the role	Actions available to the role
Intune Admin	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For setting up and configuring Microsoft Intune, managing device compliance policies, deploying applications, and customizing Intune configurations to fit customer needs.	Manage the mobile devices and apps that your organization uses. Full control over Intune, including all aspects of device and application management. Create and enforce organization-wide compliance and conditional access policies. Perform remote actions (like lock, wipe, reset) on any enrolled device. Access and manage all reports and analytics for devices and applications. Complete management of telecom expenses and endpoint security policies.
User Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. The team needs to be able to edit users as this is a regular support request from our customers. Your Employees We go through sign-in logs, licenses and devices for users, as well as changing guest user settings.	Manage user accounts in Entra ID. Access to create, update, deleting users, resetting passwords, and managing user authentication details. Full management of user accounts, including creation, deletion, and all profile edits. Reset passwords for all users, including those with administrative roles. Assign and manage licenses and groups for all users. Full control over user role assignments and user sign-in activities. Manage all aspects of guest user accounts and settings.
Application Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. We occasionally support our customers with setting up or maintaining Azure Entra ID Enterprise Applications and app registrations that connects their applications to the cloud directory to support SSO and other functionality. Your Employees We make security changes for applications. Add-on: Backup/Printix We setup enterprise applications for 3rd party providers.	Permissions to manage all aspects of app registrations, enterprise app and service principals in Azure Entra ID. Full management of enterprise applications, including SaaS apps. Set up and manage single sign-on and application proxy configurations. Complete control over application permissions and API access. Access and manage all reports related to application performance and usage. Manage federated authentication for applications.
Authentication Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Gives us access to reset password and Multi-Factor Authentication (MFA). Necessary to administrate authentication methods for all users. Your Employees We use the authentication reports to get an understanding of the adoption of MFA in the company. We also use this role to make changes to the authentication methods available.	Reset passwords for users with administrative roles. Manage registration for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) for all users. Full control over all available authentication methods. Access to detailed authentication reports and logs. Manage emergency access accounts and FIDO2 security keys.
Authentication Policy Administrator	Services CSP - Support - Requirement in Microsoft CSP Agreement As a CSP we are underlying an agreement from Microsoft that makes us responsible to follow up on potential security threats that Microsoft finds. We as a CSP provider needs to start an investigation before 24 hours and present findings to Microsoft. Without this role we cannot do our work. Your Employees We need this to harden and maintain some of the authentication-based setting on an organizational level.	Create and modify all authentication policies organization-wide. Set up and manage conditional access policies with a focus on authentication rules. Administer Azure AD Identity Protection policies, including risk policies. Configure and manage password protection and smart lockout features. Control sign-in frequency and session management settings.
Azure AD Joined Device Local Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees This role is needed to be able to maintain all devices.	Local Device Administration: Full control over Azure AD joined devices for tasks like software installation and system settings changes. Manage Device Security Settings: Configure local device security settings, including firewall and antivirus. User Account Management on Device: Handle local user account creation, modification, and deletion. Device Updates and Maintenance: Manage system updates, drivers, and patches for the Azure AD joined device. Local Resource Access Control: Control access to device resources like file systems and applications. Troubleshoot and Resolve Local Issues: Address hardware or software issues specific to the device.
Azure Information Protection Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees Some of our customers have high licenses that grants them access to Azure Information Protection. Without this role we are not able to maintain or setup this functionality for our customers.	Manage and configure Azure Information Protection (AIP) labels and policies. Oversee the protection of documents and emails across Azure and Office 365 services. Monitor and analyze data classification and protection reports. Configure rules and conditions for automatic document classification and protection.
Billing Administrator	Services CSP - Requirement in Microsoft CSP Agreement As a CSP we sell Microsoft services (Azure, licenses, etc.) to our customers. This role makes it possible for us to see forecast cost on our customers, as well as creating budgets to make sure our customers doesn’t get any unforeseen spikes in their costs. As a CSP we have a responsibility to guard our customers from these spikes as they would hit us if our customers are unable to pay in the end. This is an upcoming requirement from Microsoft and we need this role to comply with the CSP agreement. Your IT-systems We need this to manage and monitor subscription costs and help our customers with following up on budgets.	Manage billing and subscription information, including payment methods and billing cycles. Analyze and report on billing data and cost management. Handle purchasing and renewing of services and subscriptions. Manage billing alerts and budget configurations.
Cloud Application Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Note: Might be possible to remove this role in favor of the Application Administrator role that is available for the team as well.	This role allows a user to perform many of the same functions as an Application Administrator. However, it does not grant access to Application Proxy settings. The role includes permissions for app registrations, single sign-on settings, user and group assignments and licensing, and consent. Importantly, users with this role are not added as owners when creating new application registrations or enterprise applications Manage and configure cloud applications, including settings specific to SaaS apps. Set up single sign-on (SSO) and configure application access policies. Manage application permissions and consent requests. Analyze application usage and performance metrics.
Cloud Device Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We need this to manage the cloud devices (Not on-premises)	Oversee and manage cloud-based devices, including their registration and compliance. Configure device policies specific to cloud environments. Monitor device health and security in a cloud context. Manage remote actions on cloud-registered devices.
Compliance Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For managing compliance settings and monitoring regulatory compliance within the environment. We setup and administrate Data Loss Protection (DLP) as a part of this service.	Create and manage compliance policies across Microsoft 365 services. Oversee data governance, including data retention and deletion policies. Manage and conduct compliance-related investigations and audits. Administer compliance solutions like eDiscovery and data loss prevention (DLP).
Compliance Data Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We need this role to setup and administrate data retention policies.	Focus on data-specific compliance tasks, particularly around data protection and privacy. Manage and enforce data retention policies and data subject requests (DSR). Oversee database compliance and security settings. Handle data protection impact assessments and compliance reporting related to data.
Conditional Access Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We setup and manage Conditional Access policies as a part of the product.	Create, edit, delete, and enable or disable Conditional Access policies. Configure the settings for Conditional Access, such as the named locations, trusted devices, and sign-in risk levels. Review the reports and logs for Conditional Access, such as the sign-ins report, the policy impact report, and the What If tool. Manage the access to Microsoft Azure Management, which requires multi-factor authentication by default.
Desktop Analytics Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. We need this when preparing for Windows updates to devices.	Manage and configure Desktop Analytics settings and data analysis.
Domain Name Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We setup and monitor domains connected to the customers.	Manage domain names within Azure AD, including adding and verifying domains.
Edge Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees Management of the Edge browser for your clients.	Configure and manage Microsoft Edge policies and settings organization-wide.
Exchange Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We help setting up and management of Exchange as a part of this service.	Manage and configure Exchange Online settings, mailboxes, and email policies.
External ID User Flow Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Create and manage user flows for external identities in Azure AD.
External Identity Provider Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Configure and manage external identity providers in Azure AD.
Global Reader	Services CSP - Support This role is necessary for support to have read access to almost everything in customers tenant. To be able to help our customers, we need to have access to the necessary information to assist our customers. Your Employees We need this role to be able to see everything. Without it it is very hard to get the whole picture when designing, managing, or supporting a customer.	View all settings and configurations across Azure AD and Microsoft 365 services without edit permissions.
Groups Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. To be able to manage groups, add/remove members and settings in customer tenant. Your Employees We setup and manage a set of groups in our customers environments.	Manage group settings, including creation, deletion, and membership of groups.
Guest Inviter	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Invite and manage external guest users in Azure AD.
Helpdesk Administrator	Services CSP - Support Assist with user password resets and basic troubleshooting without full admin rights. Allows us to address customer inquiries promptly, resolve issues effectively, and ensure a seamless user experience.	Manage user authentication methods, reset passwords and manage user licenses in Azure AD. Assist with user password resets and basic troubleshooting without full admin rights.
Hybrid Identity Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Manage and configure hybrid identity solutions, including Azure AD Connect.
Identity Governance Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For managing identity governance aspects like ensuring proper lifecycle management of user identities and access rights, conducting access reviews, and implementing privileged identity management.	Oversee identity governance policies and settings.
Insights Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees Getting analytics connected to M365 products and services. Note: While other roles, such as Global Administrator or specific service administrators (like Exchange or Teams Administrator), may have access to some analytics and reporting features, the Insights Administrator role provides more focused and comprehensive access to analytics tools within Microsoft 365.	Manage and configure insights and analytics tools in Microsoft 365.
Intune Administrator	Services CSP - Support Necessary to be able to manage devices on behalf of customer organization. Your Employees We manage all devices for our customers with this product and this role is required for configuring and managing Microsoft Intune, including device compliance policies and application deployments.	Manage and configure Intune for device and application management.
Kaizala Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Administer Microsoft Kaizala settings and policies.
Knowledge Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Manage knowledge management settings and policies in Microsoft 365.
License Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Customers orders licenses frequently. To be able to manage and delegate these licenses to users and groups, license admin is necessary. Your Employees We need this role to get insights into, and to be able to change licensing models to optimize use of our product.	Manage licenses for Microsoft Services. Assign, remove and view available licenses and their status.
Lifecycle Workflows Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Manage lifecycle workflows in Microsoft 365.
Microsoft Hardware Warranty Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Oversee and manage Microsoft hardware warranties.
Microsoft Hardware Warranty Specialist	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Specialize in managing specific aspects of Microsoft hardware warranties.
Network Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Manage and configure network-related settings and policies.
Office Apps Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees This role allows for the management and configuration of Office 365 apps like Word, Excel, PowerPoint, and others, which are a part of the setup of the service.	Administer Office apps deployment and configuration.
Organizational Messages Writer	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Create and manage organizational messages and announcements.
Password Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We make hardening changes to the password policies together with the customer.	Reset passwords and manage password policies.
Permissions Management Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees This is for example used to setup regulatory settings for external sharing and guest user access, as well as settings connected to sharing in collaboration services (SharePoint and OneDrive).	Manage and configure permissions across Microsoft 365 services.
Power BI Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We make harden changes to the service and maintain its security settings as a part of setting up the product.	Administer Power BI settings, including configuration and report management.
Power Platform Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We make harden changes to the service and maintain its security settings as a part of setting up the product.	Manage Power Platform environments and policies.
Printer Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Add-on: Print Allows for centralized management and configuration of printing services.	Configure and manage printer settings and policies.
Privileged Authentication Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Gives us access to reset password and Multi-Factor Authentication (MFA). Necessary to administrate authentication methods for all users. Includes managing authentication methods for admin users. Your IT-Systems and Your Employees As a service provider, the Privileged Authentication Administrator role is key to managing and securing authentication methods, especially for privileged accounts in customer environments. This role allows us to enforce robust security protocols and maintain compliance with authentication practices. We use this role to set hardening rules to authentication settings and policies.	Access to manage authentication methods for any user, including administrators, in Entra ID. Manage privileged authentication settings and policies.
Privileged Role Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For managing role assignments in Azure AD, without the broader permissions of the Global Administrator. This role can manage all aspects of Azure AD roles and assignments.	Assign any other role in Entra ID, except the Global Administrator role. This role can also manage the settings for Privileged Identity Management (PIM). Administer assignments and settings for privileged roles.
Search Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Configure and manage search settings and policies.
Security Administrator	Services CSP - Support As a CSP we are underlying an agreement from Microsoft that makes us responsible to follow up on potential security threats that Microsoft finds. We as a CSP provider needs to start an investigation before 24 hours and present findings to Microsoft. Without this role we cannot comply with the agreement. Your Employees To manage security features like Microsoft Defender, configure security policies, and monitor security events.	Create and manage all security-related policies across Azure and Microsoft 365. Configure and manage advanced threat protection settings. Full management of security alerts and access to all security reports and audits. Manage roles and groups specific to security tasks. Full control over Identity Protection management and access review processes.
Service Support Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. This role gives the team the necessary rights to create and manage support requests for customer tenant. Your Employees This role ensures prompt issue resolution, minimizing disruptions and maintaining uninterrupted services for our customers. The administrator's expertise is crucial for delivering a seamless, customer-centric support experience	Provide support for service-related issues with limited admin rights.
SharePoint Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For managing SharePoint and OneDrive settings, including file sharing permissions and site creation.	Manage SharePoint Online settings and configurations.
Skype for Business Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Administer Skype for Business settings and policies.
Teams Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees To manage Microsoft Teams configurations, guest access, and custom application installations.	Configure and manage Microsoft Teams settings and policies.
User Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees To get an overview over authentication security, user that have never logged in, optimization of licenses, helping the customers with setting up admin accounts, etc.	Manage user accounts and settings, including administrative roles.
Virtual Visits Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Oversee virtual visits settings and configurations in healthcare settings.
Viva Goals Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Manage settings and configurations for Viva Goals.
Windows 365 Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Administer Windows 365 settings and cloud PC configurations.
Windows Update Deployment Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We need this to get full access to Windows Update in your organization. There a some overlaps between other roles like Security Administrator and Compliance Administrator, but this role gives you more access.	Manage and deploy Windows updates organization-wide.
Yammer Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role.	Configure and manage Yammer network settings and policies.
Owner on subscriptions	Services CSP - Support This access gives Ironstone Owner access to all the customer Azure Subscriptions and therefore also all resources in them. We need this in order to help with anything connected to Azure operations. Your IT-Systems The Owner role on an Azure Subscription is fundamental for us as a service provider to have complete management and control over customer resources. This role enables strategic decision-making, resource allocation, and compliance management, ensuring that we can fully support our customers’ needs and maintain the integrity of their Azure environments. Note: Today (22/11-2023) it is no way to give granular access to these resources like you have with the new GDAP access functionality. It is possible Microsoft will develop something that resembles GDAP but for Azure Subscriptions in the future.	Help with support requests, incidents or other events isn Azure

Vårt Azure-team som eier produktet "Dine IT-systemer" har følgende tilganger:

Role	Justification for needing the role	Actions available to the role
User administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. The team needs to be able to edit users as this is a regular support request from our customers. Your IT-Systems As a service provider, we require the User Administrator role to efficiently manage user accounts, ensuring secure and compliant access to Azure services for our customers. This role is essential for maintaining user lifecycle management, security protocols, and administrative role assignments, contributing to the overall integrity and efficiency of customer environments.	Manage user accounts across customers Microsoft environment. Manage user accounts and settings, including administrative roles. Access to create, update, deleting users, resetting passwords, and managing user authentication details.
Groups Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. To be able to manage groups, add/remove members and settings in customer tenant. Your IT-Systems The Groups Administrator role is necessary for managing Azure group settings and memberships. This role allows us to structure user access in a customer’s environment efficiently, enhancing security and collaboration by ensuring proper grouping according to project, role, or department needs.	Manage group settings, including creation, deletion, and membership of groups.
Application administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. We occasionally support our customers with setting up or maintaining Azure Entra ID Enterprise Applications and app registrations that connects their applications to the cloud directory to support SSO and other functionality. Your IT-Systems The Application Administrator role is vital for managing and securing a range of enterprise applications, including SaaS apps, within our customer environments. This role enables us to manage single sign-on configurations, control application permissions, and oversee application performance, ensuring optimized and secure application usage for our customers.	Full management of enterprise applications, app registrations, service principals including SaaS apps. Set up and manage single sign-on and application proxy configurations. Complete control over application permissions and API access. Access and manage all reports related to application performance and usage. Manage federated authentication for applications.
Azure DevOps Administrator	Services CSP - Support Needs this role to assist customer inquiries for administrating organizations, projects, teams, users and access levels in DevOps. Your IT-Systems Our role as an Azure DevOps Administrator is crucial for configuring and managing Azure DevOps Services and Server. This enables us to effectively set up and maintain organizations, projects, and teams for our customers, ensuring secure and efficient DevOps processes and workflows.	Access to to manage and configure various aspects of Azure DevOps Services and Azure DevOps Server. Creating and managing organizations, projects, teams, users, access levels, permissions, security groups, service hooks, extensions and more.
Global reader	Services CSP - Support This role is necessary for support to have read access to almost everything in customers tenant. To be able to help our customers, we need to have access to the necessary information to assist our customers. Your IT-Systems The Global Reader role is essential for maintaining oversight and compliance within customer environments. This role allows us to view all settings and configurations across Azure AD and Microsoft 365 services, enabling us to monitor and audit without altering configurations, thus supporting informed decision-making and administrative tasks.	View all settings and configurations across Azure AD and Microsoft 365 services without edit permissions.
Privileged Authentication Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Gives us access to reset password and Multi-Factor Authentication (MFA). Necessary to administrate authentication methods for all users. Includes managing authentication methods for admin users. Your IT-Systems and Your Employees As a service provider, the Privileged Authentication Administrator role is key to managing and securing authentication methods, especially for privileged accounts in customer environments. This role allows us to enforce robust security protocols and maintain compliance with authentication practices. We use this role to set hardening rules to authentication settings and policies.	Access to manage authentication methods for any user, including administrators Manage privileged authentication settings and policies.
Service Support Administrator	Services CSP - Support This role gives support the necessary rights to create and manage support requests on behalf of a customers tenant. This is necessary for us as we sometimes need to escalate to Microsoft in order to solve occuring problems. Your IT-Systems The Service Support Administrator role is critical for providing operational support within customer environments. This role allows us to manage support requests and address service-related issues efficiently, ensuring minimal service disruption and maintaining operational continuity for our customers.	Allows to create and manage support requests for your organization. Provide support for service-related issues with limited admin rights.
Owner on subscriptions	Services CSP - Support This access gives Ironstone Owner access to all the customer Azure Subscriptions and therefore also all resources in them. We need this in order to help with anything connected to Azure operations. Your IT-Systems The Owner role on an Azure Subscription is fundamental for us as a service provider to have complete management and control over customer resources. This role enables strategic decision-making, resource allocation, and compliance management, ensuring that we can fully support our customers’ needs and maintain the integrity of their Azure environments. Note: Today (22/11-2023) it is no way to give granular access to these resources like you have with the new GDAP access functionality. It is possible Microsoft will develop something that resembles GDAP but for Azure Subscriptions in the future.	Full management and control over all resources in the subscription. Configure services and manage resource deployment. Handle subscription billing and cost management. Set up and manage access controls using RBAC. Delegate responsibilities and permissions to other users or groups as needed.

Vår 1st line support-team har følgende tilganger:

I tillegg til de følgende tilgangene har 1st line support mulighet til å midlertidig elevere seg til Azure- eller Modern Work-teamets tilganger for en spesifikk kunde, med en maksimal varighet på 24 timer, for å utføre mer sjeldne tekniske oppgaver.

Role	Justification for needing the role	Actions available to the role
Intune Admin	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees For setting up and configuring Microsoft Intune, managing device compliance policies, deploying applications, and customizing Intune configurations to fit customer needs.	Manage the mobile devices and apps that your organization uses. Full control over Intune, including all aspects of device and application management. Create and enforce organization-wide compliance and conditional access policies. Perform remote actions (like lock, wipe, reset) on any enrolled device. Access and manage all reports and analytics for devices and applications. Complete management of telecom expenses and endpoint security policies.
Exchange Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Your Employees We help setting up and management of Exchange as a part of this service.	Manage and configure Exchange Online settings, mailboxes, and email policies.
Helpdesk Administrator	Services CSP - Support Assist with user password resets and basic troubleshooting without full admin rights. Allows us to address customer inquiries promptly, resolve issues effectively, and ensure a seamless user experience.	Manage user authentication methods, reset passwords and manage user licenses in Azure AD. Assist with user password resets and basic troubleshooting without full admin rights.
Global Reader	Services CSP - Support This role is necessary for support to have read access to almost everything in customers tenant. To be able to help our customers, we need to have access to the necessary information to assist our customers. Note: This role gives us no access to edit any configurations.	View all settings and configurations across Azure AD and Microsoft 365 services without edit permissions.
License Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Customers orders licenses frequently. To be able to manage and delegate these licenses to users and groups, license admin is necessary.	Manage and assign licenses for Microsoft services. Assign, remove and view available licenses and their status.
Authentication Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. Gives us access to reset password and Multi-Factor Authentication (MFA). Necessary to administrate authentication methods for all users.	Reset passwords for users with administrative roles. Manage registration for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) for all users. Full control over all available authentication methods. Access to detailed authentication reports and logs. Manage emergency access accounts and FIDO2 security keys.
Service Support Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. This role gives the team the necessary rights to create and manage support requests for customer tenant.	Provide support for service-related issues with limited admin rights. Allows to create and manage support requests for your tenant.
User Administrator	Services CSP - Support We need this role to be able to support the customer with the actions available to this specific role. The team needs to be able to edit users as this is a regular support request from our customers.	Manage user accounts and settings, including administrative roles. Access to create, update, deleting users, resetting passwords, and managing user authentication details.

Vår produktutviklingsavdeling har følgende tilganger:

Role	Justification for needing the role	Actions available to the role
Global Reader	Services CSP - Support This role is necessary for support to have read access to almost everything in customers tenant. To be able to help our customers, we need to have access to the necessary information to assist our customers. Note: This role gives us no access to edit any configurations.	View all settings and configurations across Azure AD and Microsoft 365 services without edit permissions.

Role

Justification for needing the role

Actions available to the role

Global Reader

Services

CSP - Support
- This role is necessary for support to have read access to almost everything in customers tenant. To be able to help our customers, we need to have access to the necessary information to assist our customers.

Note: This role gives us no access to edit any configurations.

View all settings and configurations across Azure AD and Microsoft 365 services without edit permissions.

Tilgangstyring inn mot kunder