Wednesday, April 20, 2022

Microsoft Purview- Paint By Numbers Series (Part 0a) - Permissions

paint_by_numbers_splash_picture.jpg

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

This Permissions section of this blog series is aimed at Security and Compliance officers who are looking to understand what permissions are needed to run the Compliance center workloads, and specifically run the workloads detailed in this blog series.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Purview through.

We will walk through adding Purview-related permissions. Here are the permissions that you will need:

  • Compliance Administrator
  • eDiscovery Manager
  • Content Explorer Content Explorer

 

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Sensitivity Labeling
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

 

Overview of Document

  1. We will add Compliance Permissions to an individual user in our tenant

 

 

Use Case

  • N/A

 

 

Definitions

  • N/A

 

Notes

  • For production environments, it is recommended you work with Microsoft or a Microsoft Partner to refine the permission you will be using for Purview
  • The permissions used in this document and blog series are meant to give broad control over your Purview components so that you can successfully run the configurations and tests in this blog series.

 

 

Requirements

  • You have a test account to run the activities in this blog series.
  • You have access to the compliance portal for your tenant (compliance.microsoft.com)

 

Pre-requisites

  • You must have access to the compliance portal for your tenant (compliance.microsoft.com)
  • You must have a Global Admin to be able to enable the permissions for your test user.

 

Microsoft and Zero Trust

For Microsoft, Zero Trust is not a tool or solution.  It is a mindset and a process. Here are the 3 principles of the Microsoft Zero Trust approach to security.

 

 

James_Havens_0-1650479562092.png

 

 

 

For more information about the Microsoft approach to Zero Trust, please look at the links in the Appendix and Links section below.

 

 

 

Enable Permissions

We will walk through adding Purview-related permissions. Here are the permissions that you will need perform the activities in this blog series:

  • Compliance Administrator – Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.
  • eDiscovery Manager – Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery.
  • Content Explorer Content Viewer – View the contents files in Content explorer.

 

 

 

 

 

  1. Go to compliance.microsoft.com with your administrator account.

 

  1. Click on Permissions in the left-hand side.

 

James_Havens_1-1650479562094.png

 

 

  1. On the right-hand panel, click on View and Manage used to perform solution-specific tasks in the compliance center – Roles.

 

 

James_Havens_2-1650479562099.png

 

 

 

Compliance Administrator

 

  1. In the search field on the right, type “compliance” and then click the search button

 

 

James_Havens_3-1650479562117.png

 

 

  1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

 

James_Havens_4-1650479562118.png

 

 

  1. Click Choose Members and select the Edit option.

 

James_Havens_5-1650479562119.png

 

 

  1. Click Add

 

James_Havens_6-1650479562119.png

 

 

  1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

 

James_Havens_7-1650479562122.png

 

 

  1. Click Done

 

 

 

 

eDiscovery Administrator

 

  1. In the search field on the right, type “ediscovery” and then click the search button

 

James_Havens_8-1650479562125.png

 

 

  1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

 

James_Havens_9-1650479562126.png

 

 

  1. Click Choose Members and select the Edit option.

 

James_Havens_10-1650479562127.png

 

 

  1. Click Add

 

James_Havens_11-1650479562128.png

 

 

  1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

 

James_Havens_12-1650479562130.png

 

 

  1. Click Done

 

 

Content Explorer Content Viewer

 

  1. In the search field on the right, type “content” and then click the search button

 

James_Havens_13-1650479562137.png

 

 

  1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

 

James_Havens_14-1650479562138.png

 

 

  1. Click Choose Members and select the Edit option.

 

James_Havens_15-1650479562138.png

 

 

  1. Click Add

 

James_Havens_16-1650479562139.png

 

 

  1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

 

James_Havens_17-1650479562142.png

 

 

  1. Click Done

 

 

Appendix and Links

 

Zero Trust Model - Modern Security Architecture | Microsoft Security

 

Comprehensive Security for Business | Microsoft Security

 

Implementing a Zero Trust security model at Microsoft

 

Conditional Access for Zero Trust - Azure Architecture Center | Microsoft Docs

Conditional Acces s design principles and dependencies - Azure Architecture Center | Microsoft Docs

 

Learn about data classification - Microsoft Purview | Microsoft Docs

 

Get started with content explorer - Microsoft Purview | Microsoft Docs

 

Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs

 

Assign eDiscovery permissions in the Microsoft Purview compliance portal - Microsoft Purview | Microsoft Docs

 

Permissions - Security & Compliance Center - Office 365 | Microsoft Docs

 

Permissions in the Microsoft Purview compliance portal - Microsoft Purview | Microsoft Docs

 

 

Posted at https://sl.advdat.com/3jUPCsThttps://sl.advdat.com/3jUPCsT