
Just my Opinion but Maybe M365 Permissions are Too Complicated

I have long thought M365 is too complicated for anyone to understand all of it deeply.

Then I learned that Entra ID has 116 different roles:

People Administrator is the 116th Entra ID Role

Lest you think that is all, let me also share this great piece about the 64 roles available in Microsoft Purview.

I understand that permissions should be given on a least-privileged basis and that dividing these roles allows people to be granted access to just what they need without giving them too much access, but at what point does this become too confusing? In other words, by creating these many different roles, do we assume more risk in granting permissions blindly? How many Global Administrators can track who needs which roles, and how many organizations grant the Global role instead of constantly resetting a user’s role whenever there’s a new feature?
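The tracking problem raised above is concrete enough to check mechanically. The script below is an added example, not code from the original post or from Microsoft: it takes a role-assignment export in the shape Microsoft Graph's directory role endpoints return (role definitions with `id` and `displayName`, assignments with `principalId` and `roleDefinitionId`), groups roles per principal, and flags the two patterns the paragraph worries about: more Global Administrators than policy allows, and Global Administrators who also hold granular roles (a sign the role was granted as a shortcut, since Global Administrator already covers everything). It also lists principals carrying an unusually long list of granular roles. The sample data, the placeholder role ids, and both thresholds are constructed assumptions.

```python
"""Audit an Entra ID role-assignment export for privilege sprawl.

Added example, not part of the original post. Assumes the Graph shape:
role definitions carry `id` and `displayName`; assignments carry
`principalId` and `roleDefinitionId`. All data below is constructed.
"""
from collections import defaultdict

GLOBAL_ADMIN = "Global Administrator"

# Constructed role definitions: ids are placeholders, not real template GUIDs.
ROLE_DEFINITIONS = [
    {"id": "role-ga", "displayName": "Global Administrator"},
    {"id": "role-exo", "displayName": "Exchange Administrator"},
    {"id": "role-teams", "displayName": "Teams Administrator"},
    {"id": "role-spo", "displayName": "SharePoint Administrator"},
    {"id": "role-grp", "displayName": "Groups Administrator"},
    {"id": "role-comp", "displayName": "Compliance Administrator"},
    {"id": "role-secr", "displayName": "Security Reader"},
    {"id": "role-rptr", "displayName": "Reports Reader"},
    {"id": "role-ca", "displayName": "Conditional Access Administrator"},
    {"id": "role-lic", "displayName": "License Administrator"},
    {"id": "role-user", "displayName": "User Administrator"},
]

# Constructed assignments (principalId, roleDefinitionId), as Graph returns them.
ROLE_ASSIGNMENTS = [
    {"principalId": "alice", "roleDefinitionId": "role-ga"},
    {"principalId": "bob", "roleDefinitionId": "role-ga"},
    {"principalId": "bob", "roleDefinitionId": "role-exo"},  # redundant under GA
    {"principalId": "carol", "roleDefinitionId": "role-ga"},
    {"principalId": "dave", "roleDefinitionId": "role-ga"},
    {"principalId": "erin", "roleDefinitionId": "role-ga"},
    {"principalId": "frank", "roleDefinitionId": "role-ga"},
    {"principalId": "heidi", "roleDefinitionId": "role-spo"},
] + [
    # grace holds nine granular roles: the "many hats" case from the post
    {"principalId": "grace", "roleDefinitionId": rid}
    for rid in ("role-teams", "role-spo", "role-grp", "role-comp", "role-secr",
                "role-rptr", "role-ca", "role-lic", "role-user")
]


def roles_by_principal(definitions, assignments):
    """Resolve roleDefinitionId -> displayName and group role names per principal."""
    names = {d["id"]: d["displayName"] for d in definitions}
    grouped = defaultdict(set)
    for a in assignments:
        name = names.get(a["roleDefinitionId"])
        if name is None:
            # An assignment to a role not in the export is itself a finding.
            raise KeyError(f"unknown roleDefinitionId {a['roleDefinitionId']!r}")
        grouped[a["principalId"]].add(name)
    return dict(grouped)


def principals_by_role(roles):
    """Reverse index: role name -> sorted principals, for 'who has what' reviews."""
    index = defaultdict(list)
    for principal, names in roles.items():
        for name in names:
            index[name].append(principal)
    return {name: sorted(p) for name, p in index.items()}


def audit(roles, max_global_admins=5, max_roles_per_principal=8):
    """Flag the sprawl patterns a role reviewer cares about.

    Thresholds are assumptions to be set by tenant policy; keeping Global
    Administrator to a handful of accounts is the usual guidance.
    """
    global_admins = sorted(p for p, r in roles.items() if GLOBAL_ADMIN in r)
    # GA already implies every other role, so extra roles on a GA account
    # suggest GA was granted as a shortcut rather than after a needs review.
    ga_with_extra = {p: sorted(roles[p] - {GLOBAL_ADMIN})
                     for p in global_admins if len(roles[p]) > 1}
    role_heavy = {p: len(r) for p, r in roles.items()
                  if GLOBAL_ADMIN not in r and len(r) > max_roles_per_principal}
    return {
        "global_admins": global_admins,
        "too_many_global_admins": len(global_admins) > max_global_admins,
        "global_admins_with_extra_roles": ga_with_extra,
        "role_heavy_principals": role_heavy,
    }


if __name__ == "__main__":
    grouped = roles_by_principal(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)
    for key, value in audit(grouped).items():
        print(f"{key}: {value}")
```

Against a real tenant you would feed the two lists from `roleManagement/directory/roleDefinitions` and `roleManagement/directory/roleAssignments`; the reverse index from `principals_by_role` is the view to hand to each role owner during an access review.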

For example, I’m not a Global Admin at work. I don’t want to be. I want nothing to do with resetting passwords, being an Exchange Admin or working with Conditional Access policies, among other things. I don’t know enough to feel comfortable stepping in to fill those roles so I should not have access.

On the other hand, I am responsible for group management, Teams and SharePoint Admin roles, and many of the items inside Purview for data governance, AI compliance, records, and eDiscovery. Thus, I have a bunch of different roles.

I also remember a few years ago when I got locked out of a tenant where I had many different roles because my login would time out trying to apply them all. (It happens!) Whoops!

I could see a day when this process gets old and making someone a Global Admin is less tedious.

That should never be the rationale, but if we make security so tedious that it’s difficult to understand and track, some organizations will err on the side of convenience rather than security.

That’s a risk. I’d love to see Microsoft make these roles more efficient, but I also understand that the M365 environment is so complex and multifaceted that you need to accommodate people who need to wear many different hat iterations. If anything, these roles should remind us just how significant this environment is and how much know-how it takes to manage efficiently.
