MSFT are introducing a new Azure Active Directory (AD) role called global reader.
MSFT has started the rollout, which will be completed worldwide in October 2019.
Global reader is the read-only counterpart to global administrator. Users in this role can read settings and administrative information across Microsoft 365 services but cannot take management actions.
It is available in my tenant (below screenshot).
MSFT created the global reader role to help reduce the number of global administrators in your organization. Because global administrator accounts are powerful and vulnerable to attack, MSFT recommend that you have fewer than five global administrators.
Assign global reader instead of global administrator for planning, audits, or investigations.
Use global reader in combination with other limited admin roles like Exchange administrator to make it easier to get work done without invoking the global administrator role.
Global reader works with the new Microsoft 365 admin center, Exchange admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
Note: At public preview launch, global reader does not work with SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, or the following features within Teams: Teams Lifecycle, Reporting & Call Analytics, IP Phone Device Management, and App Catalog. All of these services will work with global reader in the future.
This role will be an added advantage for SharePoint Online admins, helping them understand the integrations between features in M365/O365.
To get the most value from this new feature, we suggest that you identify the admins in your organization who should have the global reader role assigned to them. For example:
Remove the global admin role and assign global reader, and any other essential limited roles, to individuals and admins who can complete their tasks with only the global reader role or the role in combination with limited admin roles like Exchange admin or user admin.
Assign the global reader role to individuals in your organization who don’t have admin center access today and are dependent on coworkers for getting the administrative information they need for their work.
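One way to carry out the review suggested above, as an added example rather than code from the original post or from Microsoft: it counts the tenant's global administrators against the fewer-than-five recommendation and, only when run with -Apply, moves the listed users to global reader. It assumes the AzureAD PowerShell module with an active Connect-AzureAD session; the -DemoteUpn and -Apply parameter names are hypothetical, chosen for this example.

```powershell
# Added example (not from the original post).
# Requires the AzureAD module and an existing session: Connect-AzureAD
param(
    [string[]]$DemoteUpn = @(),   # assumption: UPNs you decided only need read access
    [switch]$Apply                # without -Apply the script only reports
)

# Built-in role template IDs (the same in every tenant)
$GlobalAdminTemplate  = '62e90394-69f5-4237-9190-012177145e10'
$GlobalReaderTemplate = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'

function Get-ActivatedRole([string]$TemplateId) {
    # Get-AzureADDirectoryRole returns only roles already activated in the tenant
    $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $TemplateId }
    if (-not $role -and $Apply) {
        Enable-AzureADDirectoryRole -RoleTemplateId $TemplateId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $TemplateId }
    }
    return $role
}

$gaRole = Get-ActivatedRole $GlobalAdminTemplate
$admins = @(Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId)
Write-Output ("Global administrators: {0} (recommendation: fewer than five)" -f $admins.Count)
$admins | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table

$readerRole = Get-ActivatedRole $GlobalReaderTemplate
$remaining  = $admins.Count
foreach ($upn in $DemoteUpn) {
    $user = $admins | Where-Object { $_.UserPrincipalName -eq $upn }
    if (-not $user) { Write-Warning "$upn is not a global administrator; skipped"; continue }
    if ($remaining -le 1) { Write-Warning "Keeping $upn: the tenant needs one global administrator"; continue }
    if (-not $Apply) { Write-Output "Would move $upn to global reader"; $remaining--; continue }
    # Grant global reader first so the user keeps read access throughout the change
    $isReader = Get-AzureADDirectoryRoleMember -ObjectId $readerRole.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if (-not $isReader) {
        Add-AzureADDirectoryRoleMember -ObjectId $readerRole.ObjectId -RefObjectId $user.ObjectId
    }
    Remove-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId -MemberId $user.ObjectId
    $remaining--
}
```

Any other limited roles a user still needs, such as Exchange administrator, have to be assigned separately before the global administrator role is removed.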