this post was submitted on 18 Aug 2023
13 points (88.2% liked)

Sysadmin

5574 readers
2 users here now

A community dedicated to the profession of IT Systems Administration

founded 5 years ago
MODERATORS
 

I’ve started at a medium-sized org (~1500 users) that has over a dozen global admins in 365, plus another 80 users with various 365 admin access. Does anyone have any tips for how to identify what access the users actually need?

I tried punching up a questionnaire with all of the available options, but my test group reported that it was too convoluted. I’m not sure how I can better identify their needs without interviewing them one-on-one, or just ripping away access and seeing who screams.

top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 5 points 1 year ago (1 children)

Create a model based on processes? Eg least priv for helpdesk for passwords, machine/intune mngt, etc., call it L1. Then add some roles for reporting, wiping/isolating machines or similar for the security team (call it L2 admin), etc.

[–] [email protected] 3 points 1 year ago (1 children)

Role-based access is absolutely the goal but I think I'm a ways away from identifying and implementing it. Responsibilities are too unclear and diverse right now.

I may need to just meet with each department manager and ask him or her what their team needs to be able to do.

[–] [email protected] 2 points 1 year ago

Honestly, it depends on your role within the company as well - if you are a CxO or from IAM/UAM domain, then you can just define a model for this particular “tool” and announce the upcoming change (ie prepare the roles and all, and then clean up existing roles/accesses) that X will happen in next, lets say, 45 days. This will make everyone jump on you of course, buuuuut thats what you want, as at least you will suddenly get people msging you regarding the “why” they need xyz role - et voila you now have your high level list of processes; adjust roles where needed and continue.

My view on this is that it also kinda depends on the company hierarchy and its sector, but you should be a little dictator - youll reap the rewards for being effective; its the others who ignored your call2action who are to blame :D

[–] [email protected] 2 points 1 year ago

Audit report?

[–] [email protected] 1 points 1 year ago (1 children)

Is there any way to look at what access people are actually using?

[–] [email protected] 1 points 1 year ago

I haven't found anything like a full report on admin right usage for all users. I'd hate to go user-by-user in audit reporting - At that point I may as well just interview them.