While working with a client on Azure Privileged Identity Management (PIM), locking down who can access Exchange Online with just-in-time access, I came across Office 365 Privileged Access Management (PAM), which allows more granular control over administrative tasks in Exchange Online.
Although PAM currently only supports granular permissions for Exchange Online, there are plans to expand the service to other Office 365 workloads.
The Exchange Role Management role needs to be assigned to the accounts that manage privileged access (or those accounts need to be Global Admins).
PAM requires one of the following licenses:
- Microsoft 365 E5 subscription.
- Microsoft 365 E3 subscription.
- Microsoft 365 A5 subscription.
- Microsoft 365 A3 subscription.
- Office 365 Enterprise E5 subscription.
- Office 365 Enterprise E3 subscription.
The steps for using PAM are:
- Go to the PAM section in the Office 365 tenant.
- The global admin sets up a privileged access approver group that authorizes PAM requests (the approvers are added to this group).
- Create a policy for a role, task or role group and choose the approval type, manual or auto. In this example I have chosen the “Add mail permission” task.
When an admin now tries to add mailbox permissions to a mailbox, they are prompted to raise an elevated access request to perform the task.
The approvers receive an email and need to access PAM in the Office 365 portal to approve or deny the request. If it is approved, the admin receives an email letting them know they can now add the mailbox permissions.
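The same workflow can be driven from Exchange Online PowerShell. This is an added example, not from the original post; it assumes a constructed approver group address, that the "Add mail permission" task is named `Exchange\Add-MailboxPermission` in PowerShell (the `Exchange\<cmdlet>` form used by the PAM cmdlets), and the request property names shown in the output formatting.

```powershell
# Added example: Office 365 PAM for the "Add mail permission" task, end to end.
# Assumed values: the approver group address, the task name
# 'Exchange\Add-MailboxPermission', and the request property names below.

Connect-ExchangeOnline

# 1. Global admin: turn on PAM and point it at the approver group.
Enable-ElevatedAccessControl -AdminGroup 'pam-approvers@contoso.onmicrosoft.com'

# 2. Global admin: create a manual-approval policy for the task.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\Add-MailboxPermission' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@contoso.onmicrosoft.com'

# Check that the task is now covered by a policy before relying on it.
Get-ElevatedAccessApprovalPolicy

# 3. Admin: raise an elevated access request before attempting the task.
#    The request is time-bound; it expires after the requested duration.
$req = New-ElevatedAccessRequest -Task 'Exchange\Add-MailboxPermission' `
    -Reason 'Ticket 1234: grant FullAccess on a shared mailbox' `
    -DurationHours 2

# 4. Approver: review pending requests, then approve or deny by RequestId.
#    (Property names in the Format-List call are assumed.)
Get-ElevatedAccessRequest |
    Format-List RequestId, Requestor, Task, Reason, RequestStatus
Approve-ElevatedAccessRequest -RequestId $req.RequestId -Comment 'Approved per ticket 1234'
# Deny-ElevatedAccessRequest -RequestId $req.RequestId -Comment 'No change record'

# 5. Admin: once approved, the task succeeds within the approved window.
Add-MailboxPermission -Identity 'shared@contoso.onmicrosoft.com' `
    -User 'alice@contoso.onmicrosoft.com' -AccessRights FullAccess
```

Requests outside an approved window, or for a task with no policy, still fail, so the policy list is the first place to look when an admin reports being blocked.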