Personas

This article describes the personas we've identified for Microsoft365DSC and provides additional insights into what each one is trying to achieve and how we recommend they configure authentication. For each persona, we list the permissions required either to deploy configuration changes (including creating new instances of components) or to back up and monitor these configuration settings. If you are only interested in taking snapshots/backups of current configuration settings or in monitoring existing settings for configuration drift, then only read-only permissions are required (with some exceptions). On the other hand, if you are trying to create new instances of components (e.g., a new policy) or to update existing ones, then write permissions will also be needed on top of the read permissions.

As mentioned in our User Guide section, there are three main types of authentication allowed in Microsoft365DSC:

  • Credentials: uses a user account to authenticate with a username/password combination. This type of authentication requires Role-Based Access Control (RBAC) permissions to be granted to the account. For credential authentication to work with Microsoft Graph based resources, both RBAC permissions on the user account and API permissions on the Microsoft Graph Command Line Tools enterprise app need to be granted. The required roles and permissions can be determined by looking at the settings.json file of each resource you are trying to interact with.

    For example, if you are trying to use Credentials authentication to monitor Azure AD Conditional Access Policies, the user account will need to be granted the Security Reader RBAC role at a minimum, and the Microsoft Graph Command Line Tools enterprise app will need to be granted the Policy.Read.All API permission.

  • Service Principal: requires the organization to define an Azure AD app registration and grant it the proper API permissions (or assign it to RBAC roles). This type of authentication requires the user to specify an Application ID together with either a Certificate Thumbprint or an Application Secret to authenticate.

  • Managed Identity: not covered in this article due to the lack of support across all workloads.
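As an added example (not code from the Microsoft365DSC project), the following PowerShell compiles the least-privilege role and Graph permission set for a list of resources from their settings.json content, choosing delegated permissions for Credentials and application permissions for a Service Principal, and adding the update set on top of the read set only when changes are to be deployed. The two settings.json documents are constructed inline; their layout and permission names are assumptions to be checked against the real files shipped with the module.

```powershell
# Added example (not from the Microsoft365DSC project). Both settings.json documents are
# CONSTRUCTED; the layout (roles.read/update, permissions.graph.<kind>.read/update) is assumed.
$SettingsCatalog = @{
    'AADConditionalAccessPolicy' = @'
{ "resourceName": "AADConditionalAccessPolicy",
  "roles": { "read": ["Security Reader"], "update": ["Conditional Access Administrator"] },
  "permissions": { "graph": {
    "delegated":   { "read": [{"name": "Policy.Read.All"}], "update": [{"name": "Policy.ReadWrite.ConditionalAccess"}] },
    "application": { "read": [{"name": "Policy.Read.All"}], "update": [{"name": "Policy.ReadWrite.ConditionalAccess"}] } } } }
'@
    'AADGroup' = @'
{ "resourceName": "AADGroup",
  "roles": { "read": ["Global Reader"], "update": ["Groups Administrator"] },
  "permissions": { "graph": {
    "delegated":   { "read": [{"name": "Group.Read.All"}], "update": [{"name": "Group.ReadWrite.All"}] },
    "application": { "read": [{"name": "Group.Read.All"}], "update": [{"name": "Group.ReadWrite.All"}] } } } }
'@
}

function Get-RequiredPermissionSet {
    param(
        [Parameter(Mandatory)] [string[]] $ResourceNameList,
        [ValidateSet('Read', 'Update')] [string] $AccessType = 'Read',
        [ValidateSet('Credentials', 'ServicePrincipal')] [string] $AuthenticationType = 'Credentials'
    )
    # Credentials use delegated Graph permissions (granted to the Graph Command Line Tools app);
    $kind = if ($AuthenticationType -eq 'Credentials') { 'delegated' } else { 'application' }
    # deploying changes needs the update set on top of the read set; monitoring needs read only.
    $levels = if ($AccessType -eq 'Update') { @('read', 'update') } else { @('read') }
    $roles = [System.Collections.Generic.HashSet[string]]::new()
    $graph = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($name in $ResourceNameList) {
        if (-not $SettingsCatalog.ContainsKey($name)) { throw "No settings.json known for '$name'" }
        $settings = $SettingsCatalog[$name] | ConvertFrom-Json
        foreach ($level in $levels) {
            foreach ($r in (@($settings.roles.$level) | Where-Object { $_ })) { [void]$roles.Add($r) }
            foreach ($p in (@($settings.permissions.graph.$kind.$level) | Where-Object { $_ })) { [void]$graph.Add($p.name) }
        }
    }
    [pscustomobject]@{
        AuthenticationType = $AuthenticationType
        AccessType         = $AccessType
        Roles              = @($roles | Sort-Object)   # RBAC roles for the user account (or the app, if role-assigned)
        GraphPermissions   = @($graph | Sort-Object)   # API permissions that must be consented to
    }
}
# Monitoring with a user account versus deploying changes with an app registration:
Get-RequiredPermissionSet -ResourceNameList 'AADConditionalAccessPolicy', 'AADGroup' -AccessType Read
Get-RequiredPermissionSet -ResourceNameList 'AADConditionalAccessPolicy', 'AADGroup' -AccessType Update -AuthenticationType ServicePrincipal
```

The first call yields only Security Reader, Global Reader, Policy.Read.All and Group.Read.All; the second adds the update roles and ReadWrite permissions, which is the set a deploy-capable principal should hold and nothing more.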

Azure AD / Entra

Identity Administrator
Description:

The Identity Administrators are responsible for managing user and group settings. As part of their role, they are responsible for defining what permissions users and service principals are granted in the tenant. They are dealing with components such as:

  • AADAdministrativeUnit
  • AADApplication
  • AADGroups
  • AADGroupsNamingPolicy
  • AADRoleDefinition
  • AADServicePrincipal
  • AADUser
  • Etc.

Associated Azure AD Roles:

Create & Update:

  • Groups Administrator
  • Identity Governance Administrator
  • Security Administrator
  • User Administrator

Export & Monitor:

  • Global Reader
  • Security Reader

Security Administrator
Description:

The Security Administrators are responsible for defining new Entra identity policies, updating existing ones and monitoring them for configuration drift at scale, across one or multiple tenants. Their goal is to ensure the overall security of the tenant by making sure only authorized users can perform certain tasks. They are dealing with components such as:

  • AADAuthenticationMethodPolicy
  • AADAuthorizationPolicy
  • AADConditionalAccessPolicy
  • AADCrossTenantAccessPolicy
  • AADEntitlementManagementAccessPackage
  • Etc.

Associated Azure AD Roles:

Create & Update:

  • Authentication Policy Administrator
  • Conditional Access Administrator
  • Privileged Role Administrator
  • Security Administrator

Export & Monitor:

  • Global Reader
  • Security Reader

Exchange Online

Exchange Administrator
Description:

The Exchange Administrators are responsible for ensuring the proper functioning of the mail and calendar functionality as well as securing communications between internal employees and with external entities. They are dealing with components such as:

  • EXOAntiphishPolicy
  • EXOMalwareFilterRule
  • EXOPerimeterConfiguration
  • EXOTransportRule
  • Etc.

Associated Azure AD Roles:

Create & Update:

  • Exchange Administrator

Export & Monitor:

  • Global Reader
  • Security Reader

Microsoft Teams

Teams Collaboration Administrator
Description:

The Teams Collaboration Administrators are responsible for ensuring the proper functioning of the Teams collaboration features, such as managing channels and teams, and of their associated policies (e.g., Teams Channel Policies, Teams Messaging Policies, etc.). They are dealing with components such as:

  • TeamsAppPermissionPolicy
  • TeamsChannel
  • TeamsMessagingPolicy
  • TeamsShiftPolicy
  • Etc.

Associated Azure AD Roles:

Create & Update:

  • Teams Administrator

Export & Monitor:

  • Global Reader

Teams Voice Administrator
Description:

The Teams Voice Administrators are responsible for ensuring the proper functioning of the voice features in Teams, such as managing IP Phone policies, Voicemail settings, Dial plans, etc. They are dealing with components such as:

  • TeamsEmergencyCallingPolicy
  • TeamsIPPhonePolicy
  • TeamsOnlineVoicemailPolicy
  • TeamsTenantDialPlan
  • Etc.

Associated Azure AD Roles:

Create & Update:

  • Teams Administrator

Export & Monitor:

  • Global Reader