Recommended Permissions and Management Actions

Modified on Tue, 21 Jun 2022 at 11:35 PM

CoreView provides the ability to create a set of admin roles that can be assigned to operators in your organization. Each admin role maps to common business functions and gives people in your organization permissions to read specific data and do specific tasks in Microsoft 365. 

Security guidelines for assigning roles

Because admins have access to sensitive data and files, we recommend that you follow these security guidelines to keep your organization's data more secure.

  • Have 2 to 4 global admins - Because only another global admin can reset a global admin's password, it is recommended that you have at least 2 global admins in your organization in case of account lockout. But the global admin has almost unlimited access to your org's settings and most of the data, so it is also recommended that you do not have more than 4 global admins because that is a security threat.
  • Assign the least permissive role - Assigning the least permissive role means giving admins only the access they need to get the job done. For example, if you want someone to reset employee passwords you should not assign the unlimited global admin role, you should assign a limited admin role, like User admin or Helpdesk admin. This will help keep your data secure.
  • Require multi-factor authentication for admins - It is a good idea to require MFA for all your users, but admins should be required to use MFA to sign in. MFA makes users enter a second method of identification to verify they are who they say they are. Admins can have access to a lot of customer and employee data and if you require MFA, even if the admin's password gets compromised, the password is useless without the second form of identification.


CoreView Permissions and the associated Management Actions

Exchange admin

Assign the Exchange admin permission to users who need to view and manage your user’s email mailboxes, Microsoft 365 groups and Exchange Online.

 

Exchange admins can also:

  • Recover deleted items in a user’s mailbox
  • Configure Archiving and Deletion Polices
  • Configure Anti-Spam protection
  • Set up “Send As” and “Send on Behalf” delegates

CoreView Exchange admin management actions:

Mailbox

  • Edit mailbox type
  • Check if mailbox exists
  • Convert to shared mailbox
  • Copy permissions from
  • Copy permissions to
  • Create mailbox
  • Create resource mailbox
  • Create shared mailbox
  • Assign contacts folder delegate
  • Edit equipment mailbox
  • Edit mailbox
  • Edit room mailbox
  • EditSharedMailbox
  • Enable mailbox audit
  • Forward address
  • Forward SMTP address
  • Grant access to mailboxes
  • Grant access to users
  • Grant full access to manager
  • Manage archive
  • Manage calendar permissions
  • Manage CAS
  • Manage Clutter (Deprecated)
  • Manage litigation hold
  • Manage quarantine messages
  • Manage quota
  • Manage SendAs permissions
  • Regional settings
  • Remove mailbox
  • Remove contacts delegate
  • Remove access rights from mailbox
  • Remove mailbox permissions rights
  • Set archive name
  • Grant send on behalf of to mailbox
  • Configure auto reply

Microsoft 365 Groups

  • Add members to Microsoft 365 groups
  • Create Microsoft 365 group
  • Edit Microsoft 365 group
  • Manage Microsoft 365 group members
  • Remove members from Microsoft 365 group
  • Remove Microsoft 365 group
  • Restore Microsoft 365 deleted groups


Global admin

Assign the Global admin permission to users who need global access to most management features and data across Microsoft online services.

 

Only global admins can:

  • Reset passwords for all users
  • Add and manage domains

CoreView Global admin management actions:

  • All CoreView management actions are available


Global reader

Assign the global reader permission to users who need to view all data and settings in the M365 tenant in CoreView. The global reader admin cannot edit any settings. This role can be good when performing an audit.

CoreView Global reader management actions:

  • No CoreView management actions are available


Groups admin

Assign the groups admin permission to users who need to manage all groups – Distribution, Security, and Microsoft 365 Groups.

 

Groups admins can:

  • Create, edit, restore, and delete Microsoft 365 groups
  • Create, edit, restore, and delete Security groups
  • Create, edit, restore, and delete Azure Active Directory security groups

CoreView Groups admin management actions:

Microsoft 365 Groups

  • Add members to Microsoft 365 groups
  • Create Microsoft 365 group
  • Edit Microsoft 365 group
  • Manage Microsoft 365 group members
  • Remove members from Microsoft 365 group
  • Remove Microsoft 365 group
  • Restore Microsoft 365 deleted groups

Security Groups

  • Add members to security groups
  • Add security group members 
  • Create security group 
  • Edit security group 
  • Remove security group 
  • Remove security group members

Distribution Groups

  • Add distribution group members
  • Add members to distribution groups
  • Create distribution group
  • Edit distribution group
  • Grant access to distribution group
  • Remove distribution group
  • Remove distribution group delegation
  • Remove distribution group members

Mail Contact

  • Create mail contact
  • Create mail user
  • Edit mail contact
  • Edit mail user
  • Remove mail contact
  • Remove mail user


Helpdesk admin

Assign the Helpdesk admin permission to users who need to do the following:

  • Reset passwords
  • Force users to sign out
  • Monitor service health

CoreView Helpdesk admin management actions:

User

  • Manage password 
  • Revoke user sessions


License admin

Assign the License admin permission to users who need to do the following:

  • Assign and remove licenses from users
  • Edit user’s usage location

CoreView License admin management actions:

User

  • Manage licenses
  • Remove all licenses


SharePoint admin

Assign the SharePoint admin permission to users who need to access and manage the SharePoint Online admin center.

SharePoint admins can also:

  • Create and delete sites
  • Manage site collections and global SharePoint settings

CoreView SharePoint admin management actions:

SharePoint

  • Add SharePoint owners in bulk
  • Create SharePoint site
  • Delete SharePoint site
  • Manage SharePoint owners
  • Remove SharePoint owners in bulk
  • Remove site from recycle bin
  • Restore site from recycle bin
  • Set SharePoint quota


Teams Service admin

Assign the Teams service admin permission to users who need to access and manage the Teams admin center.

Teams service admins can also:

  • Manage meetings
  • Manage conference bridges
  • Manage all org-wide settings, including federation, Teams upgrade, and Teams client settings

CoreView Teams service admin management actions:

Teams

  • Add members to Teams groups
  • Assign - unassign Teams resource account
  • Create Teams auto attendant
  • Create Teams call queue
  • Create Teams group
  • Create Teams group channel
  • Create Teams resource account
  • Edit Teams auto attendant
  • Edit Teams call queue
  • Edit Teams group
  • Edit Teams group channel
  • Edit Teams resource account
  • Free phone number from Teams resource account
  • Manage phone number
  • Manage Teams group members
  • Manage Teams policies
  • Remove Teams auto attendant
  • Remove Teams call queue
  • Remove Teams group
  • Remove Teams group channel


User admin

Assign the User admin permission to users who need to do the following for all users:

  • Add users and groups
  • Assign licenses
  • Manage most user properties
  • Create and manage user views
  • Update password expiration policies
  • Manage service requests
  • Monitor service health
  • Manage usernames
  • Reset passwords
  • Force users to sign out

CoreView User admin management actions:

User

  • Add tags
  • Clone user 
  • Create user 
  • Edit sign-in status
  • Edit user properties 
  • Edit users’ properties in bulk
  • Flush tags
  • Invite guest user 
  • Manage licenses
  • Manage MFA 
  • Manage password 
  • Manage service plans
  • Manage tags
  • Password never expires 
  • Remove all licenses
  • Remove guest user 
  • Remove tags
  • Remove user 
  • Remove user from recycle bin 
  • Rename user
  • Reset MFA 
  • Restore user 
  • Revoke user sessions
  • Set portal attribute


Published: 01/14/2021 

Updated: 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article