New (compliance) Management roles introduced in Exchange Online RBAC

Back when Microsoft first introduced the Security and Compliance Center, it used the Exchange RBAC model to delegate access to various functionalities. This remains valid to this day, even though the SCC has since been replaced by the standalone Compliance (Purview) and Security (Defender) portals. This is not necessarily a bad thing, as the Exchange RBAC model has proven its effectiveness (and robustness) over the years. The major problem with the implementation of RBAC within the Compliance and Security portals remains visibility, as many of the underlying cmdlets are not available or their output has been stripped down to something less than useful.

Anyway, the purpose of this article is not to discuss the model in detail, but simply to introduce you to a few new roles that have become available over the last few weeks. All of them pertain to “solutions” within the Compliance portal, such as Information protection or Insider Risk management. Without further ado, here’s the list, sorted by the Role Group creation date:

Get-RoleGroup | sort WhenCreated | ft Name,WhenCreated,Roles

Name WhenCreated Roles
---- ----------- -----
Compliance Administrator 07/04/2023 09:05:17 {Communication Compliance Admin, Insider Risk Management Admin}
Privacy Management 07/04/2023 09:05:18 {Privacy Management Admin, Privacy Management Investigation}
Communication Compliance 07/04/2023 09:05:18 {Communication Compliance Investigation, Communication Compliance Admin}
Privacy Management Investigators 07/04/2023 09:05:18 {Privacy Management Investigation}
Privacy Management Administrators 07/04/2023 09:05:18 {Privacy Management Admin}
Insider Risk Management Admins 07/04/2023 09:05:18 {Insider Risk Management Admin}
Insider Risk Management 07/04/2023 09:05:18 {Insider Risk Management Investigation, Insider Risk Management Admin}
Communication Compliance Administrators 07/04/2023 09:05:18 {Communication Compliance Admin}
Insider Risk Management Investigators 07/04/2023 09:05:18 {Insider Risk Management Investigation}
Information Protection Investigators 07/04/2023 09:05:19 {Information Protection Investigator}
Information Protection Readers 07/04/2023 09:05:19 {Information Protection Reader}
Information Protection Analysts 07/04/2023 09:05:19 {}
Information Protection 07/04/2023 09:05:19 {Information Protection Investigator, Information Protection Reader, Information Protection Admin}
Information Protection Admins 07/04/2023 09:05:19 {Information Protection Admin}

where I’ve filtered out any of the “old” roles – in my tenant this corresponds to roles created before April 7th, 2023, but results might vary.

As a Role Group is basically a collection of Management roles, it’s worth examining the “content” of the corresponding (and newly introduced) roles. Unfortunately, we’re again facing the “black box” issue of cmdlets having stripped-down output, both in Exchange Online and in Security and Compliance PowerShell sessions. Thus, the output below, which is supposed to give you a list of all PowerShell cmdlets included in a specific management role, is a bit useless:

Get-ManagementRole | ? {$_.WhenCreated -ge "01/04/2023"} | select Name,@{n="Cmdlets";e={(($_.RoleEntries.Split("`n") | % { $_.Split(" ")[1] }) -join ",")}}

Name Cmdlets
---- -------
Communication Compliance Admin Test-TextExtraction
Communication Compliance Investigation Test-TextExtraction
Information Protection Admin Test-TextExtraction
Information Protection Investigator Test-TextExtraction,Search-UnifiedAuditLog
Information Protection Reader Test-TextExtraction,Search-UnifiedAuditLog,Get-MailTrafficSummaryReport,Get-MailTrafficReport
Insider Risk Management Admin Test-TextExtraction
Insider Risk Management Investigation Test-TextExtraction
Privacy Management Admin Test-TextExtraction
Privacy Management Investigation Test-TextExtraction

As you can see, most of the newly introduced management roles feature a single Exchange Online cmdlet, namely Test-TextExtraction. This hardly matches the description of the role and the set of actual features it gives access to, but it’s the best we can get out of the limited output.
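Since the built-in output is this sparse, the practical next step is to tie the three pieces together yourself: which of the new Role Groups exist, which cmdlets their roles expose (for whatever the session is willing to show), and, more importantly for access review, who is a member of them. The script below is an added example, not code from the original post; the function name Get-NewComplianceRoleGroupReport is my own, it assumes an already connected Exchange Online (Connect-ExchangeOnline) or Security and Compliance (Connect-IPPSSession) session, and the cut-off date is a constructed value matching the tenant above.

```powershell
# Added example (not from the original post): inventory the newly introduced
# compliance Role Groups, the cmdlets each assigned role exposes, and who holds them.
# Assumes an existing Exchange Online or Security & Compliance PowerShell session.
# The function name is hypothetical; the -Since value used below is a constructed example.

function Get-NewComplianceRoleGroupReport {
    [CmdletBinding()]
    param(
        # Only role groups created on or after this date are reported
        [Parameter(Mandatory)]
        [datetime] $Since
    )

    # Role groups are the unit of delegation; list them oldest-first like the post does
    $groups = Get-RoleGroup | Where-Object { $_.WhenCreated -ge $Since } | Sort-Object WhenCreated

    foreach ($group in $groups) {
        # Resolve the cmdlets behind every Management Role assigned to the group.
        # RoleEntries may arrive as a multi-valued property or as one newline-joined
        # string depending on the session, so split on newlines either way. Each entry
        # looks like "(Microsoft.Exchange.Management.PowerShell.E2010) Test-TextExtraction -Identity ..."
        # so the second whitespace-separated token is the cmdlet name.
        $cmdlets = foreach ($roleName in $group.Roles) {
            $role = Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue
            if ($null -eq $role) { continue }
            foreach ($entry in (@($role.RoleEntries) -split "`n")) {
                $parts = $entry.Trim() -split '\s+'
                if ($parts.Count -ge 2 -and $parts[1]) { $parts[1] }
            }
        }

        # Membership is what an access review actually needs: these groups grant access
        # to Insider Risk, Communication Compliance and Privacy Management data.
        $members = Get-RoleGroupMember -Identity $group.Identity -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            RoleGroup   = $group.Name
            WhenCreated = $group.WhenCreated
            Roles       = ($group.Roles -join ', ')
            Cmdlets     = (($cmdlets | Sort-Object -Unique) -join ', ')
            MemberCount = @($members).Count
            Members     = (@($members) -join ', ')
        }
    }
}

# Usage: cut-off matching the post's tenant (7 April 2023, written in ISO form so it
# parses the same regardless of the session's culture); adjust for your own tenant.
Get-NewComplianceRoleGroupReport -Since (Get-Date '2023-04-07') | Format-Table -AutoSize
```

Running this periodically (or diffing its output against a known-good baseline) is a cheap way to spot someone being quietly added to, say, Insider Risk Management Investigators, which is exactly the kind of change the portals themselves make hard to see. Expect the Cmdlets column to be as thin as the post shows; the Members and Roles columns are the ones that carry the value.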

As to why these roles have been introduced, and their importance, my best guess would be that they relate to the recently introduced support for scoping Compliance functionalities based on Administrative units.
