MB-200: Microsoft Dynamics 365 Customer Engagement Core – 365 Admin Roles

January 24, 2020

I am creating a series of blog posts that collectively are designed to help anyone preparing for the Microsoft Dynamics 365 Customer Engagement Core exam. (aka MB-200) In this post I will look at concepts around 365 admin roles.

You can see below that we have a section of the exam which covers security. Within this section needing to know about the Dynamics 365 admin roles is highlighted

We have seen in other posts that Dynamics users are created in the 365 admin center then assigned a role in Dynamics 365. Assigning this role governs what features of Dynamics 365 will be available and what access they receive to what records. But within Office 365 we also have a number of administration roles which allow the management of users, subscriptions and services available to the organization as a whole.

You will find the 365 at https://admin.microsoft.com/

I guess one of the most import 365 admin roles of the Global Admin as they have complete access to everything!

Global Administration Role

When creating users they will typically just have a “user” role, meaning they have no access to the admin center. But we can grant one (or more) admin roles. One of the available roles is “Global Admin”.

Global Administrators can perform any management activities in the Office 365 admin center. They are your “top level” administrators. Your global administrators will, by default, also have systems administration privileges in Dynamics 365.

You can see my roles below, notice that I am a global admin.

Tip:
Also below notice that a user can’t change their own roles. (Not even global admins!)

Note:
Global administrators are automatically assigned a systems admin role in Dynamics 365. Importantly this means they can access Dynamics 365 without being assigned a license. BUT, they cannot see any records without a license! Therefore typically they will need a license that will grant them full read-write access in Dynamics 365. If a Global Admin is created without a license their access type in Dynamics 365 would be administrative rather than “read-write”.

Other Administrator Roles

It is also possible to allocate one or more specific admin features to a user. This is useful when you need to grant limited admin capabilities to a user, without having to give them the full power of the global administrator.

There are a number of common admin roles which are always shown whilst maintaining roles. But clicking the “show all by category” option will expand the list revealing numerous other roles.

Learning the key capabilities many of the roles might be a useful part of your revision! Take time to study each role and consider what capabilities and limitations each one would have.

Below you can see a summary of the major admin roles listed above.

Role	Details
Global Administrator	Assign the Global admin role to users who need global access to most management features and data across Microsoft online services. Only global admins can: – Reset passwords for all users – Add and manage domains Note: The person who originally signed up for Microsoft online services automatically becomes a Global admin.
Exchange Admin	Assign the Exchange admin role to users who need to view and manage your user’s email mailboxes, Office 365 groups, and Exchange Online. Exchange admins can also: – Recover deleted items in a user’s mailbox – Set up “Send As” and “Send on behalf” delegates
Global Reader	Assign the global reader role to users who need to view admin features and settings in admin centers that the global admin can view. The global reader admin can’t edit any settings.
Helpdesk Admin	Assign the Helpdesk admin role to users who need to do the following: – Reset passwords – Force users to sign out – Manage service requests – Monitor service health Note: The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader.
Service Support Admin	Creates service requests for Azure, Microsoft 365, and Office 365 services, and monitors service health.
SharePoint Admin	Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. SharePoint admins can also: – Create and delete sites – Manage site collections and global SharePoint settings
Teams Admin	Assign the Teams admin role to users who need to access and manage the Teams admin center. Teams admins can also: – Manage meetings – Manage conference bridges – Manage all org-wide settings, including federation, teams upgrade, and teams client settings
User Admin	Assign the User admin role to users who need to do the following for all users: – Add users and groups – Assign licenses – Manage most users properties – Create and manage user views – Update password expiration policies – Manage service requests – Monitor service health The user admin can also do the following actions for users who aren’t admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: – Manage usernames – Delete and restore users – Reset passwords – Force users to sign out – Update (FIDO) device keys

In addition to the roles above many others exist! I will not attempt to cover all of them here, but a few warrant mention ….

Role	Details
Billing Administrator	Makes purchases, manages subscriptions, manages service requests, and monitors service health.
Dynamics 365 admin	Full access to Microsoft Dynamics 365 Online, manages service requests, monitors service health.
Groups Admin	Assign the groups admin role to users who need to manage all groups settings across admin centers, including the Microsoft 365 Admin Center and Azure Active Directory portal. Groups admins can: – Create, edit, delete, and restore Office 365 Groups – Create and update group creation, expiration, and naming policies – Create, edit, delete, and restore Azure Active Directory security groups
Office Apps admin	Assign the Office Apps admin role to users who need to do the following: – Use the Office cloud policy service to create and manage cloud-based policies for Office – Create and manage service requests – Manage the What’s New content that users see in their Office apps – Monitor service health

Best Practice

There are some best practice guidelines for handling admin roles within 365 admin that you should be aware of;

Limit the number of global admins – Microsoft recommend having 2 to 4 global admins. You will want more than one global admin but as they have unlimited access they represent a security threat. Therefore having the minimum number possible is a good practice.

Always assign the last permissions possible – admins who need to complete a particular task should be given the ability to do just that task. For example, if you need someone to reset passwords don’t give them the global admin role instead grant them the password admin or helpdesk admin roles.

Require multi-factor authentication – you should ideally configure multi-factor authentication (MFA) for all of your uses. But admins should defeinitely be required to use MFA. This is because even if their passwords are compromised it is useless without the second form of authentication.

Security Groups

When a user is assigned a Dynamics 365 license they then have rights to access all instances (CDS databases) within the tenant.

Note: They do still need to be granted a security role within the instance to access Dynamics 365 records.

It might be that you need to restrict which instances a user can work with. Security groups can be defined in 365 admin and leveraged for this purpose.

First you create a security group in 365 admin and add users. You do this using the “add a group” option in the 365 admin center, shown below;

Now set the group type to be security …..

And give it a name and description as required.

Once your group has been created you can add members (users) into the security group.

Now your security group is created you can open your Dynamics 365 instance in the power platform Dynamics 365 admin center and associate the security group with your instance. Doing this will mean that only users included in the security group can access that CDS database.

A few things to note about security groups:

When a security group is associated with an existing environment, all users in the environment that are not members of the group will be disabled.
If an environment does not have an associated security group, all users with a license will be created as users and enabled in the environment.
If a security group is associated with an environment, only users with licenses that are members of the environment security group will be created as users in the Common Data Service environment.
When you assign a security group to an environment, that environment will not show up in home.dynamics.com for users not in the group. (Meaning they won’t even see the environment!)
If you do not assign a security group to an environment, the environment will show up in home.dynamics.com for all users even for those who have not been assigned a security role.
If you do not specify a security group, all users who have a license, will be added to the new environment.

Hopefully this post has given you a good overview of the admin roles in Office 365 and explained the key points you’ll need to revise for your MB-200 exam.