by Contributed | Jan 11, 2024 | Technology
This article is contributed. See the original author and article here.
As we ring in the start of 2024, we’re gearing up to showcase a host of new innovations across Microsoft Teams at the annual National Retail Federation (NRF) conference, taking place January 14th – January 16th in New York City.
We’re announcing new solutions designed to enable store teams to efficiently meet customers’ expectations and improve the retail experience in this new era of AI.
Keep reading below for the latest product and feature capabilities coming to Teams to help simplify operations and enable first-class retail experiences for all retail workers – including the frontline.
Enhanced Store Team Communication and Collaboration
Route announcements to frontline teams by location, department, and role
Target important announcements to the right frontline employees based on location, department, and job role information. Targeted announcements will surface on the Teams home experience so your frontline employees will never miss an important communication. This feature will be generally available in March 2024. Learn more.

Boost frontline teamwork with auto-generated role and department tagging
Reach the right person at the right time with automatic tags for your frontline teams. Tags for department and job roles can be configured and created automatically for your frontline workers in the Teams Admin Center. Frontline employees can leverage these automatic tags in their frontline teams to connect with the right person every time. This feature will be in public preview in February 2024. Learn more.
Bring answers to communities for easier information sharing
In Viva Engage in Teams, answers from Q&A conversations will now be available in communities, better enabling frontline workers to easily source needed information. This feature will be generally available January 2024.

Monitor how employee engagement drives business performance
Also coming to Viva Engage in Teams, network analytics will bring AI-powered theme extraction and employee retention metrics to users to help enhance insights into workforce dynamics and help drive informed decision making. This feature will be generally available in February 2024. Learn more.

Automatically hear push-to-talk transmissions from multiple channels
Frontline workers using Walkie Talkie in Teams now have the option to automatically hear incoming transmissions from any of their pinned favorite Teams channels. With this new feature, users can stay better connected to multiple channels without needing to switch channels manually. This feature will be generally available by end of month. Learn more on how to get started.

Use any generic wired (USB-C and 3.5mm) headset for instant team communication on Android
Frontline workers often need to communicate with each other instantly, even when their phones are locked. We integrated Walkie Talkie in Teams with audio accessory partners to make this possible through the dedicated push-to-talk (PTT) button on headsets, which instantly brings up Walkie Talkie for clear and secure voice communication. In addition to select specialized headsets, we are excited to announce that Walkie Talkie in Teams will now work with any generic wired (USB-C and 3.5mm) headset on Android.
As long as the generic headset has a play/pause button or a control to accept/decline calls, frontline workers can tap that button to start and stop transmissions on Walkie Talkie. Frontline organizations will be able to start using Walkie Talkie with these lower-cost generic headsets. This feature will be generally available starting February 2024. Learn more.
Streamline Retail Store Operations
Allow frontline teams to set their shift availability for specific dates
Frontline workers will now have the flexibility to set their availability preferences on specific dates, enhancing their ability to manage unique scheduling needs. This added feature complements existing options for recurring weekly availability. This feature is available in January 2024. To learn more about recent enhancements to Shifts in Teams, read the latest blog – Discover the latest enhancements in Microsoft Shifts.

Easily deploy shifts at scale for your frontline
Teams admins can now standardize Shifts settings across all frontline teams and manage them centrally by deploying Shifts to frontline teams at scale in the Teams admin center. You can select which capabilities to turn on or off (for example, showing open shifts, swap shift requests, offer shift requests, time off requests, and time clock).
Admins can also identify schedule owners and create scheduling groups and time-off reasons at the tenant level, so they are set uniformly across all frontline teams. Your frontline managers can start using Shifts straight out of the box with minimal setup required. This feature is currently in public preview and will be generally available in March 2024. Learn more.

Streamline Teams deployment for your frontline and manage at scale
Whether due to seasonality or the natural turnover seen on the frontline in retail, simplifying user membership is key to easing management needs. Now generally available, Microsoft has added new capabilities in the Teams Admin Center to deploy frontline dynamic teams at scale for your entire frontline workforce. Through the power of dynamic teams, team membership is automatically managed and always up to date with the right users as people enter, move within, or leave the organization using dynamic groups from Entra ID.
This deployment tool streamlines the admin experience: it creates a Teams structure that maps the frontline workforce's real-world organization into the digital world and makes it easy to set up a consistent channel structure for strong frontline collaboration on day one. Available in February, customers can use custom user attributes in Entra ID to define frontline and location attributes, with additional enhancements that make it easier to assign team owners by adding a people picker to the setup wizard.

Map your operational hierarchy to frontline teams
Admins will be able to set up their frontline operational hierarchy to map their organization’s structure of frontline locations and teams to a hierarchy in the Teams Admin Center. Admins can also define attributes for their teams that range from department information to brand information. The operational hierarchy coupled with this added metadata will enable frontline apps and experiences in the future like task publishing. This feature will be in public preview in January 2024. Learn more.

Leverage generative AI to streamline in-store shift management
Store managers can also identify items such as open shifts, time off, and existing shifts with a new Shifts plug-in for Microsoft 365 Copilot. Microsoft 365 Copilot can now ground prompts and retrieve insights for frontline managers leveraging data from the Shifts app in addition to user and company data it has access to such as Teams chat history, SharePoint, emails, and more.

Automate and simplify corporate to store task publishing
With task publishing, you can now create a list of tasks and schedule them to be automatically published to your frontline teams on a regular cadence, such as every month on the 15th. Once you publish a list, the task publishing feature will handle the scheduling and ensure that the list is published at the desired cadence. This feature is useful for tasks that need to be done regularly, such as store opening and closing processes or conducting periodic inspections and compliance checks. This feature will be generally available in March 2024.

Publish a task that everyone in the team must complete
This new capability provides the option to create a task that every member of the recipient team must complete. Organizations can assign tasks like complete training or review a new policy to all or a specific set of frontline workers. The task will be created for each worker at the designated location. This feature will become generally available in March 2024.
Require additional completion requirements for submitting tasks
When you create a task within the task publishing feature, you have the option to request a form and/or photo completion. When you publish that task, each recipient team will be unable to mark the task complete until the form is submitted by a member of the team. This ensures that the task is completed properly by each team member.

Additionally, with approval completion requirements, organizations can hold frontline managers and their teams accountable for verifying the work was done to standard before reflecting that work as completed. This allows an organization to increase attention to detail and accountability for important tasks. These features will become generally available in March 2024.

Secure and Manage your Business
Simplify authentication with domain-less sign-in
Since a single device is often shared among multiple frontline workers, they need to sign in and out multiple times a day throughout a shift or across shifts. Typing out long user names with a domain is prone to mistakes and can be time consuming. With domain-less sign-in, frontline workers can now sign in to Teams more quickly using only the first part of their username (i.e., without the domain), then enter their password to access Teams on shared and corporate-managed devices. For example, if the username is 123456@microsoft.com or alland@microsoft.com, users can now sign in with only “123456” or “alland”, respectively.

We’re excited to share more updates and new features throughout the calendar year. To learn more about how Microsoft Teams empowers frontline workers, please visit our webpage.
by Contributed | Jan 11, 2024 | Business, Microsoft 365, Technology, Walkie Talkie
In the race to deliver engaging in-store experiences, Microsoft is uniquely positioned to equip retailers with the tech they need to transform their store team’s workdays. At the National Retail Federation (NRF) 2024, we are announcing new solutions designed to enable store teams to efficiently meet customers’ expectations and improve the retail experience in this new era of AI.
The post Level up your retail workforce with smart, simple solutions from Microsoft Teams appeared first on Microsoft 365 Blog.
by Contributed | Jan 10, 2024 | Technology
One of the common adoption blockers we have heard from our partners is that they cannot standardize their security and management practices on Microsoft 365 Lighthouse because they cannot manage all their customers using it. This has made it challenging to standardize procedures such as resetting passwords, identifying risky users, or simply navigating a customer admin portal with delegated access. While we made it simple to search and discover users across the SMB customers you were managing in Microsoft 365 Lighthouse, you still needed a second process for the customers you were not managing in Microsoft 365 Lighthouse. This was primarily due to the requirement for Microsoft 365 Business Premium. While we have expanded support over the past couple of years to a limited set of additional subscriptions, it was still limited to subscriptions that offered premium security value, preventing you from having a single solution.
Today, we expand support for all your commercial and educational SMB customers. This enables you as a partner to create standardized processes for managing all your SMB customers in Lighthouse. Here are a few of the scenarios you can do now with all your Microsoft 365 SMB customers using Lighthouse:
Screenshot of Microsoft 365 Lighthouse showing how to search for a user and view the user’s details.
- Gain visibility into any Microsoft 365 incidents or advisories affecting your customers with a multi-tenant Service health dashboard.
Screenshot of Microsoft 365 Lighthouse Service Health page.
One of the challenges of managing multiple customers is that you often need to use different admin portals, such as the Microsoft 365 admin center, the Azure portal, Microsoft Intune, or Exchange, to name a few. Lighthouse lets you quickly and securely access other Microsoft admin portals for each of your SMB customers in the context of your partner tenant credentials using GDAP. Lighthouse users can leverage our security and management scenarios and seamlessly jump to another Microsoft admin portal when necessary.
Learn more: Manage your customers with Microsoft 365 Lighthouse
Screenshot of Microsoft 365 Lighthouse showing how to navigate into a customer’s Microsoft Entra admin portal.
We are just getting started and will continue to expand on the capabilities we offer to manage the breadth of customers you have in the coming months. So, check back often to learn what is new with Lighthouse.
Not able to manage a customer in Lighthouse?
Here are cases where you will still find that a customer has limited management capabilities in Lighthouse and how you can change it.
- By far, the most common cause of a customer being “Limited” is that the customer tenant no longer has any active subscriptions and is no longer in use. If this is the case, the recommendation is to remove the reseller relationship and the GDAP relationships (Partner-led termination of a granular admin relationship – Partner Center | Microsoft Learn). It is a best practice to remove relationships that are no longer needed to reduce unnecessary exposure to your organization.
- The second most common cause of a customer being “Limited” is that delegated permissions (GDAP) have not been set up. You can use the GDAP setup wizard within Lighthouse to resolve this (Set up GDAP for your customers in Microsoft 365 Lighthouse – Microsoft 365 Lighthouse | Microsoft Learn).
- The customer tenant is in the Government Cloud. Unfortunately, we cannot support the management of this customer in Microsoft 365 Lighthouse.
- The customer is not an SMB and has more than 2,500 licensed users.
- You are not in the same geographic area as the customer. If you have customers in a different geographic area, you can set up Lighthouse in that region to manage them.
- Lastly, some cases exist where tenants are used for Azure and not Microsoft 365. In that case, we recommend you check out Azure Lighthouse: What is Azure Lighthouse? – Azure Lighthouse | Microsoft Learn
To know why a specific customer is limited, click the Tenants link in the left navigation within Lighthouse and then click the “Limited” link to bring up details on why that customer is not fully managed in Lighthouse:
Tenant list showing Contoso as “Limited” because delegated access has not been configured.
If you have a customer tenant using the Microsoft 365 services and you only have Limited management capabilities within Lighthouse, we want to know. You can leave comments below or use the feedback mechanism in Lighthouse. We want to enable you to manage all your active Microsoft 365 SMB customer tenants in Lighthouse.
If you already have Lighthouse, sign in and check out the links to other Microsoft admin centers at lighthouse.microsoft.com. If you don’t have Lighthouse, Sign up for Microsoft 365 Lighthouse to get started today.
by Contributed | Jan 9, 2024 | Technology
The start of a new year is often seen as a time to reflect on the past, plan for the future, and set New Year’s resolutions for ourselves. It is also a key time for business leaders to set goals to help their organizations and teams accomplish more in the new year, whether those goals are a new product release, business growth, or workplace culture improvement.
Furthermore, we know that simply writing down your goals is often not enough to achieve them! You also need to communicate your goals with key stakeholders, track your progress, and measure your results. This can be challenging, especially if your organization has multiple goals, competing priorities, or cross-team dependencies.
This is where Viva Goals and Microsoft Copilot can help.
Viva Goals is Microsoft’s solution for creating, managing, and tracking organizational goals. It is founded on the Objective and Key Result (OKR) framework, yet can be customized to meet other goal-setting strategies. To learn more about changing your goal terms from “Objectives and Key Results” to other frameworks or labels, visit our page on customizing terminology in Viva Goals.
With the content generation and summarization capabilities in Copilot in Viva Goals, creating and tracking your goals is becoming even easier.
Quickly create your goals with Copilot in Viva Goals
One challenge we frequently hear from customers is uncertainty about getting started with writing actionable, outcome-driven goals. Setting appropriate and ambitious goals can be daunting, but using Copilot can make the process easier.
From a quick click of the “Copilot” button in the Viva Goals app (available on Microsoft Teams or in your browser), Copilot is ready to help you generate new goals or OKRs:

Copilot in Viva Goals can be accessed from the tool bar or the Copilot icon within Viva Goals.
Copilot in Viva Goals can help you generate goals in two different ways:
Generating new goals based on context you provide (ex: industry, roles, business mission)
Clicking “Help me generate new OKRs” means Copilot will help you in crafting OKRs, using the conversational interface and its repository of sample OKRs.
Copilot in Viva Goals will generate goals based on prompts or information you provide in the chat.
By asking Copilot to “Write an OKR for this year’s plans to roll out Microsoft Copilot to employees across my organization,” you may get a result like:
Objective: Roll out Microsoft Copilot to employees across the organization
Key Result (KR): Train 60% of our employees on the basics of taking the “Copilot for Microsoft 365” training in Viva Learning
KR: Set up all required infrastructure and hardware to support Microsoft Copilot for these employees
KR: Ensure 60% of all newly hired employees have used Microsoft Copilot in their first month of onboarding
Note that this content is AI-generated and will change based on inputs / sample data.
Using the Copilot interface, you can ask Copilot to regenerate these OKRs, refine them (“be more conservative,” “increase the adoption rate,” etc.), or publish them to your Viva Goals instance.
Generating goals from a document you provide (ex: business plan, strategy paper)
Oftentimes, business leaders will already have strategy or business planning documents they have been circulating with their leadership teams. This can be a great place to get started: by uploading these strategy documents to Viva Goals, Copilot can then identify potential goals from the document and format them into actionable OKRs. This capability is currently available for local .docx files, and will expand to more file types and file sources in the coming months.
Copilot in Viva Goals can use content from your existing documents to suggest outcome-based goals.
One thing to remember: using Copilot means that you, as the user, are always in control of what gets saved, published, and shared.
Copilot in Microsoft 365 can also be helpful in writing goals
For users that are not currently using Viva Goals, or are looking for suggestions on annual goals elsewhere, Copilot in M365 can be a great place to get started. Copilot in Word or in the Microsoft Copilot web experience can be great resources for creating the right goals for you and your organization. You can use prompts like “Write 3 OKRs for building a new (product/service) in the new year” or “Provide some goal suggestions for boosting employee morale” and work with Microsoft Copilot to refine these goals.
Furthermore, at Ignite last November (2023), we also announced that Microsoft 365 Copilot will be enhanced with Viva in early 2024. This means users will have access to Viva functionality within the Copilot for Microsoft 365 experience, including a chat experience that works across Viva data and apps to support employees, managers, and leaders. To learn more, check out the announcement from our blog in November, New ways Microsoft Copilot and Viva are transforming the employee experience.
Just make sure that after creating your goals, you are communicating these goals to your stakeholders and tracking your progress!
Summarizing your goals with Copilot
With Copilot, it is even easier to summarize and share your goal progress. Copilot uses context from your goal status updates and check-ins to generate summaries of your progress, making it even easier to share your current status with other teams and leadership.
Copilot in Viva Goals will quickly summarize your goals for easy sharing.
You can work with Copilot to tailor the update messages to your audience by asking the conversational AI to make the summary content more succinct, detailed, or professional. Looking to quickly share these updates with your teams, audiences or stakeholders? Use functionality within Viva Goals to broadcast your updates to email via Outlook or to post on Viva Engage with just a few clicks.
With the Viva Goals integration into Viva Engage, it’s easier than ever to share your team goals with your community.
It has never been easier to get started with setting and tracking your goals with Microsoft and Viva Goals, especially with the power of AI. Always make sure to review Copilot’s responses to make sure the suggestions and content it presents are relevant to your organization and your goals.
Set your 2024 Goals with Copilot today
Copilot in Viva Goals has been available to Viva suite customers in public preview since December 2023 and will be generally available in early 2024. NOTE: Customers with Viva suite licenses interested in using Copilot in Viva Goals should work with their IT admins to enable public preview of Copilot for users from the Microsoft Admin Center. To learn more about enabling Copilot in Viva Goals, please visit our Copilot in Viva Goals documentation.
Microsoft will also be hosting a webinar session on January 31st, 8am US-PT, for those interested in a live demo and to hear how Copilot in Viva Goals is helping address goal-setting and tracking challenges. More details available at Microsoft Virtual Event “Discovering the Power of Copilot in Viva Goals”.
Have feedback about Copilot in Viva Goals? Use the feedback tool in Viva Goals to let us know your thoughts.
From the Microsoft Viva Goals team to yours, we wish you success in achieving your goals in the new year!
by Contributed | Jan 8, 2024 | Technology
One of the best practices for securing your organization’s data is to follow the principle of least privilege, which means granting users the minimum level of permissions they need to perform their tasks. Microsoft Entra ID helps you apply this principle by offering a wide range of built-in roles as well as allowing you to create custom roles and assign them to users or groups based on their responsibilities and access needs. You can also use Entra ID to review and revoke any role assignments that are no longer needed or appropriate.
It can be easy to lose track of role assignments if admin activities are not carefully audited and monitored. Routine checks of role assignments and generating alerts on new role assignments are one way to track and manage privileged role assignment.
Chances are that when a user with privileged roles is approached, they’ll say they need the role. This may be true; however, users will often say, without realizing it, that they need those permissions to carry out certain tasks when a role with lower permissions would suffice. For example, a user will be able to reset user passwords as a Global Administrator, but that does not mean they can’t do the same with another role that has far fewer permissions.
Defining privileged permissions
Privileged permissions in Entra ID can be defined as “permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data.” Each Entra ID role has a list of permissions defined for it. When an identity is granted the role, the identity also inherits the permissions defined in the role.
It’s important to check the permissions of these roles. The permissions defined in all built-in roles can be found here. For example, there are a few permissions that are different for the Privileged Authentication Administrator role than the Authentication Administrator role, giving the former more permissions in Entra ID. The differences between the authentication roles can be viewed here.
Another example of having differences between similar roles is for the end user administration roles. The differences and nuances between these roles are outlined in detail here.
Auditing activity
To decide if a user really needs a role, it’s crucial to monitor their activities and find the role with the least privilege that allows them to carry out their work. You’ll need Entra ID audit logs for this. Entra ID audit logs can either be sent to a Log Analytics Workspace or connected to a Sentinel instance.
There are two methods that can be used to get the events carried out by admin accounts. The first makes use of the IdentityInfo table, which is only available in Sentinel after enabling User and Entity Behavior Analytics (UEBA). If you aren’t using UEBA in Sentinel, or if you’re querying a Log Analytics Workspace, you’ll need to use the second method described under the next heading.
Using Microsoft Sentinel
To ingest Entra ID audit logs into Microsoft Sentinel, the Microsoft Entra ID data connector must be enabled, and the Audit Logs must be ticked as seen below.

Figure 1 Entra ID data connector in Sentinel with Audit logs enabled
The IdentityInfo table stores user information gathered by UEBA. Therefore, it also includes the Entra ID roles a user has been assigned. This makes it very simple to get a list of accounts that have been assigned privileged roles.
The query below will give a unique list of activities an account has taken, as well as which roles the account has been assigned:
AuditLogs
| where TimeGenerated > ago(90d)
// Actor is the signed-in user when present, otherwise the app that initiated the event
| extend ActorName = iif(
    isnotempty(tostring(InitiatedBy["user"])),
    tostring(InitiatedBy["user"]["userPrincipalName"]),
    tostring(InitiatedBy["app"]["displayName"])
  )
| extend ActorID = iif(
    isnotempty(tostring(InitiatedBy["user"])),
    tostring(InitiatedBy["user"]["id"]),
    tostring(InitiatedBy["app"]["id"])
  )
| where isnotempty(ActorName)
// Latest IdentityInfo row per account, keeping only accounts with at least one assigned role
| join (IdentityInfo
    | where TimeGenerated > ago(7d)
    | where strlen(tostring(AssignedRoles)) > 2
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountObjectId, AssignedRoles)
  on $left.ActorID == $right.AccountObjectId
| summarize Operations = make_set(OperationName) by ActorName, ActorID, Identity, tostring(AssignedRoles)
| extend OperationsCount = array_length(Operations)
| project ActorName, AssignedRoles, Operations, OperationsCount, ActorID, Identity
| sort by OperationsCount desc
This will return every account that carried out tasks in Entra ID, including many operations that did not require a privileged role. To filter for specific Entra ID roles, run the following query, where the roles of interest are defined in a list. Three roles have been added as examples, but this list can and should be expanded to include more roles:
// Roles to review; extend this list to cover every privileged role in your tenant
let PrivilegedRoles = dynamic(["Global Administrator",
    "Security Administrator",
    "Compliance Administrator"
]);
AuditLogs
| where TimeGenerated > ago(90d)
| extend ActorName = iif(
    isnotempty(tostring(InitiatedBy["user"])),
    tostring(InitiatedBy["user"]["userPrincipalName"]),
    tostring(InitiatedBy["app"]["displayName"])
  )
| extend ActorID = iif(
    isnotempty(tostring(InitiatedBy["user"])),
    tostring(InitiatedBy["user"]["id"]),
    tostring(InitiatedBy["app"]["id"])
  )
| where isnotempty(ActorName)
| join (IdentityInfo
    | where TimeGenerated > ago(7d)
    | where strlen(tostring(AssignedRoles)) > 2
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountObjectId, AssignedRoles)
  on $left.ActorID == $right.AccountObjectId
// Keep only actors holding at least one of the listed roles
| where AssignedRoles has_any (PrivilegedRoles)
| summarize Operations = make_set(OperationName) by ActorName, ActorID, Identity, tostring(AssignedRoles)
| extend OperationsCount = array_length(Operations)
| project ActorName, AssignedRoles, Operations, OperationsCount, ActorID, Identity
| sort by OperationsCount desc
Once the query is run, the results will give insights into the activities performed in your Entra ID tenant and what roles those accounts have. In the example below, the top two results don’t pose any problems. However, the third row contains a user that has the Global Administrator role and has created a service principal. The permissions needed to create a service principal can be found in roles less privileged than the Global Administrator role. Therefore, this user can be given a less privileged role. To find out which role can be granted, check this list, which contains the least privileged role required to carry out specific tasks in Entra ID.

Figure 2 Actions taken by users in Entra ID
Using Log Analytics Workspace

Figure 3 Configuring the forwarding of Entra ID Audit logs to a Log Analytics Workspace
To ingest Entra ID audit logs into a Log Analytics Workspace, follow these steps.
Because there is no table that contains the roles an identity has been granted, you’ll need to add the list of users to the query and filter them. There are multiple ways to get a list of users who have been assigned a specific Entra ID role. A quick way to do this is to go to Entra ID and then select Roles and administrators. From there, select the role and export the identities that have been assigned to it. It’s important to have the User Principal Names (UPNs) of the privileged users. You’ll need to add these UPNs, along with the roles the user has, to the query. Some examples have been given in the query itself. If the user has more than one role, then all roles must be added to the query.
// Privileged users and their roles, exported from Roles and administrators in Entra ID.
// Note that the join below matches the UPN exactly (case-sensitive), so enter UPNs
// in the same casing that appears in the audit logs.
datatable(UserPrincipalName:string, Roles:dynamic) [
    "admin@contoso.com", dynamic(["Global Administrator"]),
    "admin2@contoso.com", dynamic(["Global Administrator", "Security Administrator"]),
    "admin3@contoso.com", dynamic(["Compliance Administrator"])
]
| join (AuditLogs
    | where TimeGenerated > ago(90d)
    | extend ActorName = iif(
        isnotempty(tostring(InitiatedBy["user"])),
        tostring(InitiatedBy["user"]["userPrincipalName"]),
        tostring(InitiatedBy["app"]["displayName"])
      )
    | extend ActorID = iif(
        isnotempty(tostring(InitiatedBy["user"])),
        tostring(InitiatedBy["user"]["id"]),
        tostring(InitiatedBy["app"]["id"])
      )
    | where isnotempty(ActorName) ) on $left.UserPrincipalName == $right.ActorName
| summarize Operations = make_set(OperationName) by ActorName, ActorID, tostring(Roles)
| extend OperationsCount = array_length(Operations)
| project ActorName, Operations, OperationsCount, Roles, ActorID
| sort by OperationsCount desc
Once you run the query, the results will give insights into the activities performed in your Entra ID tenant by the users you filtered for. In the example below, the top two results can cause problems. Both have the Global Administrator role, but their operations do not require that role. The permissions needed for these operations can be found in roles less privileged than the Global Administrator role. Therefore, these users can be given a less privileged role. To find out which role can be granted, check this list, which contains the least privileged role required to carry out specific tasks in Entra ID.

Figure 4 Actions taken by users in Entra ID
If a user still requires the Global Administrator role, then a Security Administrator role assigned to the same user is redundant, because the Global Administrator role already contains all of the Security Administrator role's permissions.
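The same review as the two KQL approaches above (actor extraction, join to assigned roles, distinct operations per actor, then comparing held roles against what the operations need), written as an added offline Python example that is not part of the original post. The audit records, the role assignments and the operation-to-role map are constructed placeholders; the map should be populated from Microsoft's least-privileged-roles-by-task list for a real tenant.

```python
"""Offline version of the over-privilege review from the Sentinel and Log
Analytics sections: pull the actor out of each AuditLogs record (the signed-in
user if InitiatedBy.user is set, otherwise the app), join it to the roles that
account holds, summarize the distinct operations per actor and flag roles that
are broader than the work actually seen.  Added example, not Microsoft's code;
the log lines and the least-privileged-role map are constructed placeholders."""
import json
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"

# Constructed AuditLogs records (JSON lines) in the shape the KQL above reads:
# InitiatedBy.user / InitiatedBy.app plus OperationName. Not real tenant data.
AUDIT_LOG_LINES = """
{"OperationName": "Add service principal", "InitiatedBy": {"user": {"userPrincipalName": "Admin@Contoso.com", "id": "u-1"}}}
{"OperationName": "Update application", "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com", "id": "u-1"}}}
{"OperationName": "Reset user password", "InitiatedBy": {"user": {"userPrincipalName": "admin2@contoso.com", "id": "u-2"}}}
{"OperationName": "Reset user password", "InitiatedBy": {"user": {"userPrincipalName": "admin2@contoso.com", "id": "u-2"}}}
{"OperationName": "Update user", "InitiatedBy": {"user": {"userPrincipalName": "admin2@contoso.com", "id": "u-2"}}}
{"OperationName": "Update policy", "InitiatedBy": {"user": {"userPrincipalName": "admin3@contoso.com", "id": "u-3"}}}
{"OperationName": "Add user", "InitiatedBy": {"app": {"displayName": "Contoso Sync App", "id": "a-1"}}}
"""

# Stand-in for the IdentityInfo join / datatable in the queries: UPN -> roles held.
# Constructed values matching the datatable example in the post.
ASSIGNED_ROLES = {
    "admin@contoso.com": [GLOBAL_ADMIN],
    "admin2@contoso.com": [GLOBAL_ADMIN, "Security Administrator"],
    "admin3@contoso.com": ["Compliance Administrator"],
}

# Illustrative OperationName -> least privileged role. Placeholder entries chosen
# to match the post's examples; fill this from Microsoft's least-privileged-roles
# list before relying on the result.
LEAST_PRIVILEGED_ROLE = {
    "Add service principal": "Application Administrator",
    "Update application": "Application Administrator",
    "Reset user password": "Password Administrator",
    "Update user": "User Administrator",
}


def parse_audit_lines(text):
    """Parse a JSON-lines AuditLogs export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(record):
    """Mirror the iif() in the queries: prefer the user, else the app.
    UPNs are lowercased because the KQL join on UPN is case-sensitive."""
    initiated_by = record.get("InitiatedBy", {})
    user = initiated_by.get("user")
    if user:
        return user["userPrincipalName"].lower(), user["id"]
    app = initiated_by.get("app", {})
    return app.get("displayName", ""), app.get("id", "")


def summarize_operations(records):
    """Equivalent of: summarize Operations = make_set(OperationName) by actor."""
    ops = defaultdict(set)
    for record in records:
        name, actor_id = actor_of(record)
        if name:  # where isnotempty(ActorName)
            ops[(name, actor_id)].add(record["OperationName"])
    return ops


def review(records, assigned_roles, least_privileged):
    """Per privileged actor: operations seen, the roles those operations need,
    held roles broader than needed, and roles made redundant by Global
    Administrator (which already contains every other role's permissions)."""
    findings = {}
    for (name, actor_id), operations in summarize_operations(records).items():
        roles = set(assigned_roles.get(name, []))
        if not roles:
            continue  # not in the privileged list, like the inner join
        required = {least_privileged[op] for op in operations if op in least_privileged}
        unmapped = {op for op in operations if op not in least_privileged}
        # Only call a role unnecessary when every operation has a known
        # narrower alternative; unmapped operations need a manual look.
        unnecessary = set() if unmapped else roles - required
        redundant = roles - {GLOBAL_ADMIN} if GLOBAL_ADMIN in roles else set()
        findings[name] = {
            "ActorID": actor_id,
            "Operations": sorted(operations),
            "OperationsCount": len(operations),
            "AssignedRoles": sorted(roles),
            "RequiredRoles": sorted(required),
            "UnnecessaryRoles": sorted(unnecessary),
            "RedundantRoles": sorted(redundant),
            "UnmappedOperations": sorted(unmapped),
        }
    return findings


if __name__ == "__main__":
    results = review(parse_audit_lines(AUDIT_LOG_LINES), ASSIGNED_ROLES, LEAST_PRIVILEGED_ROLE)
    for actor, finding in sorted(results.items(), key=lambda kv: -kv[1]["OperationsCount"]):
        print(actor, json.dumps(finding))
```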
Conclusion
Keeping accounts with privileges they do not require keeps your attack surface larger than it needs to be. By ingesting Entra ID audit logs, you can query for and identify users who hold unnecessary or over-privileged roles, and then find a suitable, less privileged role for them.
Timur Engin