The Security and Compliance Center is a central piece of the security story within Microsoft’s Office 365 cloud solution. Like previous workloads and products from Microsoft, the Security and Compliance Center (SCC) relies on RBAC to parcel out security within this workload. Some of the roles are easy to find, and it is clear what they do. One of them is a bit obtuse: it is confusing both how to reveal who holds it and how to assign it. Let me explain by reviewing a connection to the SCC for a test tenant.
RBAC Role Groups
Role Groups are essentially, as the name implies, groupings of roles within the SCC. Each group is a ‘natural’ grouping, per Microsoft, of how things should be split within this workload. This is how they are seen with PowerShell:
Each has its place and its defined roles. What is missing, however, is a role called the eDiscoveryAdmin. This role is confusing because it can be conflated with the eDiscoveryManager role group. Why is that? First, let’s explain what this role group is for. From Microsoft:
“eDiscovery Administrators – An eDiscovery Administrator is a member of the eDiscovery Manager role group, and can perform the same Content Search and case management-related tasks that an eDiscovery Manager can perform. Additionally, an eDiscovery Administrator can:
Access all cases that are listed on the eDiscovery cases page in the Security & Compliance Center. Access case data in Advanced eDiscovery for any case in the organization. Manage any eDiscovery case after they add themself as a member of the case.”
One notable issue is that when a user is added to the eDiscovery Admin group, they are also effectively part of the eDiscovery Managers group. So if we were to review only the Role Group cmdlets, we would know just half the story for a user in the Admin group: they would show up in the manager group, but their membership in the other group would not be revealed. So how do we manage this special group?
PowerShell
[sourcecode language="powershell"]
Get-Command *CaseAdmin
[/sourcecode]
Simple enough. Add allows you to add another eDiscovery Case Admin, Get displays who is currently in the group, and Remove removes one user from the group. Update is a bit strange, but the intent is to let you replace an eDiscoveryCaseAdmin with another user instead of just adding another to the list.
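To close the visibility gap described above, the following added example (not code from the original post) compares the role group membership with the eDiscovery Case Admin list so that every account with organization-wide case access is visible in one report. The function name `Get-eDiscoveryAccessReport` is hypothetical, and matching the two outputs on a `Name` property is an assumption; an existing Security & Compliance PowerShell session is required.

```powershell
# Added example, not from the original post. Requires an existing
# Security & Compliance PowerShell session (Connect-IPPSSession).
function Get-eDiscoveryAccessReport {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Role group name as used on this page.
        [string]$RoleGroup = 'eDiscoveryManager',
        # Assumption: both cmdlets return objects with a comparable Name property.
        [string]$MatchProperty = 'Name'
    )

    # What the role group cmdlets show: admins appear here as ordinary members.
    $managers = @(Get-RoleGroupMember -Identity $RoleGroup |
        ForEach-Object { [string]$_.$MatchProperty })

    # What only the *CaseAdmin cmdlets show: the eDiscovery Administrator list.
    $admins = @(Get-eDiscoveryCaseAdmin |
        ForEach-Object { [string]$_.$MatchProperty })

    # Report every identity seen in either list, with its effective access.
    foreach ($name in (@($managers) + @($admins) | Sort-Object -Unique)) {
        $isAdmin = $admins -contains $name
        $scope = 'Own cases only'
        if ($isAdmin) { $scope = 'All cases in the organization' }

        [pscustomobject]@{
            Name           = $name
            InRoleGroup    = ($managers -contains $name)
            IsCaseAdmin    = $isAdmin
            EffectiveScope = $scope
        }
    }
}

# Review the admins first: these accounts can reach cases they do not own.
Get-eDiscoveryAccessReport |
    Sort-Object IsCaseAdmin -Descending |
    Format-Table -AutoSize
```

Running the report on a schedule and comparing it with the previous output shows when an account has been added to the Case Admin list without a matching change request.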
Important Aspects
One of the important aspects is that this role allows your account access to cases defined in the SCC that are not yours. So even if you were a Global Admin (GA) and had the eDiscoveryManager role assigned, you would not be able to open all cases. This role allows you to do so. Because of this stretch of rights, the eDiscoveryCaseAdmin role should be assigned as needed.